Bug 776880 - IonMonkey: Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:826
Status: RESOLVED FIXED
Whiteboard: [jsbugmon:update][ion:p1:fx18]
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Importance: -- major
Assigned To: Jan de Mooij [:jandem]
Blocks: langfuzz IonFuzz
Reported: 2012-07-24 05:10 PDT by Christian Holler (:decoder)
Modified: 2012-07-30 11:45 PDT
Attachments
Patch (947 bytes, patch) - 2012-07-30 08:32 PDT, Jan de Mooij [:jandem] - no flags
Patch (1.34 KB, patch) - 2012-07-30 10:14 PDT, Jan de Mooij [:jandem] - dvander: review+

Description Christian Holler (:decoder) 2012-07-24 05:10:14 PDT
The following testcase asserts on ionmonkey revision 23a84dbb258f (run with --ion -n -m):

// Fuzzer-generated testcase, kept as posted. gcPreserveCode() keeps compiled
// code alive across GCs so the bogus safepoint slot gets scanned.
gcPreserveCode();
string_split("hello", "ll");

function string_split(__this, R) {
  var S = String(__this);
  var q = 0;
  // q becomes the string "0abc" on the first iteration, so the (q + r) > s
  // exit inside SplitMatch is never taken and this loop runs until a GC
  // triggers the assertion (see comment 1 on why it is slow to reproduce).
  while (true) {
    z = SplitMatch(R, S, q);
    q = q + ('abc');
  }
}

function SplitMatch(R, S, q) {
  // Only reached when R is a RegExp; R is the string "ll" here, so the
  // undefined reResult is never touched.
  if (R.constructor == RegExp)
    a = new Array(reResult.length - 1);
  var r = R.length;
  s = S.length;
  if ((q + r) > s)
    return false;
  for (var i = 0; i < r; i++) {}
}
Comment 1 Jan de Mooij [:jandem] 2012-07-30 08:32:58 PDT
Created attachment 647187 [details] [diff] [review]
Patch

The safepoint contained a bogus GC argument slot due to CallConstructor not popping the |this| value slot. Note that all other callers of dropArguments also add 1.

I tried to add the testcase but couldn't get it to run fast enough so I decided not to add it.
Comment 2 Jan de Mooij [:jandem] 2012-07-30 10:14:13 PDT
Created attachment 647208 [details] [diff] [review]
Patch

Updated patch to assert that pushedArgumentSlots_ is empty after codegen, to catch similar bugs in the future.
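The two comments above describe a bookkeeping bug (a constructor call that does not drop the |this| argument slot, leaving a stale slot that the next safepoint records as a GC root) and the regression check added for it (assert the pushed-argument-slot list is empty after codegen). The following is an added toy model of that pattern, not IonMonkey code: the class and function names (ArgSlotTracker, emitCall, emitCallConstructor, codegenBalanced, staleSlotsAfterConstructor) are hypothetical, and the real compiler's data structures differ.

```cpp
// Added illustration, not IonMonkey code. Names are hypothetical.
#include <cstddef>
#include <vector>

// Tracks which stack slots currently hold pushed call arguments. In a real
// compiler these slots are what a safepoint would record as GC roots.
class ArgSlotTracker {
  public:
    void pushArg(int slot) { pushed_.push_back(slot); }
    // Drop |count| argument slots once the call has consumed them.
    void dropArguments(std::size_t count) {
        for (std::size_t i = 0; i < count && !pushed_.empty(); i++)
            pushed_.pop_back();
    }
    std::size_t pendingSlots() const { return pushed_.size(); }
    // Snapshot of the slots a safepoint emitted now would treat as roots.
    std::vector<int> safepointSlots() const { return pushed_; }
  private:
    std::vector<int> pushed_;
};

// Ordinary call: |this| plus argc arguments are pushed, then all are dropped
// (argc + 1, matching "all other callers of dropArguments also add 1").
void emitCall(ArgSlotTracker &t, int argc) {
    t.pushArg(0);                       // |this|
    for (int i = 0; i < argc; i++) t.pushArg(i + 1);
    t.dropArguments(static_cast<std::size_t>(argc) + 1);
}

// Constructor call. With fixDropThis == false this models the defect from
// comment 1: the |this| slot stays in the tracker, so the next safepoint
// records a stale slot as if it still held a GC thing.
void emitCallConstructor(ArgSlotTracker &t, int argc, bool fixDropThis) {
    t.pushArg(0);                       // |this|
    for (int i = 0; i < argc; i++) t.pushArg(i + 1);
    std::size_t n = static_cast<std::size_t>(argc);
    t.dropArguments(fixDropThis ? n + 1 : n);
}

// Models the check from comment 2: after code generation no argument slot
// may remain pending. Returns true when the bookkeeping is balanced.
bool codegenBalanced(bool fixDropThis) {
    ArgSlotTracker t;
    emitCall(t, 2);
    emitCallConstructor(t, 1, fixDropThis);
    emitCall(t, 0);
    return t.pendingSlots() == 0;
}

// Number of stale slots a safepoint placed right after the constructor call
// would record; 0 with the fix, 1 without it.
std::size_t staleSlotsAfterConstructor(bool fixDropThis) {
    ArgSlotTracker t;
    emitCallConstructor(t, 1, fixDropThis);
    return t.safepointSlots().size();
}
```

The value of the end-of-codegen check is that it fails deterministically on the first unbalanced call sequence, instead of depending on a GC happening to run at a safepoint that still carries the stale slot.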
Comment 3 David Anderson [:dvander] 2012-07-30 11:01:44 PDT
Comment on attachment 647208 [details] [diff] [review]
Patch

the assert is invalid because calls could nest - r=me other than that
Comment 4 David Anderson [:dvander] 2012-07-30 11:03:11 PDT
Whoops sorry I misread context - assert is fine.
Comment 5 Jan de Mooij [:jandem] 2012-07-30 11:45:23 PDT
https://hg.mozilla.org/projects/ionmonkey/rev/75f02a17f7cd