Closed Bug 1126629 Opened 9 years ago Closed 9 years ago

Assertion failure: !minimalInterval(interval), at js/src/jit/BacktrackingAllocator.cpp:572

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla38
Tracking Status
firefox38 --- fixed

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision 1dd013ece082 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-regalloc=backtracking --ion-eager --ion-offthread-compile=off):

function intLength (a, l) {
    var res = 0;
    for (var i = 0; i < l; i++)
        res += a.length;
    return res / l;
}
var denseArray = [0,1,2,3,4,5,6,7,8,9];
intLength(denseArray, 10);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x082298ed in js::jit::BacktrackingAllocator::processInterval (this=this@entry=0xffffab98, interval=interval@entry=0x970cb50) at js/src/jit/BacktrackingAllocator.cpp:572
572	        MOZ_ASSERT(!minimalInterval(interval));
#0  0x082298ed in js::jit::BacktrackingAllocator::processInterval (this=this@entry=0xffffab98, interval=interval@entry=0x970cb50) at js/src/jit/BacktrackingAllocator.cpp:572
#1  0x0822accc in js::jit::BacktrackingAllocator::go (this=0xffffab98) at js/src/jit/BacktrackingAllocator.cpp:111
#2  0x082ac037 in js::jit::GenerateLIR (mir=mir@entry=0x9701ec8) at js/src/jit/Ion.cpp:1508
#3  0x082af48e in js::jit::CompileBackEnd (mir=mir@entry=0x9701ec8) at js/src/jit/Ion.cpp:1577
#4  0x082c871d in IonCompile (optimizationLevel=js::jit::Optimization_Normal, recompile=false, constructing=false, osrPc=0x96fe7f3 "\343\201V", baselineFrame=0xf60feda0, script=0xf5d491c0, cx=0x9657928) at js/src/jit/Ion.cpp:1848
#5  js::jit::Compile (cx=cx@entry=0x9657928, script=script@entry=0xf5d491c0, osrFrame=osrFrame@entry=0xf60feda0, osrPc=osrPc@entry=0x96fe7f3 "\343\201V", constructing=false, forceRecompile=false) at js/src/jit/Ion.cpp:2001
#6  0x082c8c3b in js::jit::CanEnterAtBranch (cx=cx@entry=0x9657928, script=0xf5d491c0, osrFrame=osrFrame@entry=0xf60feda0, pc=pc@entry=0x96fe7f3 "\343\201V") at js/src/jit/Ion.cpp:2070
#7  0x082c8f54 in EnsureCanEnterIon (jitcodePtr=<synthetic pointer>, pc=0x96fe7f3 "\343\201V", script=0xf5d491c0, frame=0xf60feda0, cx=0x9657928, stub=<optimized out>) at js/src/jit/BaselineIC.cpp:764
#8  DoWarmUpCounterFallback (infoPtr=0xf60fed7c, frame=0xf60feda0, stub=0x96fe3d0, cx=0x9657928) at js/src/jit/BaselineIC.cpp:928
#9  js::jit::DoWarmUpCounterFallback (cx=cx@entry=0x9657928, stub=stub@entry=0x96fe3d0, frame=frame@entry=0xf60feda0, infoPtr=infoPtr@entry=0xf60fed7c) at js/src/jit/BaselineIC.cpp:885
#10 0x084c0ba0 in js::jit::Simulator::softwareInterrupt (this=0x9656eb0, instr=0x96c703c) at js/src/jit/arm/Simulator-arm.cpp:2174
#11 0x084bd61d in js::jit::Simulator::instructionDecode (this=this@entry=0x9656eb0, instr=instr@entry=0x96c703c) at js/src/jit/arm/Simulator-arm.cpp:4168
#12 0x084eb474 in js::jit::Simulator::execute<false> (this=0x9656eb0) at js/src/jit/arm/Simulator-arm.cpp:4223
#13 0x084c1365 in js::jit::Simulator::callInternal (this=this@entry=0x9656eb0, entry=entry@entry=0xf62ac8b0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4311
#14 0x084c168c in js::jit::Simulator::call (this=0x9656eb0, entry=0xf62ac8b0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=8) at js/src/jit/arm/Simulator-arm.cpp:4394
#15 0x082bb00e in EnterIon (data=..., cx=0x9657928) at js/src/jit/Ion.cpp:2238
#16 js::jit::IonCannon (cx=0x9657928, state=...) at js/src/jit/Ion.cpp:2320
#17 0x086bc98c in js::RunScript (cx=cx@entry=0x9657928, state=...) at js/src/vm/Interpreter.cpp:428
#18 0x086bd1b7 in js::Invoke (cx=cx@entry=0x9657928, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:517
#19 0x086be238 in js::Invoke (cx=0x9657928, thisv=..., fval=..., argc=2, argv=0xf60feec0, rval=$jsval(-nan(0xfff8200000000))) at js/src/vm/Interpreter.cpp:554
#20 0x082e0b97 in js::jit::DoCallFallback (cx=cx@entry=0x9657928, frame=frame@entry=0xf60fef00, stub_=stub_@entry=0x96fe158, argc=argc@entry=2, vp=vp@entry=0xf60feeb0, res=res@entry=$jsval(-nan(0xfff8200000000))) at js/src/jit/BaselineIC.cpp:9325
#21 0x084c0b46 in js::jit::Simulator::softwareInterrupt (this=0x9656eb0, instr=0x96c6db4) at js/src/jit/arm/Simulator-arm.cpp:2188
#22 0x084bd61d in js::jit::Simulator::instructionDecode (this=this@entry=0x9656eb0, instr=instr@entry=0x96c6db4) at js/src/jit/arm/Simulator-arm.cpp:4168
#23 0x084eb474 in js::jit::Simulator::execute<false> (this=0x9656eb0) at js/src/jit/arm/Simulator-arm.cpp:4223
#24 0x084c1365 in js::jit::Simulator::callInternal (this=this@entry=0x9656eb0, entry=entry@entry=0xf62ac8b0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4311
#25 0x084c168c in js::jit::Simulator::call (this=0x9656eb0, entry=0xf62ac8b0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=8) at js/src/jit/arm/Simulator-arm.cpp:4394
#26 0x082bb00e in EnterIon (data=..., cx=0x9657928) at js/src/jit/Ion.cpp:2238
#27 js::jit::IonCannon (cx=0x9657928, state=...) at js/src/jit/Ion.cpp:2320
#28 0x086bc98c in js::RunScript (cx=cx@entry=0x9657928, state=...) at js/src/vm/Interpreter.cpp:428
#29 0x086bca60 in js::ExecuteKernel (cx=cx@entry=0x9657928, script=0xf5d49128, scopeChainArg=(JSObject &) @0xf5d45040 [object global] delegate, thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:657
#30 0x086bced9 in js::Execute (cx=0x9657928, script=0xf5d49128, scopeChainArg=(JSObject &) @0xf5d45040 [object global] delegate, rval=0x0) at js/src/vm/Interpreter.cpp:694
#31 0x0854c634 in ExecuteScript (cx=0x9657928, obj=(JSObject * const) 0xf5d45040 [object global] delegate, scriptArg=0xf5d49128, rval=0x0) at js/src/jsapi.cpp:4239
#32 0x0805fa41 in RunFile (compileOnly=false, file=0x96fdb18, filename=0xffffd071 "min.js", obj=..., cx=0x9657928) at js/src/shell/js.cpp:453
#33 Process (cx=cx@entry=0x9657928, obj_=<optimized out>, filename=0xffffd071 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:586
#34 0x0806c7b3 in ProcessArgs (op=0xffffcc80, obj_=<optimized out>, cx=0x9657928) at js/src/shell/js.cpp:5514
#35 Shell (op=0xffffcc80, cx=0x9657928, envp=<optimized out>) at js/src/shell/js.cpp:5755
#36 main (argc=7, argv=0xffffce34, envp=0xffffce54) at js/src/shell/js.cpp:6096
eax	0x0	0
ebx	0x9612ff4	157364212
ecx	0xf7e5e8ac	-135927636
edx	0x0	0
esi	0x970cb50	158387024
edi	0xffffab98	-21608
ebp	0xffffa258	4294943320
esp	0xffffa1f0	4294943216
eip	0x82298ed <js::jit::BacktrackingAllocator::processInterval(js::jit::LiveInterval*)+717>
=> 0x82298ed <js::jit::BacktrackingAllocator::processInterval(js::jit::LiveInterval*)+717>:	movl   $0x23c,0x0
   0x82298f7 <js::jit::BacktrackingAllocator::processInterval(js::jit::LiveInterval*)+727>:	call   0x804aa50 <abort@plt>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ccca03a662e3
parent:      225581:2cca9e9d7ccf
user:        Brian Hackett
date:        Sat Jan 24 17:16:01 2015 -0700
summary:     Bug 948838 - Adjust backtracking allocator splitting mechanism for hot vs. cold code, r=sunfish.

This iteration took 569.479 seconds to run.
Setting needinfo from comment 1
Flags: needinfo?(bhackett1024)
Attached patch patch (obsolete) — Splinter Review
LSoftDivI on ARM uses the same register (r1) as a fixed use and a fixed temp.  The vreg used for the fixed use also has an ANY use on the output of the instruction for the safepoint.  When the same interval was used for both of those uses we thought we had a minimal interval covering the input and output, which isn't compatible with the temp's vreg at the output.

The attached patch fixes this by making sure minimalInterval knows that intervals containing multiple uses with at least one fixed will be split up by splitAtAllRegisterUses.  The patch also fixes splitAtAllRegisterUses so it actually does that, since its logic is a little messed up.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8561132 - Flags: review?(sunfish)
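The situation described in the comment above, modelled as an added example: this is constructed illustration code, not SpiderMonkey's BacktrackingAllocator. It assumes abstract positions (inputs read at 10, output and temps defined at 11), register number 1 standing for r1, and a splitAtAllRegisterUses that simply makes one piece per use; the function names minimalIntervalOld and minimalIntervalNew are hypothetical stand-ins for the check before and after the fix.

```cpp
#include <iostream>
#include <vector>

// Constructed, simplified model of the live-interval conflict described in
// the bug comment (example code, not SpiderMonkey's BacktrackingAllocator).
// Positions are abstract instruction slots: an instruction reads its inputs
// at position p and defines its output/temps at position p + 1.

enum class Policy { Fixed, Any };

struct Use {
    int pos;        // position of the use
    Policy policy;  // Fixed: must live in `reg`; Any: any register is fine
    int reg;        // only meaningful for Fixed
};

struct Interval {
    int start, end;          // half-open range [start, end)
    std::vector<Use> uses;
};

struct FixedTemp {
    int pos;  // position at which the temp is live
    int reg;  // register the temp is pinned to
};

// Old heuristic (the defect): an interval no longer than one instruction is
// "minimal" regardless of how many uses it carries.
bool minimalIntervalOld(const Interval& iv) {
    return iv.end - iv.start <= 2;
}

// Fixed heuristic: an interval carrying several uses, at least one of them
// fixed, will still be split at its register uses, so it is not minimal.
bool minimalIntervalNew(const Interval& iv) {
    bool fixed = false;
    for (const Use& u : iv.uses)
        if (u.policy == Policy::Fixed) fixed = true;
    if (iv.uses.size() > 1 && fixed)
        return false;
    return iv.end - iv.start <= 2;
}

// Does assigning `reg` to `iv` collide with a temp pinned to `reg` at a
// position inside the interval's range?
bool conflictsWithFixedTemp(const Interval& iv, int reg,
                            const std::vector<FixedTemp>& temps) {
    for (const FixedTemp& t : temps)
        if (t.reg == reg && t.pos >= iv.start && t.pos < iv.end)
            return true;
    return false;
}

// Simplified split: one piece per use, each covering just that use.
std::vector<Interval> splitAtAllRegisterUses(const Interval& iv) {
    std::vector<Interval> pieces;
    for (const Use& u : iv.uses)
        pieces.push_back(Interval{u.pos, u.pos + 1, {u}});
    return pieces;
}

// Assumed scenario: the divisor vreg has a Fixed use in r1 at the input
// position (10) and an Any use at the output position (11) for the
// safepoint; the instruction also has a temp pinned to r1 at position 11.
Interval divisorInterval() {
    return Interval{10, 12, {{10, Policy::Fixed, 1}, {11, Policy::Any, 0}}};
}
std::vector<FixedTemp> softDivTemps() { return {{11, 1}}; }

// True when the corrected check avoids the conflict the old check produced.
bool fixAvoidsConflict() {
    Interval iv = divisorInterval();
    std::vector<FixedTemp> temps = softDivTemps();
    // Old path: treated as minimal, so the whole interval is pinned to r1
    // and overlaps the r1 temp at the output position.
    bool oldConflict = minimalIntervalOld(iv) && conflictsWithFixedTemp(iv, 1, temps);
    // New path: not minimal, so it is split; only the Fixed piece needs r1,
    // and the Any piece at the output can be given another register.
    bool newConflict = false;
    if (!minimalIntervalNew(iv)) {
        for (const Interval& piece : splitAtAllRegisterUses(iv)) {
            if (piece.uses[0].policy == Policy::Fixed)
                newConflict = newConflict ||
                    conflictsWithFixedTemp(piece, piece.uses[0].reg, temps);
        }
    }
    return oldConflict && !newConflict;
}

int main() {
    std::cout << "old check minimal: " << minimalIntervalOld(divisorInterval())
              << ", new check minimal: " << minimalIntervalNew(divisorInterval())
              << ", fix avoids conflict: " << fixAvoidsConflict() << "\n";
    return 0;
}
```

The point the model isolates is consistency between two decisions: whatever minimalInterval declares unsplittable must really be something the splitting routine would not break up, otherwise the allocator pins a range to a fixed register that a temp already occupies at one of its positions, which is exactly what the assertion at line 572 catches.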
Attached patch patch — Splinter Review
Oops, wrong patch.
Attachment #8561132 - Attachment is obsolete: true
Attachment #8561132 - Flags: review?(sunfish)
Attachment #8561133 - Flags: review?(sunfish)
Comment on attachment 8561133 [details] [diff] [review]
patch

Review of attachment 8561133 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/BacktrackingAllocator.cpp
@@ +1677,5 @@
>              *pfixed = reg.def()->policy() == LDefinition::FIXED && reg.def()->output()->isRegister();
>          return minimalDef(interval, reg.ins());
>      }
>  
> +    bool fixed = false, minimal = false, multiple = false;;
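
Review bot: beyond the doubled semicolon on the `+` line, the three flags `fixed`, `minimal`, `multiple` are declared together on one line with nothing saying what they gate; a one-line comment stating the rule from the patch description (an interval with multiple uses, at least one of them fixed, is not minimal because splitAtAllRegisterUses will split it) would keep minimalInterval and splitAtAllRegisterUses visibly in sync, which is what the assertion at BacktrackingAllocator.cpp:572 depends on.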

Style nit: duplicate semicolon.
Attachment #8561133 - Flags: review?(sunfish) → review+
https://hg.mozilla.org/mozilla-central/rev/162e8e32b182
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38