Closed
Bug 757785
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:832
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
| | Tracking | Status |
|---|---|---|
| firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: dvander)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update] js-triage-needed)
Attachments
(2 files)
- 9.03 KB, application/x-gzip
- 5.45 KB, patch (jandem: review+)
The attached testcase asserts on ionmonkey revision d5545e6d927b (run with --ion -n -m --ion-eager).
Updated•12 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update] js-triage-needed
Updated•12 years ago (Assignee)
Assignee: general → dvander
Status: NEW → ASSIGNED
Comment 1•12 years ago (Assignee)
This is some kind of mystery bug where a gc slot in the safe point has never been written.
Comment 2•12 years ago (Assignee)
Getting a little further: there is a branch in the program that exits a loop (it looks like a break). A spill occurs inside the loop, but operations in the break have safepoints expecting the spill to have occurred. Note this bug doesn't repro on tip; it was masked by changes in between. You need the original cset.
Comment 3•12 years ago (Assignee)
Thanks to Jan for helping narrow this down and come up with a fix. The bug is that we can add spill slots to safepoints that are not actually spilled yet. The patch makes IsSpilledAt more accurate.
Attachment #628826 - Flags: review?(jdemooij)
Comment 4•12 years ago
Comment on attachment 628826: fix
Review of attachment 628826:
Looks good, glad to see this fixed.
Attachment #628826 - Flags: review?(jdemooij) → review+
Comment 5•12 years ago (Assignee)
http://hg.mozilla.org/projects/ionmonkey/rev/f55395bc4e61
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
status-firefox-esr10: --- → unaffected
Updated•10 years ago
Group: core-security