Closed Bug 539965 Opened 15 years ago Closed 15 years ago

Assertion failed: !s0->isQuad() && !s1->isQuad()

Categories

(Core :: JavaScript Engine, defect)

x86_64
All
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: MatsPalmgren_bugz, Unassigned)

Details

(Keywords: assertion, regression)

Attachments

(1 file)

Firefox debug build, x86_64 on Linux.
I think this is a regression in the past day or so.
STR: run mochitest layout/xul/base/test/test_bug393970.xul


Assertion failed: !s0->isQuad() && !s1->isQuad() (js/src/nanojit/LIR.cpp:2475)

Program received signal SIGABRT, Aborted.
0x00007ff454a05fb5 in raise () from /lib/libc.so.6
(gdb) bt 25
#0  0x00007ff454a05fb5 in raise () from /lib/libc.so.6
#1  0x00007ff454a07bc3 in abort () from /lib/libc.so.6
#2  0x00007ff458d0d939 in NanoAssertFail () at js/src/nanojit/avmplus.cpp:72
#3  0x00007ff458d0562e in nanojit::SanityFilter::ins2 (this=0x2128748, v=nanojit::LIR_rsh, s0=0x1a198e8, s1=0x1a19710) at js/src/nanojit/LIR.cpp:2480
#4  0x00007ff458ce0800 in TraceRecorder::record_JSOP_LENGTH (this=0x1ef02c0) at js/src/jstracer.cpp:14843
#5  0x00007ff458cf6845 in TraceRecorder::monitorRecording (this=0x1ef02c0, op=JSOP_LENGTH) at js/src/jsopcode.tbl:550
#6  0x00007ff458c33ca8 in js_Interpret (cx=0x1558220) at js/src/jsops.cpp:78
#7  0x00007ff458c42016 in js_Invoke (cx=0x1558220, argc=2, vp=0x1507a00, flags=<value optimized out>) at js/src/jsinterp.cpp:1384
#8  0x00007ff458c10ae2 in js_fun_apply (cx=0x1558220, argc=2, vp=0x1507990) at js/src/jsfun.cpp:2036
#9  0x00007ff458c2e6de in js_Interpret (cx=0x1558220) at js/src/jsops.cpp:2263
#10 0x00007ff458c42016 in js_Invoke (cx=0x1558220, argc=3, vp=0x1507930, flags=<value optimized out>) at js/src/jsinterp.cpp:1384
#11 0x00007ff458c10ae2 in js_fun_apply (cx=0x1558220, argc=3, vp=0x15078c0) at js/src/jsfun.cpp:2036
#12 0x00007ff458c2e6de in js_Interpret (cx=0x1558220) at js/src/jsops.cpp:2263
#13 0x00007ff458c42016 in js_Invoke (cx=0x1558220, argc=2, vp=0x1507418, flags=<value optimized out>) at js/src/jsinterp.cpp:1384
#14 0x00007ff458c4287b in js_InternalInvoke (cx=0x1558220, obj=0x7ff43c8ba740, fval=140686836755584, flags=0, argc=2, argv=0x1f933f0, rval=0x7fff6160df60) at js/src/jsinterp.cpp:1439
#15 0x00007ff458bc8249 in JS_CallFunctionValue (cx=0x1558220, obj=0x7ff43c8ba740, fval=140686836755584, argc=2, argv=0x1f933f0, rval=0x7fff6160df60) at js/src/jsapi.cpp:5120
#16 0x00007ff4468a2e92 in nsJSContext::CallEventHandler (this=0x15581b0, aTarget=0x1f25ef0, aScope=<value optimized out>, aHandler=0x7ff434edec80, aargv=0x1f933b8, arv=0x7fff6160e140) at dom/base/nsJSEnvironment.cpp:2168
#17 0x00007ff4468cb7cf in nsGlobalWindow::RunTimeout (this=0x1f25ef0, aTimeout=0x1f93410) at dom/base/nsGlobalWindow.cpp:8104
#18 0x00007ff4468cbc22 in nsGlobalWindow::TimerCallback (aTimer=<value optimized out>, aClosure=0x1f93410) at dom/base/nsGlobalWindow.cpp:8448
#19 0x00007ff45871a6c0 in nsTimerImpl::Fire (this=0xada550) at xpcom/threads/nsTimerImpl.cpp:427
#20 0x00007ff45871a7ad in nsTimerEvent::Run (this=0x7ff438007330) at xpcom/threads/nsTimerImpl.cpp:519
#21 0x00007ff458715e87 in nsThread::ProcessNextEvent (this=0x6b4b70, mayWait=1, result=0x7fff6160e2cc) at xpcom/threads/nsThread.cpp:527
#22 0x00007ff4586cacba in NS_ProcessNextEvent_P (thread=0x17c1, mayWait=1) at nsThreadUtils.cpp:250
#23 0x00007ff44784a3c4 in nsBaseAppShell::Run (this=0xc85a90) at widget/src/xpwidgets/nsBaseAppShell.cpp:177
#24 0x00007ff44390ca66 in nsAppStartup::Run (this=0xefe440) at toolkit/components/startup/src/nsAppStartup.cpp:182
(gdb) fr 3
#3  0x00007ff458d0562e in nanojit::SanityFilter::ins2 (this=0x2128748, v=nanojit::LIR_rsh, s0=0x1a198e8, s1=0x1a19710) at js/src/nanojit/LIR.cpp:2480
2480                NanoAssert(s0->isQuad() && !s1->isQuad());
(gdb) p s0->isQuad()
$1 = true
(gdb) p s1->isQuad()
$2 = false
(gdb) p *s0
$3 = {{lastWord = {arIndex = 0, reg = nanojit::RAX, used = 0, opcode = nanojit::LIR_ldq}, dummy = 0x4a000000}}
(gdb) p *s1
$4 = {{lastWord = {arIndex = 0, reg = nanojit::RAX, used = 0, opcode = nanojit::LIR_int}, dummy = 0x18000000}}
(gdb)

Not just Linux. The assertion is triggering consistently for me on a 64-bit debug build on Mac OS X 10.6 (Intel).

Assertion failed: !s0->isQuad() && !s1->isQuad() (.../js/src/nanojit/LIR.cpp:2475)
[shortened full path to "..."]

OS: Linux → All

Comment on attachment 421879
fix

Can you also add a reduced shell test case to trace-tests/tests/arguments? r+ with that.

Attachment #421879 - Flags: review?(dmandelin) → review+

That patch fixes the 64-bit debug build on Mac OS X 10.6.

http://hg.mozilla.org/tracemonkey/rev/30eb740d71d2

this was actually the cause behind a bunch of trace-tests failures (anything using arguments.length) so it should have adequate coverage already.

merged to m-c early because of complaints on IRC.

http://hg.mozilla.org/mozilla-central/rev/925d39fa7d16

Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

So is this a dup of Bug 540404?
And is there something to fix on 1.9.2 branch?

64-bit JIT isn't supported on 1.9.2, so it's not an issue for that branch.