Closed
Bug 728033
Opened 13 years ago
Closed 13 years ago
IonMonkey: "Assertion failure: jumpOffset + SizeOfExtendedJump <= code->instructionsSize(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: dvander)
References
Details
(Keywords: assertion, testcase)
Attachments
(2 files)
|
(deleted),
text/plain
|
Details | |
|
(deleted),
patch
|
sstangl
:
review+
|
Details | Diff | Splinter Review |
a = {}
o14 = [].__proto__
function g(o) {
o.f = o14
}
for (let i = 0; i < 50; i++) {
g(a)
}
asserts js debug shell on IonMonkey changeset 05f26aaf851c with --ion and -n at Assertion failure: jumpOffset + SizeOfExtendedJump <= code->instructionsSize(),
Not very sure if attached stack is correct.
|
Reporter | |
Updated•13 years ago
|
Attachment #598018 -
Attachment description: screencast → stack
|
|
Assignee | |
Comment 1•13 years ago
|
||
The bug is that, we embed the location of the extended jump table into the relocation table. But if we never emit any relocations, we won't have access to the jump table later. This changes writeRelocations so we'll emit the extended jump table offset if we see a patchable jump.
|
||
Comment 2•13 years ago
|
||
Comment on attachment 598425 [details] [diff] [review]
fix
Review of attachment 598425 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/ion/x64/Assembler-x64.cpp
@@ +54,5 @@
> // actual extended jump table offset yet, so write a 0 which we'll
> // patch later.
> jumpRelocations_.writeFixedUint32(0);
> }
> + if (reloc == Relocation::IONCODE) {
hax. But OK.
Attachment #598425 -
Flags: review?(sstangl) → review+
|
|
Assignee | |
Comment 3•13 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
||
Comment 4•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug728033.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•