Closed
Bug 606829
Opened 14 years ago
Closed 14 years ago
Assertion failure: !isConstant && !u.s.isTypeKnown in js/src/methodjit/RematInfo.h:70
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | beta7+ |
People
(Reporter: bc, Assigned: billm)
References
Details
(Keywords: assertion, Whiteboard: [jmcrash], fixed-in-tracemonkey)
Attachments (1 file)
patch, 1.09 KB, review+ (sstangl)
1. http://phandroid.com/2010/10/10/android-market-gets-a-hot-update-to-add-froyos-once-exclusive-features/
2. Assertion failure: !isConstant && !u.s.isTypeKnown, at /work/mozilla/builds/2.0.0/mozilla/js/src/methodjit/RematInfo.h:70

mac, winxp/win7

```
Operating system: Mac OS X 10.5.8 9L34
CPU: x86 GenuineIntel family 6 model 26 stepping 5
     1 CPU
Crash reason:  EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash address: 0x0

Thread 0 (crashed)
 0  XUL!JS_Assert [jsutil.cpp : 80 + 0x5]
    eip = 0x0638e7ab esp = 0xbfff6160 ebp = 0xbfff6188 ebx = 0x0638e762 esi = 0x00000012 edi = 0x176a16c0 eax = 0x00000000 ecx = 0x00000000 edx = 0x00000000 efl = 0x00010246
    Found by: given as instruction pointer in context
 1  XUL!ValueRemat::typeReg [RematInfo.h : 70 + 0x3c]
    eip = 0x0646fd8a esp = 0xbfff6190 ebp = 0xbfff61a8 ebx = 0x0646fd4c esi = 0x00000012 edi = 0x176a16c0
    Found by: call frame info
 2  XUL!js::mjit::Compiler::jsop_equality_int_string [FastArithmetic.cpp : 1055 + 0xa]
    eip = 0x06459202 esp = 0xbfff61b0 ebp = 0xbfff62f8 ebx = 0x06458c30 esi = 0x00000012 edi = 0x176a16c0
    Found by: call frame info
 3  XUL!js::mjit::Compiler::jsop_relational [FastOps.cpp : 741 + 0x26]
    eip = 0x06466ce3 esp = 0xbfff6300 ebp = 0xbfff6348 ebx = 0x064669e6 esi = 0x00000012 edi = 0x176a16c0
    Found by: call frame info
 4  XUL!js::mjit::Compiler::generateMethod [Compiler.cpp : 894 + 0x32]
    eip = 0x06442893 esp = 0xbfff6350 ebp = 0xbfff66d8 ebx = 0x064418e9 esi = 0x00000012 edi = 0x176a16c0
    Found by: call frame info
 5  XUL!js::mjit::Compiler::performCompilation [Compiler.cpp : 195 + 0xa]
    eip = 0x06448b3b esp = 0xbfff66e0 ebp = 0xbfff6748 ebx = 0x064488f7 esi = 0x16c4c8e8 edi = 0x176a16c0
    Found by: call frame info
 6  XUL!js::mjit::Compiler::compile [Compiler.cpp : 130 + 0x11]
    eip = 0x06448d20 esp = 0xbfff6750 ebp = 0xbfff6788 ebx = 0x06448c12 esi = 0x0000000c edi = 0x176a16c0
    Found by: call frame info
 7  XUL!js::mjit::TryCompile [Compiler.cpp : 228 + 0xd]
    eip = 0x06449142 esp = 0xbfff6790 ebp = 0xbfff9678 ebx = 0x06449090 esi = 0x0000000c edi = 0x176a16c0
    Found by: call frame info
 8  XUL!UncachedInlineCall [InvokeHelpers.cpp : 386 + 0x11]
    eip = 0x064844d6 esp = 0xbfff9680 ebp = 0xbfff9708 ebx = 0x0648428f esi = 0x0000000c edi = 0x176a16c0
    Found by: call frame info
 9  XUL!js::mjit::stubs::UncachedCallHelper [InvokeHelpers.cpp : 463 + 0x18]
    eip = 0x06484687 esp = 0xbfff9710 ebp = 0xbfff9738 ebx = 0x06484590 esi = 0x0000c000 edi = 0x176a16c0
    Found by: call frame info
10  XUL!CallCompiler::update [MonoIC.cpp : 787 + 0x25]
    eip = 0x0647365c esp = 0xbfff9740 ebp = 0xbfff97a8 ebx = 0x06473602 esi = 0x0000c000 edi = 0x176a16c0
    Found by: call frame info
11  XUL!js::mjit::ic::Call [MonoIC.cpp : 845 + 0xa]
    eip = 0x0646ed14 esp = 0xbfff97b0 ebp = 0xbfff97f8 ebx = 0x01000078 esi = 0x0000c000 edi = 0x176a16c0
    Found by: call frame info
12  0x16606524
    eip = 0x16606525 esp = 0xbfff9800 ebp = 0xbfff9838 ebx = 0x01000078 esi = 0x0000c000 edi = 0x176a16c0
    Found by: call frame info
13  XUL!js::mjit::EnterMethodJIT [MethodJIT.cpp : 742 + 0x1f]
    eip = 0x06426a31 esp = 0xbfff9840 ebp = 0xbfff9888
    Found by: previous frame's frame pointer
14  XUL!CheckStackAndEnterMethodJIT [MethodJIT.cpp : 767 + 0x1f]
    eip = 0x06426b48 esp = 0xbfff9890 ebp = 0xbfff98c8 ebx = 0x06426bbb esi = 0x1660575c
    Found by: call frame info
15  XUL!js::mjit::JaegerShot [MethodJIT.cpp : 784 + 0x1c]
    eip = 0x06426c70 esp = 0xbfff98d0 ebp = 0xbfff98f8 ebx = 0x06426bbb esi = 0x1660575c
    Found by: call frame info
16  XUL!js::RunScript [jsinterp.cpp : 634 + 0xa]
    eip = 0x062c9a5a esp = 0xbfff9900 ebp = 0xbfff9938 ebx = 0x062c9984 esi = 0x00000000
    Found by: call frame info
```
Updated•14 years ago
Whiteboard: [jmcrash]

Comment 1•14 years ago
Here's a reduced testcase. I'll fix this now.

```js
function f(x) {
    if ("hi" == (x & 3)) {
        return 1;
    }
}
f(12);
```
Status: NEW → ASSIGNED

Comment 2•14 years ago
This patch guarantees that the call to lvr.typeReg() will not occur if lhs has a known type. The if condition is logically equivalent to:

    (lhs->isTypeKnown() ==> lhsInt) && (rhs->isTypeKnown() ==> rhsInt)

Taking the contrapositive:

    (!lhsInt ==> !lhs->isTypeKnown()) && (!rhsInt ==> !rhs->isTypeKnown())

Since each type test is guarded by !lhsInt or !rhsInt, this is exactly what we need.
Attachment #485820 - Flags: review?(dvander)
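As an added example (not the bug's patch, which lives only in attachment 485820, and not SpiderMonkey code), a small C++ model of the reasoning in comment 2: it checks, over every valid operand state, that the stated condition and its contrapositive agree, that under that guard typeReg() is never requested for an operand whose type is already known, and that the reduced testcase from comment 1 does reach such a call on a model of the pre-fix path. Operand, typeReg, guard, equalityFixed and equalityBuggy are invented names, and the pre-fix path is a simplified assumption rather than the real method JIT code.

```cpp
// Hypothetical model (not SpiderMonkey code) of the frame-entry state the method
// JIT tracks per operand: whether it is a compile-time constant and its static
// type, if known. A constant always has a known type here.
enum Type { Unknown, Int32, String };
struct Operand {
    bool isConstant; Type type;
    bool isTypeKnown() const { return type != Unknown; }
    bool isInt() const { return type == Int32; }
};
// Model of ValueRemat::typeReg(): a type register only exists for a value that is
// neither a constant nor of known type, which is what RematInfo.h:70 asserts.
// Returning false models the assertion firing.
static bool typeReg(const Operand &o) { return !o.isConstant && !o.isTypeKnown(); }

// Guard from comment 2, (lhs.isTypeKnown ==> lhsInt) && (rhs.isTypeKnown ==> rhsInt),
// and its contrapositive, (!lhsInt ==> !lhs.isTypeKnown) && (!rhsInt ==> !rhs.isTypeKnown).
static bool guard(const Operand &l, const Operand &r) {
    return (!l.isTypeKnown() || l.isInt()) && (!r.isTypeKnown() || r.isInt());
}
static bool guardContrapositive(const Operand &l, const Operand &r) {
    return (l.isInt() || !l.isTypeKnown()) && (r.isInt() || !r.isTypeKnown());
}

// Fixed int/string path: each runtime type test runs only when that operand is not
// statically an int, so typeReg() is never reached for a known type.
// Returns false if the assertion would fire.
static bool equalityFixed(const Operand &l, const Operand &r) {
    if (!guard(l, r)) return true;                 // generic path instead
    if (!l.isInt() && !typeReg(l)) return false;
    if (!r.isInt() && !typeReg(r)) return false;
    return true;
}
// Assumed pre-fix path: once one side is a known int, the other side's type
// register is requested at runtime even if its type is already known statically.
static bool equalityBuggy(const Operand &l, const Operand &r) {
    if (r.isInt() && !l.isInt() && !typeReg(l)) return false;
    if (l.isInt() && !r.isInt() && !typeReg(r)) return false;
    return true;
}

// The reduced testcase, "hi" == (x & 3): a constant string against a known int.
static const Operand kHi = { true, String }, kXand3 = { false, Int32 };

// Over every valid operand pair (25 of them), the two guard forms agree and the
// fixed path never reaches a typeReg() call that would assert.
static bool guardHoldsEverywhere() {
    static const Operand states[] = { {false, Unknown}, {false, Int32}, {false, String},
                                      {true, Int32}, {true, String} };
    for (const Operand &l : states) for (const Operand &r : states)
        if (guard(l, r) != guardContrapositive(l, r) || !equalityFixed(l, r)) return false;
    return true;
}
```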
Comment 4•14 years ago
Apparently this crash causes Gmail failures. A debug stack is attached for bug 607239.
Comment 5•14 years ago
Comment on attachment 485820 (fix)

Stealing with permission of dvander.
Attachment #485820 - Flags: review?(dvander) → review+
Comment 6•14 years ago
http://hg.mozilla.org/tracemonkey/rev/beb157e79468

Pushed on request from Brendan. Fixed a related, nearby issue in a quick way.
Whiteboard: [jmcrash] → [jmcrash], fixed-in-tracemonkey
Comment 7•14 years ago
Thanks, Sean.
Comment 8•14 years ago
sstangl id'ed this as a cause of my woe. Isn't this a JaegerShot topcrash in release builds? If so, is it a topcrash? It sure is for me! :-(

/be
Assignee: general → wmccloskey
blocking2.0: --- → ?
Sounds like it could cause any method JIT crash on trunk since the 18th.
Updated•14 years ago
blocking2.0: ? → beta7+
Comment 10•14 years ago
The only bug I see with the test URL in comment zero has this signature on Windows: KERNELBASE.dll@0xb727

http://phandroid.com/2010/10/10/android-market-gets-a-hot-update-to-add-froyos-once-exclusive-features/
http://crash-stats.mozilla.com/report/index/5d2e3265-3780-45b7-9bc8-5830d2101011

That signature has just a few crashes per day and ranks around #150. Are there other signatures to look for? If this is in tracemonkey it may be going to trunk soon, so it would make it to b7 too.
See comment #9; the crash in comment #0 is only a debug-mode assertion. Also, I don't think the regressing patch landed on beta 7.
Comment 12•14 years ago
http://hg.mozilla.org/mozilla-central/rev/beb157e79468
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED