Closed
Bug 1124617
Opened 10 years ago
Closed 9 years ago
Assertion failure: isLowered(), at js/src/jit/MIR.h:716 or Crash [@ js::jit::LiveInterval::addRangeAtHead] with Float32Array
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1107011
| Tracking | Status | |
|---|---|---|
| firefox38 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:])
Crash Data
The following testcase crashes on mozilla-central revision 34e2d2bd7ec4 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --thread-count=2):
setJitCompilerOption("ion.warmup.trigger", 50);
var f32 = new Float32Array(32);
function f(n) {
var x;
if (n > 10000) {
x = 4.5;
} else {
x = f32[0];
}
f32[0] = (function() {
for(var f=0;f<4;++f) {
x=1;
}
})() < x;
}
for (var n = 0; n < 100; n++)
f(n);
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7ee4700 (LWP 30424)]
js::jit::LiveInterval::addRangeAtHead (this=0x0, from=..., to=...) at js/src/jit/LiveRangeAllocator.cpp:158
158 return ranges_.append(newRange);
#0 js::jit::LiveInterval::addRangeAtHead (this=0x0, from=..., to=...) at js/src/jit/LiveRangeAllocator.cpp:158
#1 0x0000000000693bf3 in js::jit::LiveRangeAllocator<js::jit::LinearScanVirtualRegister, true>::buildLivenessInfo (this=0x7ffff7ee3b00) at js/src/jit/LiveRangeAllocator.cpp:851
#2 0x000000000066f17d in js::jit::LinearScanAllocator::go (this=0x7ffff7ee3b00) at js/src/jit/LinearScan.cpp:1288
#3 0x00000000005bc8a7 in js::jit::GenerateLIR (mir=0x17ce7b8) at js/src/jit/Ion.cpp:1487
#4 0x00000000005bd195 in js::jit::CompileBackEnd (mir=0x17ce7b8) at js/src/jit/Ion.cpp:1575
#5 0x00000000008827d7 in js::HelperThread::handleIonWorkload (this=0x16d1e50) at js/src/vm/HelperThreads.cpp:1084
#6 0x000000000088a61d in js::HelperThread::threadLoop (this=0x16d1e50) at js/src/vm/HelperThreads.cpp:1380
#7 0x000000000087dc89 in nspr::Thread::ThreadRoutine (arg=0x16d3fb0) at js/src/vm/PosixNSPR.cpp:45
#8 0x00007ffff7bc4e9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#9 0x00007ffff6cc4ccd in clone () from /lib/x86_64-linux-gnu/libc.so.6
#10 0x0000000000000000 in ?? ()
rax 0x17d7ac0 25000640
rbx 0x3 3
rcx 0x0 0
rdx 0x41 65
rsi 0x38 56
rdi 0x0 0
rbp 0x41 65
rsp 0x7ffff7ee2de0 140737352969696
r8 0x17d7978 25000312
r9 0x0 0
r10 0x0 0
r11 0x17dc348 25019208
r12 0x17d8ab8 25004728
r13 0x17d8a48 25004616
r14 0x7ffff7ee3b00 140737352973056
r15 0x1 1
rip 0x65d3be <js::jit::LiveInterval::addRangeAtHead(js::jit::CodePosition, js::jit::CodePosition)+14>
=> 0x65d3be <js::jit::LiveInterval::addRangeAtHead(js::jit::CodePosition, js::jit::CodePosition)+14>: mov 0x20(%rdi),%rax
0x65d3c2 <js::jit::LiveInterval::addRangeAtHead(js::jit::CodePosition, js::jit::CodePosition)+18>: mov %rdi,%rbx
This could be a duplicate of bug 1108413 but I'm actually not sure because this test uses a Float32Array while the other does not.
|
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 1•10 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/b421cdd4b918
user: Nicolas B. Pierron
date: Fri Dec 19 15:28:31 2014 +0100
summary: Bug 991720 part 4 - Scalar replacement registers the state instead of replacing resume points operands. r=h4writer
This iteration took 301.891 seconds to run.
|
|
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 2•10 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b30570f41c27).
|
||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
|
|
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
|
|
Reporter | |
Comment 3•10 years ago
|
||
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/385840329d91
tag: tip
parent: 236396:02f2f4c75007
parent: 236402:b34ca540cf73
user: Phil Ringnalda
date: Sat Mar 28 21:33:32 2015 -0700
summary: Merge f-t to m-c, a=merge
This iteration took 0.724 seconds to run.
The bug was introduced by a merge (it was not present on either parent).
I don't know which patches from each side of the merge contributed to the bug. Sorry.
|
|
||
Comment 4•10 years ago
|
||
autoBisect got confused as to what caused this bug to no longer occur.
|
||
Comment 5•9 years ago
|
||
This is being worked on in bug 1107011, where the underlying issue is the same.
|
|
||
Comment 6•9 years ago
|
||
(definitely not the same bug as bug 1108413, though)
|
|
||
Updated•9 years ago
|
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•