Closed
Bug 730115
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: codeArray[offset], at ../jsanalyze.h:976
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: decoder, Assigned: dvander)
References
Details
(Keywords: assertion, testcase)
Attachments
(1 file, 1 obsolete file)
1.34 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on ionmonkey revision 5a04fd69aa09 (run with --ion -n -m), tested on 64 bit: for (var power = 0; power < 20; power++) { for (var count = 0; count < 1000; count++) { } continue; gc( start, (new Date(t)).getTimezoneOffset() ); }
Assignee | ||
Comment 1•12 years ago
|
||
When we have a "continue" or "break", the pc of the catch-block was kind of random. In this case it started after a JSOP_GOTO and began executing dead code. This fix introduces a |pc| on DeferredEdge and the catch block gets the pc of the first deferred edge.
Comment 2•12 years ago
|
||
Comment on attachment 600586 [details] [diff] [review] fix Review of attachment 600586 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/IonBuilder.cpp @@ +1441,5 @@ > // There must always be a valid target loop structure. If not, there's > // probably an off-by-something error in which pc we track. > CFGState &state = *found; > > + state.loop.breaks = new DeferredEdge(current, state.loop.breaks, pc); Shouldn't we either use "target" here instead of "pc", or have createBreakCatchBlock use state.loop.exitpc? Same for continue.
Assignee | ||
Comment 3•12 years ago
|
||
Thanks, that's a much better idea.
Attachment #600586 -
Attachment is obsolete: true
Attachment #601092 -
Flags: review?(jdemooij)
Attachment #600586 -
Flags: review?(jdemooij)
Updated•12 years ago
|
Attachment #601092 -
Flags: review?(jdemooij) → review+
Assignee | ||
Comment 4•12 years ago
|
||
https://bug730115.bugzilla.mozilla.org/attachment.cgi?id=601092
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 5•12 years ago
|
||
err http://hg.mozilla.org/projects/ionmonkey/rev/1b73ed18a3a8
Reporter | ||
Comment 6•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug730115.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•