Closed Bug 779380 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: !ic.pools[index], at methodjit/MonoIC.cpp:541

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major

Tracking

()

VERIFIED FIXED
Tracking Status
firefox17 --- unaffected
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][fuzzblocker][ion:p1:fx18])

Attachments

(1 file)

The following testcase asserts on ionmonkey revision b46621aba6fd (run with --ion -n):


function printStatus (msg) {}
gcPreserveCode()
function f(j, k) {
  var g = function() { 
  }
}
for (var i = 0; i < 5; ++(printStatus)) {
  f(i);
}
Hitting this quite often with multiple sigs.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Whiteboard: [jsbugmon:update][fuzzblocker] → [jsbugmon:update][fuzzblocker][ion:p1:fx18]
Attached patch fixSplinter Review
I forgot to reset the hasIonStub_ bit in CallICs. Just for completeness I also made us not generate an Ion stub if there exists a call stub, since I don't think the call IC machinery can handle that.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #648100 - Flags: review?(jdemooij)
Attachment #648100 - Flags: review?(jdemooij) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/fa872ef28a96
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security
You need to log in before you can comment on or make changes to this bug.