Closed Bug 1083681 Opened 10 years ago Closed 10 years ago

Assertion failure: !operand->isDiscarded(), at jit/IonAnalysis.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla36
Tracking Status
firefox36 --- affected

People

(Reporter: gkw, Assigned: nbp)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

function f() {
    Function() * (function() {})()
}
Array.buildPar(1, f)

asserts js debug shell on m-c changeset a280a03c9f3c with --ion-eager --ion-offthread-compile=off at Assertion failure: !operand->isDiscarded(), at jit/IonAnalysis.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/2a2a1889250e
user:        Nicolas B. Pierron
date:        Wed Oct 15 14:49:38 2014 +0200
summary:     Bug 1055690 - Assert that no operands are discarded. r=sunfish

Nicolas, is bug 1055690 a possible regressor?
Flags: needinfo?(nicolas.b.pierron)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x20c853, 0x00000001002b4f96 js-dbg-opt-64-dm-nsprBuild-darwin-a280a03c9f3c`CheckOperandImpliesUse(n=<unavailable>, operand=<unavailable>) + 214 at IonAnalysis.cpp:1768, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001002b4f96 js-dbg-opt-64-dm-nsprBuild-darwin-a280a03c9f3c`CheckOperandImpliesUse(n=<unavailable>, operand=<unavailable>) + 214 at IonAnalysis.cpp:1768
    frame #1: 0x00000001002b3e01 js-dbg-opt-64-dm-nsprBuild-darwin-a280a03c9f3c`js::jit::AssertBasicGraphCoherency(graph=0x00000001020cc640) + 769 at IonAnalysis.cpp:1839
    frame #2: 0x00000001002b4fda js-dbg-opt-64-dm-nsprBuild-darwin-a280a03c9f3c`js::jit::AssertGraphCoherency(graph=0x00000001020cc640) + 42 at IonAnalysis.cpp:1975
    frame #3: 0x00000001002b2b3d js-dbg-opt-64-dm-nsprBuild-darwin-a280a03c9f3c`js::jit::AssertExtendedGraphCoherency(graph=0x00000001020cc640) + 45 at IonAnalysis.cpp:2005
    frame #4: 0x00000001002b392e js-dbg-opt-64-dm-nsprBuild-darwin-a280a03c9f3c`js::jit::RemoveUnmarkedBlocks(js::jit::MIRGenerator*, js::jit::MIRGraph&, unsigned int) [inlined] js::jit::AccountForCFGChanges(updateAliasAnalysis=<unavailable>) + 71 at IonAnalysis.cpp:1488
(lldb)
(In reply to Gary Kwong [:gkw] [:nth10sd] GMT+8 after Oct 9 from comment #0)
> function f() {
>     Function() * (function() {})()
> }
> Array.buildPar(1, f)
> 
> asserts js debug shell on m-c changeset a280a03c9f3c with --ion-eager
> --ion-offthread-compile=off at Assertion failure: !operand->isDiscarded(),
> at jit/IonAnalysis.cpp.
> 
> Debug configure options:
> 
> CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh
> /Users/skywalker/trees/mozilla-central/js/src/configure
> --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize
> --enable-nspr-build --enable-more-deterministic --with-ccache
> --enable-gczeal --enable-debug-symbols --disable-tests
> 
> autoBisect shows this is probably related to the following changeset:
> 
> The first bad revision is:
> changeset:   https://hg.mozilla.org/mozilla-central/rev/2a2a1889250e
> user:        Nicolas B. Pierron
> date:        Wed Oct 15 14:49:38 2014 +0200
> summary:     Bug 1055690 - Assert that no operands are discarded. r=sunfish
> 
> Nicolas, is bug 1055690 a possible regressor?

Yes, this is adding a new invariant which is here for sanity ;)
I'll investigate.
Ok, the problem is quite simple: apparently, when we convert a block to become unreachable in the ParallelSafetyAnalysis, we do not discard the outer-resume point. The outer resume point is used by the successors of the current block when we inline a function.

As the current block ends with MUnreachable, there is no more need for an outer resume point which captures the state of the stack before the inlined function.
Assignee: nobody → nicolas.b.pierron
Flags: needinfo?(nicolas.b.pierron)
Delta:
 - Not all blocks have an outerResumePoint; check if it is present before
   removing it.
Attachment #8506101 - Attachment is obsolete: true
Attachment #8506101 - Flags: review?(shu)
Attachment #8506107 - Flags: review?(shu)
Attachment #8506107 - Flags: review?(shu) → review+
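Added example, not part of the bug thread or the landed patch: a small stand-alone C++ model of the invariant from bug 1055690 (no live node reads a discarded operand) and of the fix described in the comments above, including the presence check from the delta. Node, Block, makeUnreachable, graphIsCoherent and scenario are hypothetical names, and the model assumes the conversion discards every instruction of the block and that the outer resume point captures one of them.

```cpp
// Simplified model; these are not SpiderMonkey's real MIR classes.
#include <memory>
#include <vector>
struct Node {
    bool discarded = false;
    std::vector<Node*> operands;              // definitions this node reads
};
struct Block {
    std::vector<std::unique_ptr<Node>> instructions;
    std::unique_ptr<Node> outerResumePoint;   // null when the block has none
    Node* add() {
        instructions.push_back(std::make_unique<Node>());
        return instructions.back().get();
    }
};

// Convert a block to unreachable; fixApplied selects the behaviour after the fix.
void makeUnreachable(Block& b, bool fixApplied) {
    for (auto& ins : b.instructions) ins->discarded = true;
    b.add();                                  // stand-in for MUnreachable
    if (fixApplied && b.outerResumePoint)     // not every block has one
        b.outerResumePoint->discarded = true;
}

// Model of the coherency check: no live node may read a discarded operand.
bool graphIsCoherent(const Block& b) {
    std::vector<const Node*> live;
    for (auto& ins : b.instructions)
        if (!ins->discarded) live.push_back(ins.get());
    if (b.outerResumePoint && !b.outerResumePoint->discarded)
        live.push_back(b.outerResumePoint.get());
    for (const Node* n : live)
        for (const Node* op : n->operands)
            if (op->discarded) return false;
    return true;
}

// Constructed scenario: the outer resume point captures one value of the block.
bool scenario(bool hasOuterResumePoint, bool fixApplied) {
    Block b;
    Node* captured = b.add();
    if (hasOuterResumePoint) {
        b.outerResumePoint = std::make_unique<Node>();
        b.outerResumePoint->operands.push_back(captured);
    }
    makeUnreachable(b, fixApplied);
    return graphIsCoherent(b);
}

int main() { return (!scenario(true, false) && scenario(true, true)) ? 0 : 1; }
```

In this model, scenario(true, false) is the state the assertion caught: the outer resume point stays live and still reads a discarded value.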
https://hg.mozilla.org/mozilla-central/rev/fcf1af7b0974
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Depends on: 1095284