Assertion failure: *def->output() == alloc, at jit/RegisterAllocator.cpp involving Array.buildPar

RESOLVED WONTFIX

Status

()

Core
JavaScript Engine: JIT
--
critical
RESOLVED WONTFIX
3 years ago
3 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
x86_64
Mac OS X
assertion, regression, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox35 affected)

Details

(Whiteboard: [jsbugmon:update,testComment=8,origRev=27d545252264,ignore])

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
function f() {}
for (var j = 0; j < 99; ++j) {
    (function() {
        f
    })()
}
f = function() {}
Array.buildPar(8, function(y) {
    Math.pow(Math.fround(8 % y), f([] ? y : -([] >>> 0)))
})

asserts js debug shell on m-c changeset 6a63bcb6e0d3 with --ion-offthread-compile=off --ion-gvn=off at Assertion failure: *def->output() == alloc, at jit/RegisterAllocator.cpp.

Debug configure flags:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Flags: needinfo?
(Reporter)

Comment 1

3 years ago
Waiting on a bisect result before setting needinfo.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user:        Jan de Mooij
date:        Thu Jul 24 11:56:43 2014 +0200
summary:     Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett

changeset:   https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user:        Jan de Mooij
date:        Thu Jul 24 11:56:45 2014 +0200
summary:     Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium

This iteration took 475.829 seconds to run.
(Reporter)

Comment 3

3 years ago
This is probably more correct:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cd7125c33385
user:        Shu-yu Guo
date:        Fri Jun 20 18:39:14 2014 -0700
summary:     Bug 1019304 - Part 2: Overhaul PJS bailout mechanism to be like the normal bailout mechanism. (r=nmatsakis)

Shu-yu, is bug 1019304 a likely regressor?
Blocks: 1019304
Flags: needinfo? → needinfo?(shu)
(Reporter)

Updated

3 years ago
OS: Linux → Mac OS X
Hardware: x86 → x86_64
(Reporter)

Comment 4

3 years ago
Created attachment 8498165 [details]
stack

(lldb) bt 5
* thread #1: tid = 0x2e6510, 0x00000001003cce8c js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::AllocationIntegrityState::checkIntegrity(js::jit::LBlock*, js::jit::LInstruction*, unsigned int, js::jit::LAllocation, bool) [inlined] js::jit::LInstruction::toMoveGroup() + 28 at LIR.h:1704, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001003cce8c js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::AllocationIntegrityState::checkIntegrity(js::jit::LBlock*, js::jit::LInstruction*, unsigned int, js::jit::LAllocation, bool) [inlined] js::jit::LInstruction::toMoveGroup() + 28 at LIR.h:1704
    frame #1: 0x00000001003cce70 js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::AllocationIntegrityState::checkIntegrity(this=<unavailable>, block=<unavailable>, ins=<unavailable>, vreg=<unavailable>, populateSafepoints=<unavailable>, alloc=<unavailable>) + 1232 at RegisterAllocator.cpp:192
    frame #2: 0x00000001003cb558 js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::AllocationIntegrityState::check(this=0x00000001040e26b0, populateSafepoints=false) + 1432 at RegisterAllocator.cpp:172
    frame #3: 0x000000010026f056 js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::GenerateLIR(mir=0x00000001040e5da8) + 1990 at Ion.cpp:1726
    frame #4: 0x0000000100270e96 js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, js::ExecutionMode) [inlined] js::jit::CompileBackEnd(mir=0x00000001040e5da8, aRhs=<unavailable>) + 57 at Ion.cpp:1810
(lldb)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 15099ba111e8).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/27d545252264
user:        Jyri Pyykkönen
date:        Tue Oct 21 15:28:05 2014 +0200
summary:     Bug 1076922 - Implement RToFloat32 Recover instruction. r=nbp

This iteration took 332.972 seconds to run.
nbp, can you check if the fix in comment 6 is relevant for fixing this bug too?
Flags: needinfo?(nicolas.b.pierron)
(In reply to Christian Holler (:decoder) from comment #7)
> nbp, can you check if the fix in comment 6 is relevant for fixing this bug
> too?

No, it is not.
The patch in comment 6 is an optimization which remove code which is unused by Ion compilations.

The following test case


function f() {}
for (var j = 0; j < 99; ++j) {
    (function() {
        f
    })()
}
f = function() {}
var g = function() { with({}) {}; }
Array.buildPar(8, function(y) {
    Math.pow(g(8 % y), f([] ? y : -([] >>> 0)))
})


asserts js debug shell on changeset 27d545252264 with --ion-offthread-compile=off --ion-gvn=off at Assertion failure: *def->output() == alloc, at jit/RegisterAllocator.cpp.
Flags: needinfo?(nicolas.b.pierron)
Thanks Nicolas! Setting tracking for the new test.
Whiteboard: [jsbugmon:] → [jsbugmon:update,testComment=8,origRev=27d545252264]
(Reporter)

Updated

3 years ago
Summary: Assertion failure: *def->output() == alloc, at jit/RegisterAllocator.cpp → Assertion failure: *def->output() == alloc, at jit/RegisterAllocator.cpp involving Array.buildPar
Whiteboard: [jsbugmon:update,testComment=8,origRev=27d545252264] → [jsbugmon:update,testComment=8,origRev=27d545252264,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 206205dd8bd1).
(Reporter)

Comment 11

3 years ago
Since the testcase in comment 8 also has PJS, and this no longer reproduced not too long ago, I'm assuming this is PJS stuff.

PJS has been disabled as per bug 1117764, marking WONTFIX as per other similar bugs.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(shu)
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.