Closed Bug 1082611 Opened 10 years ago Closed 10 years ago

Assertion failure: pred->isLoopBackedge(), at jit/IonAnalysis.cpp:1905 or Crash [@ js::jit::LiveInterval::addRangeAtHead]

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1077991
Tracking Status
firefox36 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase asserts on mozilla-central revision 54217864bae9 (run with --no-threads --fuzzing-safe --ion-eager):

for ( var n = 4; n <= 7; n += 1 ) {
  var minDepth = 4;
  var maxDepth = Math.max(minDepth + 2, n);
  for (var depth=minDepth; depth<=maxDepth; depth+=2) {
    var iterations = 1 << (maxDepth - depth + minDepth);
    try {
      c6+=1;
      break;
    } catch(er1){}
    for (var i=1; i<=iterations; i++){}
  }
}

Crash seems to be a null-deref:

Program received signal SIGSEGV, Segmentation fault.
js::jit::LiveInterval::addRangeAtHead (this=0x0, from=..., to=...) at js/src/jit/LiveRangeAllocator.cpp:158
158             return ranges_.append(newRange);
#0  js::jit::LiveInterval::addRangeAtHead (this=0x0, from=..., to=...) at js/src/jit/LiveRangeAllocator.cpp:158
#1  0x0000000000679384 in js::jit::LiveRangeAllocator<js::jit::LinearScanVirtualRegister, true>::buildLivenessInfo (this=0x7fffffffae50) at js/src/jit/LiveRangeAllocator.cpp:851
#2  0x000000000065367d in js::jit::LinearScanAllocator::go (this=0x7fffffffae50) at js/src/jit/LinearScan.cpp:1284
#3  0x000000000059e16a in js::jit::GenerateLIR (mir=0x17d1778) at js/src/jit/Ion.cpp:1751
#4  0x000000000059ea05 in js::jit::CompileBackEnd (mir=0x17d1778) at js/src/jit/Ion.cpp:1839
#5  0x00000000005cd452 in IonCompile (optimizationLevel=js::jit::Optimization_Normal, recompile=false, executionMode=<optimized out>, constructing=<optimized out>, osrPc=<optimized out>, baselineFrame=<optimized out>, script=<optimized out>, cx=0x16934f0) at js/src/jit/Ion.cpp:2126
#6  js::jit::Compile (cx=0x16934f0, script=..., osrFrame=<optimized out>, osrPc=<optimized out>, constructing=<optimized out>, executionMode=<optimized out>) at js/src/jit/Ion.cpp:2295
#7  0x00000000005cd81b in js::jit::CanEnterAtBranch (cx=0x16934f0, script=0x7ffff5334510, osrFrame=<optimized out>, pc=<optimized out>) at js/src/jit/Ion.cpp:2357
rdi     0x0     0
=> 0x6460be <js::jit::LiveInterval::addRangeAtHead(js::jit::CodePosition, js::jit::CodePosition)+14>:   mov    0x20(%rdi),%rax
Crash Signature: [@ js::jit::LiveInterval::addRangeAtHead]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/8f27a48a25d5
user:        Dan Gohman
date:        Wed Sep 17 10:27:25 2014 -0700
summary:     Bug 1029830 - IonMonkey: GVN: Replace UCE with GVN r=nbp

This iteration took 3.274 seconds to run.
Needinfo from sunfish based on comment 3.
Flags: needinfo?(sunfish)
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(sunfish)
Resolution: --- → DUPLICATE
Group: core-security
Group: core-security → core-security-release
Group: core-security-release