Closed
Bug 1126629
Opened 9 years ago
Closed 9 years ago
Assertion failure: !minimalInterval(interval), at js/src/jit/BacktrackingAllocator.cpp:572
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
mozilla38
Tracking | Status | |
---|---|---|
firefox38 | --- | fixed |
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file, 1 obsolete file)
patch, 3.10 KB (sunfish: review+)
The following testcase crashes on mozilla-central revision 1dd013ece082 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-regalloc=backtracking --ion-eager --ion-offthread-compile=off):

function intLength (a, l) {
    var res = 0;
    for (var i = 0; i < l; i++)
        res += a.length;
    return res / l;
}
var denseArray = [0,1,2,3,4,5,6,7,8,9];
intLength(denseArray, 10);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x082298ed in js::jit::BacktrackingAllocator::processInterval (this=this@entry=0xffffab98, interval=interval@entry=0x970cb50) at js/src/jit/BacktrackingAllocator.cpp:572
572 MOZ_ASSERT(!minimalInterval(interval));
#0 0x082298ed in js::jit::BacktrackingAllocator::processInterval (this=this@entry=0xffffab98, interval=interval@entry=0x970cb50) at js/src/jit/BacktrackingAllocator.cpp:572
#1 0x0822accc in js::jit::BacktrackingAllocator::go (this=0xffffab98) at js/src/jit/BacktrackingAllocator.cpp:111
#2 0x082ac037 in js::jit::GenerateLIR (mir=mir@entry=0x9701ec8) at js/src/jit/Ion.cpp:1508
#3 0x082af48e in js::jit::CompileBackEnd (mir=mir@entry=0x9701ec8) at js/src/jit/Ion.cpp:1577
#4 0x082c871d in IonCompile (optimizationLevel=js::jit::Optimization_Normal, recompile=false, constructing=false, osrPc=0x96fe7f3 "\343\201V", baselineFrame=0xf60feda0, script=0xf5d491c0, cx=0x9657928) at js/src/jit/Ion.cpp:1848
#5 js::jit::Compile (cx=cx@entry=0x9657928, script=script@entry=0xf5d491c0, osrFrame=osrFrame@entry=0xf60feda0, osrPc=osrPc@entry=0x96fe7f3 "\343\201V", constructing=false, forceRecompile=false) at js/src/jit/Ion.cpp:2001
#6 0x082c8c3b in js::jit::CanEnterAtBranch (cx=cx@entry=0x9657928, script=0xf5d491c0, osrFrame=osrFrame@entry=0xf60feda0, pc=pc@entry=0x96fe7f3 "\343\201V") at js/src/jit/Ion.cpp:2070
#7 0x082c8f54 in EnsureCanEnterIon (jitcodePtr=<synthetic pointer>, pc=0x96fe7f3 "\343\201V", script=0xf5d491c0, frame=0xf60feda0, cx=0x9657928, stub=<optimized out>) at js/src/jit/BaselineIC.cpp:764
#8 DoWarmUpCounterFallback (infoPtr=0xf60fed7c, frame=0xf60feda0, stub=0x96fe3d0, cx=0x9657928) at js/src/jit/BaselineIC.cpp:928
#9 js::jit::DoWarmUpCounterFallback (cx=cx@entry=0x9657928, stub=stub@entry=0x96fe3d0, frame=frame@entry=0xf60feda0, infoPtr=infoPtr@entry=0xf60fed7c) at js/src/jit/BaselineIC.cpp:885
#10 0x084c0ba0 in js::jit::Simulator::softwareInterrupt (this=0x9656eb0, instr=0x96c703c) at js/src/jit/arm/Simulator-arm.cpp:2174
#11 0x084bd61d in js::jit::Simulator::instructionDecode (this=this@entry=0x9656eb0, instr=instr@entry=0x96c703c) at js/src/jit/arm/Simulator-arm.cpp:4168
#12 0x084eb474 in js::jit::Simulator::execute<false> (this=0x9656eb0) at js/src/jit/arm/Simulator-arm.cpp:4223
#13 0x084c1365 in js::jit::Simulator::callInternal (this=this@entry=0x9656eb0, entry=entry@entry=0xf62ac8b0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4311
#14 0x084c168c in js::jit::Simulator::call (this=0x9656eb0, entry=0xf62ac8b0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=8) at js/src/jit/arm/Simulator-arm.cpp:4394
#15 0x082bb00e in EnterIon (data=..., cx=0x9657928) at js/src/jit/Ion.cpp:2238
#16 js::jit::IonCannon (cx=0x9657928, state=...) at js/src/jit/Ion.cpp:2320
#17 0x086bc98c in js::RunScript (cx=cx@entry=0x9657928, state=...) at js/src/vm/Interpreter.cpp:428
#18 0x086bd1b7 in js::Invoke (cx=cx@entry=0x9657928, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:517
#19 0x086be238 in js::Invoke (cx=0x9657928, thisv=..., fval=..., argc=2, argv=0xf60feec0, rval=$jsval(-nan(0xfff8200000000))) at js/src/vm/Interpreter.cpp:554
#20 0x082e0b97 in js::jit::DoCallFallback (cx=cx@entry=0x9657928, frame=frame@entry=0xf60fef00, stub_=stub_@entry=0x96fe158, argc=argc@entry=2, vp=vp@entry=0xf60feeb0, res=res@entry=$jsval(-nan(0xfff8200000000))) at js/src/jit/BaselineIC.cpp:9325
#21 0x084c0b46 in js::jit::Simulator::softwareInterrupt (this=0x9656eb0, instr=0x96c6db4) at js/src/jit/arm/Simulator-arm.cpp:2188
#22 0x084bd61d in js::jit::Simulator::instructionDecode (this=this@entry=0x9656eb0, instr=instr@entry=0x96c6db4) at js/src/jit/arm/Simulator-arm.cpp:4168
#23 0x084eb474 in js::jit::Simulator::execute<false> (this=0x9656eb0) at js/src/jit/arm/Simulator-arm.cpp:4223
#24 0x084c1365 in js::jit::Simulator::callInternal (this=this@entry=0x9656eb0, entry=entry@entry=0xf62ac8b0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4311
#25 0x084c168c in js::jit::Simulator::call (this=0x9656eb0, entry=0xf62ac8b0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=8) at js/src/jit/arm/Simulator-arm.cpp:4394
#26 0x082bb00e in EnterIon (data=..., cx=0x9657928) at js/src/jit/Ion.cpp:2238
#27 js::jit::IonCannon (cx=0x9657928, state=...) at js/src/jit/Ion.cpp:2320
#28 0x086bc98c in js::RunScript (cx=cx@entry=0x9657928, state=...) at js/src/vm/Interpreter.cpp:428
#29 0x086bca60 in js::ExecuteKernel (cx=cx@entry=0x9657928, script=0xf5d49128, scopeChainArg=(JSObject &) @0xf5d45040 [object global] delegate, thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:657
#30 0x086bced9 in js::Execute (cx=0x9657928, script=0xf5d49128, scopeChainArg=(JSObject &) @0xf5d45040 [object global] delegate, rval=0x0) at js/src/vm/Interpreter.cpp:694
#31 0x0854c634 in ExecuteScript (cx=0x9657928, obj=(JSObject * const) 0xf5d45040 [object global] delegate, scriptArg=0xf5d49128, rval=0x0) at js/src/jsapi.cpp:4239
#32 0x0805fa41 in RunFile (compileOnly=false, file=0x96fdb18, filename=0xffffd071 "min.js", obj=..., cx=0x9657928) at js/src/shell/js.cpp:453
#33 Process (cx=cx@entry=0x9657928, obj_=<optimized out>, filename=0xffffd071 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:586
#34 0x0806c7b3 in ProcessArgs (op=0xffffcc80, obj_=<optimized out>, cx=0x9657928) at js/src/shell/js.cpp:5514
#35 Shell (op=0xffffcc80, cx=0x9657928, envp=<optimized out>) at js/src/shell/js.cpp:5755
#36 main (argc=7, argv=0xffffce34, envp=0xffffce54) at js/src/shell/js.cpp:6096
eax 0x0 0
ebx 0x9612ff4 157364212
ecx 0xf7e5e8ac -135927636
edx 0x0 0
esi 0x970cb50 158387024
edi 0xffffab98 -21608
ebp 0xffffa258 4294943320
esp 0xffffa1f0 4294943216
eip 0x82298ed <js::jit::BacktrackingAllocator::processInterval(js::jit::LiveInterval*)+717>
=> 0x82298ed <js::jit::BacktrackingAllocator::processInterval(js::jit::LiveInterval*)+717>: movl $0x23c,0x0
0x82298f7 <js::jit::BacktrackingAllocator::processInterval(js::jit::LiveInterval*)+727>: call 0x804aa50 <abort@plt>
Reporter
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 1•9 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ccca03a662e3
parent: 225581:2cca9e9d7ccf
user: Brian Hackett
date: Sat Jan 24 17:16:01 2015 -0700
summary: Bug 948838 - Adjust backtracking allocator splitting mechanism for hot vs. cold code, r=sunfish.

This iteration took 569.479 seconds to run.
Assignee
Comment 3•9 years ago
LSoftDivI on ARM uses the same register (r1) as a fixed use and a fixed temp. The vreg used for the fixed use also has an ANY use on the output of the instruction for the safepoint. When the same interval was used for both of those uses we thought we had a minimal interval covering the input and output, which isn't compatible with the temp's vreg at the output. The attached patch fixes this by making sure minimalInterval knows that intervals containing multiple uses with at least one fixed will be split up by splitAtAllRegisterUses. The patch also fixes splitAtAllRegisterUses so it actually does that, since its logic is a little messed up.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8561132 -
Flags: review?(sunfish)
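A simplified model of the minimal-interval check that comment 3 describes, added here as an illustration and not taken from the patch or from SpiderMonkey. The types, the position numbering and every function name are assumptions.

```cpp
#include <cstdio>
#include <vector>

// Simplified model for illustration; all names are hypothetical, not SpiderMonkey code.
enum class Policy { Any, Register, Fixed };
struct Use { Policy policy; int pos; };
struct Interval { int from, to; std::vector<Use> uses; };
// Instruction n has an input position 2n and an output position 2n+1.
static int inputOf(int ins)  { return 2 * ins; }
static int outputOf(int ins) { return 2 * ins + 1; }

// True when the interval starts at the input of the instruction holding `u` and ends by its output.
static bool coversOnlyInstructionOf(const Interval& iv, const Use& u) {
    int ins = u.pos / 2;
    return iv.from == inputOf(ins) && iv.to <= outputOf(ins);
}

// Pre-fix behaviour as comment 3 describes it: a register use on a tightly
// covered instruction marks the interval minimal; ANY uses are ignored.
bool minimalBefore(const Interval& iv) {
    for (const Use& u : iv.uses)
        if (u.policy != Policy::Any && coversOnlyInstructionOf(iv, u))
            return true;
    return false;
}

// Post-fix behaviour: several uses with at least one fixed means the interval
// can still be split at its uses, so it is not reported as minimal.
bool minimalAfter(const Interval& iv) {
    bool fixed = false;
    for (const Use& u : iv.uses)
        fixed = fixed || u.policy == Policy::Fixed;
    return minimalBefore(iv) && !(iv.uses.size() > 1 && fixed);
}

// Constructed input: fixed use at the input of instruction 5 plus an ANY use (safepoint) at its output.
Interval softDivInterval() {
    return {inputOf(5), outputOf(5),
            {{Policy::Fixed, inputOf(5)}, {Policy::Any, outputOf(5)}}};
}

// Constructed input: the fixed use alone, as it would look after splitting.
Interval fixedUseOnly() {
    return {inputOf(5), inputOf(5), {{Policy::Fixed, inputOf(5)}}};
}

int main() {
    std::printf("before=%d after=%d split=%d\n", minimalBefore(softDivInterval()), minimalAfter(softDivInterval()), minimalAfter(fixedUseOnly()));
}
```

In this model the combined interval is reported minimal by the pre-fix rule and splittable by the post-fix rule, while the fixed use on its own stays minimal either way.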
Assignee
Comment 4•9 years ago
Oops, wrong patch.
Attachment #8561132 -
Attachment is obsolete: true
Attachment #8561132 -
Flags: review?(sunfish)
Attachment #8561133 -
Flags: review?(sunfish)
Comment 5•9 years ago
Comment on attachment 8561133 [details] [diff] [review] patch Review of attachment 8561133 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/BacktrackingAllocator.cpp @@ +1677,5 @@ > *pfixed = reg.def()->policy() == LDefinition::FIXED && reg.def()->output()->isRegister(); > return minimalDef(interval, reg.ins()); > } > > + bool fixed = false, minimal = false, multiple = false;; Style nit: duplicate semicolon.
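Review bot: the added declaration `bool fixed = false, minimal = false, multiple = false;;` introduces three flags with no comment saying what each one records. Besides dropping the doubled semicolon, a short comment above the declaration, especially for `multiple`, would make the code that sets and combines these flags easier to verify.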
Attachment #8561133 -
Flags: review?(sunfish) → review+
Assignee
Comment 6•9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/162e8e32b182
Comment 7•9 years ago
https://hg.mozilla.org/mozilla-central/rev/162e8e32b182
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38