Closed Bug 771157 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ mozilla::DebugOnly<int>::operator++(int)]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Assigned: djvj)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

Refactoring to resolve bug.
5.77 KB, patch
dvander
: review+
Details | Diff | Splinter Review 
The following testcase crashes on ionmonkey revision 9cf3ea112635 (run with --ion -n -m --ion-eager):


var callStack = new Array();
function TestCase(n, d, e, a) {
  this.expect = e;
  this.actual = a;
  this.passed = getTestCaseResult(e, a);
  dump(+ this.path + ' ' + 'reason: ' + toPrinted(this.reason)+ '\n');
};
function reportCompare (expected, actual, description) {
  var testcase = new TestCase("unknown-test-name", description, expected, actual);
}
function enterFunc (funcName) {
  callStack.push(funcName);
  var lastFunc = callStack.pop();
  reportCompare(funcName, lastFunc, "Test driver failure wrong exit function ");
}
try {
var summary = 'String static methods';
var actual = '';
expect = '2';
reportCompare(expect, actual, summary + " String.toUpperCase(new Boolean(true))");
} catch(exc0) {}
try {
function TestCase(n, d, e, a) {}
enterFunc ('test');
reportCompare(expect, actual, summary);
} catch(exc2) {}
Kannan, this looks like fallout from polymorphic inlining: we assert adding MIR to a block that has ended. lastIns = InlineFunctionGuard and the MIR we're adding is a CreateThis.
Assignee: general → kvijayan
This cleans up the sequencing of blocks in the poly inline code.

I also removed some asserts that seem really unnecessary.
Attachment #639399 - Flags: review?(dvander)
Attachment #639399 - Flags: review?(dvander) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/5d1b1af768fc
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.