Closed Bug 776880 Opened 13 years ago Closed 13 years ago

IonMonkey: Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:826

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

RESOLVED FIXED

People

(Reporter: decoder, Assigned: jandem)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][ion:p1:fx18])

Attachments

(1 file, 1 obsolete file)

The following testcase asserts on ionmonkey revision 23a84dbb258f (run with --ion -n -m):

gcPreserveCode();
string_split( "hello", "ll" );
function string_split ( __this, R) {
  var S = String(__this );
  var q = 0;
  while (true ) {
    z = SplitMatch(R, S, q);
    q = q + ('abc');
  }
}
function SplitMatch(R, S, q) {
  if (R.constructor == RegExp)
    a = new Array(reResult.length - 1);
  var r = R.length;
  s = S.length;
  if ((q + r) > s) return false;
  for (var i = 0; i < r; i++) {}
}

Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attached patch: Patch (obsolete)
The safepoint contained a bogus GC argument slot due to CallConstructor not popping the |this| value slot. Note that all other callers of dropArguments also add 1. I tried to add the testcase but couldn't get it to run fast enough so I decided not to add it.
Attachment #647187 - Flags: review?(dvander)
Attached patch: Patch
Updated patch to assert that pushedArgumentSlots_ is empty after codegen, to catch similar bugs in the future.
Attachment #647187 - Attachment is obsolete: true
Attachment #647187 - Flags: review?(dvander)
Attachment #647208 - Flags: review?(dvander)
Comment on attachment 647208: Patch

Review of attachment 647208:

the assert is invalid because calls could nest - r=me other than that
Attachment #647208 - Flags: review?(dvander) → review+
Whoops sorry I misread context - assert is fine.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Group: core-security
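
The slot accounting described in the patch comments above, as an added simplified model (not SpiderMonkey code and not part of the original bug). `ToyCodegen`, `emitCall` and `compileNewThenCall` are hypothetical names, and slots are modelled as plain integers; only `pushedArgumentSlots_` and `dropArguments` are names taken from the comments.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified model (an assumption, not engine code): tracks the stack slots
// holding pushed call arguments and snapshots them into a safepoint per call.
struct ToyCodegen {
    std::vector<int> pushedArgumentSlots_;     // slots the GC would trace
    std::vector<std::vector<int>> safepoints;  // one snapshot per call site
    int nextSlot = 0;

    void pushArg() { pushedArgumentSlots_.push_back(nextSlot++); }

    void dropArguments(std::size_t n) {
        pushedArgumentSlots_.resize(pushedArgumentSlots_.size() - n);
    }

    // A call uses argc arguments plus the |this| slot. The snapshot is taken
    // before the slots are released because they are live during the call.
    void emitCall(std::size_t argc, bool popThis) {
        safepoints.push_back(pushedArgumentSlots_);
        dropArguments(popThis ? argc + 1 : argc);
    }

    bool balanced() const { return pushedArgumentSlots_.empty(); }
};

// Emits "new F(a); g(b)" and returns the slots recorded at g's safepoint.
// constructorPopsThis=false reproduces the accounting error in the comment.
std::vector<int> compileNewThenCall(bool constructorPopsThis, bool *balancedOut) {
    ToyCodegen cg;
    cg.pushArg(); cg.pushArg();            // |this| and a for the constructor
    cg.emitCall(1, constructorPopsThis);
    cg.pushArg(); cg.pushArg();            // |this| and b for g
    cg.emitCall(1, true);
    *balancedOut = cg.balanced();          // the post-codegen check
    return cg.safepoints.back();
}

int main() {
    for (bool popsThis : {false, true}) {
        bool ok = false;
        std::size_t n = compileNewThenCall(popsThis, &ok).size();
        std::printf("pops |this|: %d, slots at g's safepoint: %zu, balanced: %d\n",
                    popsThis, n, ok);
    }
}
```

With the constructor dropping only its argument, slot 0 remains in the safepoint of the following call and the end-of-codegen emptiness check fails; dropping `argc + 1` clears both.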