Closed Bug 757785 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:832

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

Tracking


RESOLVED FIXED
Tracking Status
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update] js-triage-needed)

Attachments

(2 files)

Attached file Testcase for shell
The attached testcase asserts on ionmonkey revision d5545e6d927b (run with --ion -n -m --ion-eager).
Whiteboard: [jsbugmon:update] → [jsbugmon:update] js-triage-needed
Assignee: general → dvander
Status: NEW → ASSIGNED
This is some kind of mystery bug where a gc slot in the safepoint has never been written.
Getting a little further: there is a branch in the program that exits a loop (it looks like a break). A spill occurs inside the loop, but operations in the break have safepoints expecting the spill to have occurred.

Note this bug doesn't repro on tip; it was masked by changes in between. You need the original cset.
Attached patch fix
Thanks to Jan for helping narrow this down and come up with a fix. The bug is that we can add spill slots to safepoints that are not actually spilled yet. The patch makes IsSpilledAt more accurate.
Attachment #628826 - Flags: review?(jdemooij)
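The failure mode described in the two comments above, as an added toy model (not IonMonkey code, and not the attached patch): a virtual register `v0` gets a spill slot, but the store into that slot is only emitted inside the loop body, so a safepoint on the path that breaks out of the loop must not list the slot as a GC root. The CFG, block names, `kCellSize`, the `isSpilledAtBuggy`/`isSpilledAtFixed` policies and the slot contents are all assumptions made for the example; the "fixed" policy is a must-dataflow over the CFG, which is one way to make such a check accurate and not necessarily what the real `IsSpilledAt` does.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Toy model of the bug (added example, not IonMonkey code): v0 has a stack slot,
// but the store into that slot runs only inside the loop body. On the break path
// the store never ran, so the slot still holds whatever was on the stack.

struct Block {
  std::string name;
  std::vector<std::string> preds;  // predecessor block names
  bool spillsV0;                   // block contains the store of v0 to its slot
};

// Hypothetical CFG: entry -> header -> {body -> body2 -> header | brk -> exit}
std::vector<Block> buildCfg() {
  return {
      {"entry", {}, false},
      {"header", {"entry", "body2"}, false},
      {"body", {"header"}, true},   // the spill of v0 happens here
      {"body2", {"body"}, false},
      {"brk", {"header"}, false},   // loop exit via break
      {"exit", {"brk"}, false},
  };
}

// Buggy policy: v0 is live here and has a slot assigned, so record the slot in
// the safepoint. Control flow is ignored entirely.
bool isSpilledAtBuggy(const std::vector<Block>&, const std::string&) { return true; }

// Fixed policy: the slot is valid at the entry of `target` only if the spill store
// executes on every path from entry to `target` (a "must" dataflow, optimistic start).
bool isSpilledAtFixed(const std::vector<Block>& cfg, const std::string& target) {
  std::map<std::string, bool> out;
  for (const Block& b : cfg) out[b.name] = true;  // top of the lattice
  auto inOf = [&](const Block& b) {
    bool in = !b.preds.empty();  // entry block: nothing has been stored yet
    for (const std::string& p : b.preds) in = in && out[p];
    return in;
  };
  for (bool changed = true; changed;) {
    changed = false;
    for (const Block& b : cfg) {
      bool o = inOf(b) || b.spillsV0;
      if (o != out[b.name]) { out[b.name] = o; changed = true; }
    }
  }
  for (const Block& b : cfg)
    if (b.name == target) return inOf(b);
  return false;
}

// Stand-in for the Heap.h invariant behind the assertion in the bug title: a GC
// thing pointer is Cell-aligned. CellSize is assumed to be 8 for this model.
static const uint64_t kCellSize = 8;
bool cellAddrOk(uint64_t addr) { return addr % kCellSize == 0; }

// Simulate a GC at the safepoint in `brk` on the path entry -> header -> brk.
// Returns true if the collector would trip the alignment check.
bool gcTripsAlignmentCheck(bool useFixedCheck) {
  std::vector<Block> cfg = buildCfg();
  // Constructed frame contents: v0's slot was never written on this path, so it
  // holds leftover stack bytes that are not a Cell-aligned pointer.
  uint64_t slotV0 = 0xdeadbeefULL;
  bool listed = useFixedCheck ? isSpilledAtFixed(cfg, "brk")
                              : isSpilledAtBuggy(cfg, "brk");
  if (!listed) return false;   // slot not visited by the GC
  return !cellAddrOk(slotV0);  // slot visited, and it contains garbage
}
```

With the buggy policy the safepoint in `brk` lists the slot and the GC reads `0xdeadbeef`, which is exactly the shape of the `addr % Cell::CellSize == 0` failure; with the must-dataflow policy only `body2` (reached after the store on every path) is allowed to list the slot, while `header`, `brk` and `exit` are not.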
Comment on attachment 628826 [details] [diff] [review]
fix

Review of attachment 628826 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, glad to see this fixed.
Attachment #628826 - Flags: review?(jdemooij) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/f55395bc4e61
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Group: core-security