Closed Bug 732858 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: pc == target, at jsopcode.cpp:6008

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

Tracking

RESOLVED FIXED
mozilla13

People

(Reporter: decoder, Assigned: nbp)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

The following testcase asserts on ionmonkey revision 1fd6c40d3852 (run with --ion -n -m --ion-eager):


var gTestcases = new Array;
var gTc = gTestcases;
function TestCase(n, d, e, a) {
  gTestcases[gTc++]=this
}
TestCase.prototype.dump=function () + toPrinted(this.description) + toPrinted(this.reason) + '\n';
function toPrinted(value) DESCRIPTION = "var return = true";
function jsTestDriverEnd() {
  for (var i = 0; i < gTestcases.length; i++)
  gTestcases[i].dump()
}
var SECTION = "dowhile-007";
new TestCase( SECTION, "''.match(new RegExp('.+'))", [], '');
jsTestDriverEnd();
jsTestDriverEnd();
Assignee: general → nicolas.b.pierron
Target Milestone: --- → mozilla13
The assertion reported here is called from RestoreOneFrame, which verifies that the number of pushes made on the interpreter stack is correct.  The frame used to restore did not correspond to the topmost frame of the snapshot.  This bug can also be found with the assertion:

exprStackSlots == js_ReconstructStackDepth(cx, fp->script(), regs.pc)

The bug comes from a bad entry resume point after inlining.  It did not show up before because we disabled inlining of more than one level.  Now we enable inlining of 2 functions, but the caller chain of the entry resume point (of the basic block following the inlined call) was not updated.  This caused the snapshot to map only the inlined frame but not the caller frame.

This patch adds the line to update the caller chain of the entry resume point, which fixes the snapshot, and thus the restoreOneFrame data.

In addition it provides some extra debug information for resume points, which highlighted the bug because the frame count was not matching the script pointer:

Current resume point 0xcf9240 details: // before inlining
    frame count: 1                                     <==
    taken at block 4 entry
    pc: 0xcf7f8a (script: 0x7ffff0a073d0, offset: 26)  <==
    slot0: phi36
Current resume point 0xcf98e0 details: // first inline
    frame count: 2                                     <==
    taken at block 5 entry
    pc: 0xcf47e8 (script: 0x7ffff0a072e0, offset: 0)   <==
    slot0: constant0-vn1
    slot1: constant0-vn1
Current resume point 0xcf9ea0 details: // second inline
    frame count: 3
    taken at block 6 entry
    pc: 0xcf4670 (script: 0x7ffff0a071f0, offset: 0)
    slot0: constant0-vn1
    slot1: constant0-vn1
Current resume point 0xcfa650 details: // resume first inline
    frame count: 1                                     <==
    taken at block 7 entry
    pc: 0xcf47f2 (script: 0x7ffff0a072e0, offset: 10)  <==
    slot0: constant0-vn1
    slot1: constant0-vn1
    slot2: constant0-vn29
Attachment #606057 - Flags: review?(dvander)
Attachment #606057 - Flags: review?(dvander) → review+
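The following is an added illustration written for this page, not IonMonkey source and not part of the patch: a small JavaScript model of resume points and their caller chain, reproducing the frame-count pattern in the debug dump above (1, 2, 3, then 1 for the resume point after the first inlined call). The names ResumePoint, inlineCall, resumeAfterCall and frameCountsForTwoLevelInline, the script labels "outer", "first" and "second", and the use of a callee's entry resume point as a stand-in for the call site inside it are all assumptions of the model; the updateCallerChain flag stands in for the one-line caller-chain update the comment describes.

```javascript
// Added illustration (not IonMonkey code): toy model of resume points whose
// caller chain determines how many frames a snapshot describes.

class ResumePoint {
  constructor(script, offset, caller = null) {
    this.script = script;   // script whose bytecode this resume point belongs to
    this.offset = offset;   // bytecode offset inside that script
    this.caller = caller;   // resume point of the calling frame, null at the top
  }
}

// Frames the snapshot built from `rp` would map: the frame of `rp` itself
// plus one frame per link in its caller chain.
function frameCount(rp) {
  let n = 0;
  for (let cur = rp; cur !== null; cur = cur.caller) n++;
  return n;
}

// Entering an inlined callee: its entry resume point (offset 0) is chained
// to the resume point of the call site in the caller.
function inlineCall(callSiteRp, calleeScript) {
  return new ResumePoint(calleeScript, 0, callSiteRp);
}

// Entry resume point of the basic block following an inlined call, i.e. where
// the caller continues once the inlined callee returns.  With
// updateCallerChain=false the new resume point gets no caller, so a snapshot
// taken from it maps only the inlined frame (the bug); with true it inherits
// the call site's caller chain (the fix).
function resumeAfterCall(callSiteRp, resumeOffset, updateCallerChain) {
  const caller = updateCallerChain ? callSiteRp.caller : null;
  return new ResumePoint(callSiteRp.script, resumeOffset, caller);
}

// Same chain shape as the dump in the bug: outer script at offset 26 ->
// first inlined callee -> second inlined callee -> resume in the first callee
// at offset 10.  (Model assumption: the entry resume point of `first` stands
// in for the call site inside it.)
function frameCountsForTwoLevelInline(updateCallerChain) {
  const outer = new ResumePoint("outer", 26);                          // block 4 entry
  const first = inlineCall(outer, "first");                            // block 5 entry
  const second = inlineCall(first, "second");                          // block 6 entry
  const resumeFirst = resumeAfterCall(first, 10, updateCallerChain);   // block 7 entry
  return [outer, first, second, resumeFirst].map(frameCount);
}

console.log("without caller-chain update:", frameCountsForTwoLevelInline(false));
console.log("with caller-chain update:   ", frameCountsForTwoLevelInline(true));
```

Run with node; the first line reproduces the 1, 2, 3, 1 sequence from the dump, where a frame count of 1 at a resume point whose script pointer is the inlined callee's is the inconsistency the extra debug output exposed. The second line shows the count the block-7 resume point should have once its caller chain is set: two frames, the inlined callee plus its caller.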
https://hg.mozilla.org/projects/ionmonkey/rev/4bab7e913ab63c8ce6dfb85efc7ac2aa2a6dc66a
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug732858.js.
Flags: in-testsuite+