IonMonkey: Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:832

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
major
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: decoder, Assigned: dvander)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Other Branch
x86_64
Linux
assertion, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update,reconfirm])

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 625406 [details]
Testcase for shell

The attached testcase asserts on ionmonkey revision 890dd17b4187 (run with --ion -n -m --ion-eager).
Works for me at revision 9602aebd7e43a27f1675ca8313b80045c383c7fb.
(Reporter)

Comment 2

5 years ago
I'm still seeing this on the fuzzer, let's see if it still repros.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,reconfirm]
(Assignee)

Comment 3

5 years ago
Created attachment 626270 [details] [diff] [review]
fix

This seemed to sketchy to just be fixed, at first I thought it was bug 756235 but reproduces with that applied too. Turns out it's similar though. LDefVar wasn't marked as a call, so LSRA gave it safepoint regs, which of course weren't spilled. To make it a call we also have to make it use the call temporary regs.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #626270 - Flags: review?
(Assignee)

Updated

5 years ago
Attachment #626270 - Flags: review? → review?(sstangl)

Updated

5 years ago
Attachment #626270 - Flags: review?(sstangl) → review+
(Assignee)

Comment 4

5 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/9a4817a83ca6
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Updated

5 years ago
Group: core-security
You need to log in before you can comment on or make changes to this bug.