Closed
Bug 1165262
Opened 9 years ago
Closed 9 years ago
Assertion failure: opIter != block->end() (Operand in same block as instruction does not precede), at js/src/jit/IonAnalysis.cpp:2209
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1154971
Tracking | Status | |
---|---|---|
firefox41 | --- | disabled |
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect])
The following testcase crashes on mozilla-central revision d8420a541d1c+ (patch from bug 923717, build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager): function f(x, y) { return Math.imul(0, Math.imul(y | 0, x >> 0)) } try { (f(1 ? 0 : undefined))() } catch(Math) {} while (true) {} Backtrace: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7ffff64c7700 (LWP 37532)] 0x00000000008e883a in js::jit::AssertExtendedGraphCoherency (graph=...) at js/src/jit/IonAnalysis.cpp:2208 #0 0x00000000008e883a in js::jit::AssertExtendedGraphCoherency (graph=...) at js/src/jit/IonAnalysis.cpp:2208 #1 0x00000000008fdb9c in js::jit::AccountForCFGChanges (mir=0x7ffff5102258, graph=..., updateAliasAnalysis=<optimized out>) at js/src/jit/IonAnalysis.cpp:1518 #2 0x0000000000a30585 in js::jit::ValueNumberer::run (this=this@entry=0x7ffff64c6ba0, updateAliasAnalysis=updateAliasAnalysis@entry=js::jit::ValueNumberer::UpdateAliasAnalysis) at js/src/jit/ValueNumbering.cpp:1126 #3 0x000000000091e72d in js::jit::OptimizeMIR (mir=mir@entry=0x7ffff5102258) at js/src/jit/Ion.cpp:1339 #4 0x000000000091e853 in js::jit::CompileBackEnd (mir=0x7ffff5102258) at js/src/jit/Ion.cpp:1616 #5 0x0000000000637da2 in js::HelperThread::handleIonWorkload (this=this@entry=0x7ffff694c420) at js/src/vm/HelperThreads.cpp:1126 #6 0x00000000006395d7 in js::HelperThread::threadLoop (this=0x7ffff694c420) at js/src/vm/HelperThreads.cpp:1422 #7 0x00000000006a9fb1 in nspr::Thread::ThreadRoutine (arg=0x7ffff6930200) at js/src/vm/PosixNSPR.cpp:45 #8 0x00007ffff7bc4182 in start_thread (arg=0x7ffff64c7700) at pthread_create.c:312 #9 0x00007ffff6cb3fbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 rax 0x0 0 rbx 0x7ffff5104cd0 140737304874192 rcx 0x7ffff6ca53cd 140737333842893 rdx 0x0 0 rsi 0x7ffff6f7a9d0 140737336814032 rdi 0x7ffff6f791c0 140737336807872 rbp 0x7ffff64c69c0 140737325590976 rsp 0x7ffff64c6960 140737325590880 r8 0x7ffff64c7700 140737325594368 r9 0x6568637461702d6c 7307199746910727532 r10 0x7ffff64c6720 140737325590304 r11 0x7ffff6c27960 140737333328224 r12 0x1 1 r13 0x7ffff5105aa0 140737304877728 r14 0x0 0 r15 0x7ffff5104d00 140737304874240 rip 0x8e883a <js::jit::AssertExtendedGraphCoherency(js::jit::MIRGraph&)+1754> => 0x8e883a <js::jit::AssertExtendedGraphCoherency(js::jit::MIRGraph&)+1754>: movl $0x8a1,0x0 0x8e8845 <js::jit::AssertExtendedGraphCoherency(js::jit::MIRGraph&)+1765>: callq 0x48ef30 <abort()>
Comment 1•9 years ago
|
||
I did not managed to reproduce this issue so far. I tried to use rr with different scheduling parameters, but I still failed to reproduce this issue after ~600 attempts. Also, this issue definitely looks like Bug 1154971, are you sure that patches are correctly applied on the latest version? Does Bug 1154971 test case reproduce with revision d8420a541d1c+ ?
Reporter | ||
Comment 2•9 years ago
|
||
Closing as duplicate of bug 1154971. I don't have the original build anymore but the testcases look similar enough to assume that it's the same bug. Also, d8420a541d1 is older than the fix revision in that other bug.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•