Closed Bug 1126116 Opened 9 years ago Closed 9 years ago

Assert hit in TypeAnalyzer::checkFloatCoherency()

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Version:
38 Branch
Platform:
All
Windows 8.1
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla38
Tracking Flags:
Tracking Status
firefox35 --- affected
firefox36 --- affected
firefox37 --- affected
firefox38 --- affected

People

(Reporter: jgilbert, Assigned: bbouvier)

References

(
URL
)

Details

Attachments

(1 file)

setpropertypolymorphic-float32.patch
1.93 KB, patch
nbp
: review+
Details | Diff | Splinter Review 
I appear to get this consistently.

Stacktrace:
>	xul.dll!`anonymous namespace'::TypeAnalyzer::checkFloatCoherency() Line 1376	C++
 	xul.dll!`anonymous namespace'::TypeAnalyzer::analyze() Line 1393	C++
 	xul.dll!js::jit::ApplyTypeInformation(js::jit::MIRGenerator * mir, js::jit::MIRGraph & graph) Line 1403	C++
 	xul.dll!js::jit::OptimizeMIR(js::jit::MIRGenerator * mir) Line 1236	C++
 	xul.dll!js::jit::CompileBackEnd(js::jit::MIRGenerator * mir) Line 1574	C++
 	xul.dll!js::HelperThread::handleIonWorkload() Line 1084	C++
 	xul.dll!js::HelperThread::threadLoop() Line 1380	C++
 	xul.dll!js::HelperThread::ThreadMain(void * arg) Line 994	C++
 	nss3.dll!_PR_NativeRunThread(void * arg) Line 397	C
 	nss3.dll!pr_root(void * arg) Line 90	C
 	msvcr120.dll!5d7cc01d()	Unknown
Let's see if I can't format that better:

> xul.dll!`anonymous namespace'::TypeAnalyzer::checkFloatCoherency() Line 1376	C++
> xul.dll!`anonymous namespace'::TypeAnalyzer::analyze() Line 1393	C++
> xul.dll!js::jit::ApplyTypeInformation(js::jit::MIRGenerator * mir, js::jit::MIRGraph & graph) Line 1403	C++
> xul.dll!js::jit::OptimizeMIR(js::jit::MIRGenerator * mir) Line 1236	C++
> xul.dll!js::jit::CompileBackEnd(js::jit::MIRGenerator * mir) Line 1574	C++
> xul.dll!js::HelperThread::handleIonWorkload() Line 1084	C++
> xul.dll!js::HelperThread::threadLoop() Line 1380	C++
> xul.dll!js::HelperThread::ThreadMain(void * arg) Line 994	C++
> nss3.dll!_PR_NativeRunThread(void * arg) Line 397	C
> nss3.dll!pr_root(void * arg) Line 90	C
> msvcr120.dll!5d7cc01d()	Unknown
In `consumer->isConsistentFloat32Use(...)`, type() returns MIRType_None, and canConsumeFloat(use) just runs the base virtual function, which unconditionally returns false.

*conumer:
> -   consumer  0x1c97dec0 {shapes_={...} needsBarrier_=false } js::jit::MDefinition *
> +   [js::jit::MSetPropertyPolymorphic]  {shapes_={...} needsBarrier_=false }  js::jit::MSetPropertyPolymorphic
> +   js::jit::MNode  {block_=0x1c97cfc8 {unreachable_=false graph_={blocks_={...} alloc_=0x1c97a010 {lifoScope_={...} } returnAccumulator_=...} ...} } js::jit::MNode
> +   uses_ {...} js::InlineList<js::jit::MUse>
>     id_ 0x00000040  unsigned int
>     flags_  0x00000000  unsigned int
> +   range_  0x00000000 {lower_=??? upper_=??? hasInt32LowerBound_=??? ...}  js::jit::Range *
>     resultType_ MIRType_None (0x00000010) js::jit::MIRType
> +   resultTypeSet_  0x00000000 {...}  js::types::TemporaryTypeSet *
> +   dependency_ 0x00000000 {resumePoint_=??? }  js::jit::MInstruction *
>     virtualRegister_  0x00000000  unsigned int
> +   trackedSite_  0x1c97de98 {tree_=0x1c97a048 {caller_=0x00000000 {caller_=??? callerPc_=??? script_=??? ...} callerPc_=...} ...}  const js::jit::BytecodeSite *
Flags: needinfo?(benj)
Thanks for reporting.  This implies a correctness issue, are you getting weird side-effects?
Do you have a plain JS test case I could use to reproduce? Otherwise, can you attach a debugger on the process, and at the time you're hitting the assertion, can you show the result of these gdb commands:

print def->op()
print consumer->op()
print consumer->type()

Thanks!
Flags: needinfo?(benj) → needinfo?(jgilbert)
Owait, I didn't see you've filled the URL field, so please ignore my second question about getting a reproducible test-case.  I am compiling a debug-optimized browser, so that I can answer my own questions, unless you beat me to it.
So apparently, SetPropertyPolymorphic can receive Float32. Working on it.
Assignee: nobody → benj
Status: NEW → ASSIGNED
Flags: needinfo?(jgilbert)
Just blacklist MSetPropertyPolymorphic as a potential receiver of float32 value inputs, as MSetPropertyCache.
Attachment #8555229 - Flags: review?(nicolas.b.pierron)
Just verified: it fixes the assertion at the url, in a debug browser build.

Bad news: this has been around for long, since the float32 optimizations (bug 888109) or MSetPropertyPolymorphic (bug 846648). As float32 optimizations landed afterwards, this is bug 888109. Setting affected fields.
Blocks: 888109
status-firefox35: --- → affected
status-firefox36: --- → affected
status-firefox37: --- → affected
status-firefox38: --- → affected
Attachment #8555229 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/mozilla-central/rev/4cf56d1211c9
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: