Closed Bug 756777 Opened 9 years ago Closed 9 years ago

IonMonkey: Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:832

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

Tracking

()

RESOLVED FIXED

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,reconfirm])

Attachments

(2 files)

Attached file Testcase for shell
The attached testcase asserts on ionmonkey revision 890dd17b4187 (run with --ion -n -m --ion-eager).
Works for me at revision 9602aebd7e43a27f1675ca8313b80045c383c7fb.
I'm still seeing this on the fuzzer, let's see if it still repros.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,reconfirm]
Attached patch fixSplinter Review
This seemed to sketchy to just be fixed, at first I thought it was bug 756235 but reproduces with that applied too. Turns out it's similar though. LDefVar wasn't marked as a call, so LSRA gave it safepoint regs, which of course weren't spilled. To make it a call we also have to make it use the call temporary regs.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #626270 - Flags: review?
Attachment #626270 - Flags: review? → review?(sstangl)
Attachment #626270 - Flags: review?(sstangl) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/9a4817a83ca6
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: core-security
You need to log in before you can comment on or make changes to this bug.