Closed
Bug 779380
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: !ic.pools[index], at methodjit/MonoIC.cpp:541
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox17 | --- | unaffected |
| firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: dvander)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][fuzzblocker][ion:p1:fx18])
Attachments
(1 file)
|
(deleted),
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on ionmonkey revision b46621aba6fd (run with --ion -n):
function printStatus (msg) {}
gcPreserveCode()
function f(j, k) {
var g = function() {
}
}
for (var i = 0; i < 5; ++(printStatus)) {
f(i);
}
|
Reporter | |
Comment 1•12 years ago
|
||
Hitting this quite often with multiple sigs.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
|
Assignee | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update][fuzzblocker] → [jsbugmon:update][fuzzblocker][ion:p1:fx18]
|
|
Assignee | |
Comment 2•12 years ago
|
||
I forgot to reset the hasIonStub_ bit in CallICs. Just for completeness I also made us not generate an Ion stub if there exists a call stub, since I don't think the call IC machinery can handle that.
|
||
Updated•12 years ago
|
Attachment #648100 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 3•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Comment 4•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox17:
--- → unaffected
|
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•