Bug 776880 (Closed)
Opened 13 years ago
Closed 13 years ago
IonMonkey: Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:826
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: Reporter: decoder, Assigned: jandem
Details: Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][ion:p1:fx18]
Attachments: 1 file, 1 obsolete file
1.34 KB, patch (dvander: review+)
The following testcase asserts on ionmonkey revision 23a84dbb258f (run with --ion -n -m):
gcPreserveCode();
string_split( "hello", "ll" );
function string_split ( __this, R) {
    var S = String(__this );
    var q = 0;
    while (true ) {
        z = SplitMatch(R, S, q);
        q = q + ('abc');
    }
}
function SplitMatch(R, S, q) {
    if (R.constructor == RegExp)
        a = new Array(reResult.length - 1);
    var r = R.length;
    s = S.length;
    if ((q + r) > s)
        return false;
    for (var i = 0; i < r; i++) {}
}
Updated•13 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
Updated•13 years ago (Assignee)
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Comment 1•13 years ago (Assignee)
The safepoint contained a bogus GC argument slot due to CallConstructor not popping the |this| value slot. Note that all other callers of dropArguments also add 1.
I tried to add the testcase but couldn't get it to run fast enough so I decided not to add it.
Attachment #647187 - Flags: review?(dvander)
Comment 2•13 years ago (Assignee)
Updated patch to assert that pushedArgumentSlots_ is empty after codegen, to catch similar bugs in the future.
Attachment #647187 - Attachment is obsolete: true
Attachment #647187 - Flags: review?(dvander)
Attachment #647208 - Flags: review?(dvander)
Comment on attachment 647208
Patch
Review of attachment 647208:
-----------------------------------------------------------------
the assert is invalid because calls could nest - r=me other than that
Attachment #647208 - Flags: review?(dvander) → review+
Whoops sorry I misread context - assert is fine.
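A simplified model of the slot bookkeeping described in comments 1 and 2, added here as an illustration and not taken from the attached patch or from SpiderMonkey. ArgSlotTracker, emitCall and emptyAfterCodegen are hypothetical names; only dropArguments and pushedArgumentSlots_ appear in the comments. It shows how dropping argc instead of argc + 1 slots leaves the |this| slot in the next safepoint, and how an emptiness check after codegen catches it.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical, simplified model (not SpiderMonkey code) of a code generator
// tracking the stack slots that hold outgoing call arguments.
class ArgSlotTracker {
    std::vector<uint32_t> pushedArgumentSlots_;  // name from the bug comments
  public:
    void pushArgument() {
        pushedArgumentSlots_.push_back(uint32_t(pushedArgumentSlots_.size()));
    }
    void dropArguments(size_t n) {
        assert(n <= pushedArgumentSlots_.size());
        pushedArgumentSlots_.resize(pushedArgumentSlots_.size() - n);
    }
    // A safepoint lists every tracked slot so the GC treats it as a GC pointer.
    std::vector<uint32_t> safepointSlots() const { return pushedArgumentSlots_; }
    // Invariant checked once code generation has finished.
    bool emptyAfterCodegen() const { return pushedArgumentSlots_.empty(); }
};

// Emits one call: |this| plus argc arguments are pushed, then dropped.
// popThis=false models the defect (drop argc); true models the fix (argc + 1).
// Returns the slots a safepoint taken after the call would report.
std::vector<uint32_t> emitCall(ArgSlotTracker &t, size_t argc, bool popThis) {
    t.pushArgument();  // |this| value slot
    for (size_t i = 0; i < argc; i++)
        t.pushArgument();
    t.dropArguments(popThis ? argc + 1 : argc);
    return t.safepointSlots();
}

int main() {
    ArgSlotTracker buggy, fixed;
    std::printf("stale slots, drop argc:     %zu\n", emitCall(buggy, 2, false).size());
    std::printf("stale slots, drop argc + 1: %zu\n", emitCall(fixed, 2, true).size());
    std::printf("invariant holds: buggy=%d fixed=%d\n",
                buggy.emptyAfterCodegen(), fixed.emptyAfterCodegen());
    return 0;
}
```

In this model a call emitted while an outer call's arguments are still pushed sees a non-empty list mid-codegen, but the list is empty again once the outer call drops its own slots, so the check is only meaningful at the end.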
Comment 5•13 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago (Assignee)
Group: core-security