Closed
Bug 769224
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: found, at methodjit/Retcon.cpp:133 or Opt-Crash trying to execute NULL
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: dvander)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][fuzzblocker])
Attachments
(2 files)
- 1.21 KB, application/zip
- 654 bytes, patch (billm: review+)
The attached testcase asserts on ionmonkey revision 4f57f42dc238 (run with --ion -n -m --ion-eager).
Reporter
Comment 1•12 years ago
This is causing lots of signatures on opt builds.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Comment 2•12 years ago
Regression from bug 761854. What happens is:
- There's a native call IC
- PurgeJITCaches destroys this IC without updating the rejoin state (REJOIN_NATIVE)
- ClearAllFrames looks at the rejoin value and expects a native call IC

discardJitCode avoids this problem by calling ClearAllFrames before purging any caches.
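The ordering problem described in comment 2, as a toy C++ model (an added example, not part of the bug thread and not SpiderMonkey code; every type and function name below is a hypothetical stand-in). Purging destroys the IC while the frame still records REJOIN_NATIVE, so the later lookup fails; clearing frames first does not.

```cpp
// Toy model only: hypothetical names, not the engine's real data structures.
#include <vector>

enum Rejoin { REJOIN_NONE, REJOIN_NATIVE };

struct NativeCallIC { const void* returnAddr; };
struct Frame { Rejoin rejoin; const void* returnAddr; };

struct Script {
    std::vector<NativeCallIC> nativeICs;
    std::vector<Frame> frames;

    // Models the cache purge: ICs are destroyed, frame rejoin state is untouched.
    void purgeCaches() { nativeICs.clear(); }

    // Models frame clearing: a frame parked in a native call must map back to
    // its IC. Returns false where the bug's "found" assertion would fire.
    bool clearAllFrames() {
        for (Frame& f : frames) {
            if (f.rejoin != REJOIN_NATIVE) continue;
            bool found = false;
            for (const NativeCallIC& ic : nativeICs)
                found = found || ic.returnAddr == f.returnAddr;
            if (!found) return false;
            f.rejoin = REJOIN_NONE;  // frame no longer refers to JIT code
        }
        return true;
    }
};

static Script makeScript() {
    static const int site = 0;  // constructed stand-in for a call-site address
    Script s;
    s.nativeICs.push_back({&site});
    s.frames.push_back({REJOIN_NATIVE, &site});
    return s;
}

// Failing order from comment 2: purge caches first, then clear frames.
bool purgeThenClear() { Script s = makeScript(); s.purgeCaches(); return s.clearAllFrames(); }

// Order comment 2 attributes to discardJitCode: clear frames, then purge.
bool clearThenPurge() {
    Script s = makeScript();
    bool ok = s.clearAllFrames();
    s.purgeCaches();
    return ok && s.clearAllFrames();  // second pass: no frame depends on an IC
}
```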
Assignee
Comment 3•12 years ago
Assignee
Comment 4•12 years ago
Jan: thanks for the analysis, spot on.
Comment on attachment 637630: fix

I wish there were a way to assert that ClearAllFrames had been called. I'm not seeing anything, though.
Attachment #637630 - Flags: review?(wmccloskey) → review+
Assignee
Comment 6•12 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/3112408514c8
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
status-firefox-esr10: --- → unaffected
Updated•9 years ago
Group: core-security