1138073 - Assertion failure: test->input() == value, at js/src/jit/IonAnalysis.cpp:160

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision b94bcbc389e8 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2):

function f0(p0) {
    var v0;
    if (f0())
        v0 = p0;
    return v0;
}
f0(0);



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff6852700 (LWP 15670)]
0x0000000000867fff in UpdateTestSuccessors (alloc=..., block=0x1b1d7b0, value=0x1b1dbf8, ifTrue=0x1b1e268, ifFalse=0x1b1f6c0, existingPred=0x1b1ea78) at js/src/jit/IonAnalysis.cpp:160
160	        MOZ_ASSERT(test->input() == value);
#0  0x0000000000867fff in UpdateTestSuccessors (alloc=..., block=0x1b1d7b0, value=0x1b1dbf8, ifTrue=0x1b1e268, ifFalse=0x1b1f6c0, existingPred=0x1b1ea78) at js/src/jit/IonAnalysis.cpp:160
#1  0x000000000087138e in MaybeFoldAndOrBlock (initialBlock=0x1b1d7b0, graph=...) at js/src/jit/IonAnalysis.cpp:387
#2  js::jit::FoldTests (graph=...) at js/src/jit/IonAnalysis.cpp:409
#3  0x00000000008b01c8 in js::jit::OptimizeMIR (mir=mir@entry=0x1b1bd88) at js/src/jit/Ion.cpp:1163
#4  0x00000000008c9680 in js::jit::CompileBackEnd (mir=0x1b1bd88) at js/src/jit/Ion.cpp:1580
#5  0x00000000005e138d in js::HelperThread::handleIonWorkload (this=this@entry=0x1a17690) at js/src/vm/HelperThreads.cpp:1091
#6  0x00000000005e235e in js::HelperThread::threadLoop (this=0x1a17690) at js/src/vm/HelperThreads.cpp:1387
#7  0x0000000000663bb1 in nspr::Thread::ThreadRoutine (arg=0x1a1a220) at js/src/vm/PosixNSPR.cpp:45
#8  0x00007ffff7bc4e9a in start_thread (arg=0x7ffff6852700) at pthread_create.c:308
#9  0x00007ffff6cc02ed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#10 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x1b1d7b0	28432304
rcx	0x7ffff6cb2f4d	140737333899085
rdx	0x0	0
rsi	0x7ffff6f86a80	140737336863360
rdi	0x7ffff6f85180	140737336856960
rbp	0x7ffff6851700	140737329305344
rsp	0x7ffff68516c0	140737329305280
r8	0x7ffff6852700	140737329309440
r9	0x1b1f6c0	28440256
r10	0x7ffff6851450	140737329304656
r11	0x7ffff6c3a940	140737333406016
r12	0x1b1e268	28435048
r13	0x1b1f6c0	28440256
r14	0x1b1ea78	28437112
r15	0x1b1e750	28436304
rip	0x867fff <UpdateTestSuccessors(js::jit::TempAllocator&, js::jit::MBasicBlock*, js::jit::MDefinition*, js::jit::MBasicBlock*, js::jit::MBasicBlock*, js::jit::MBasicBlock*)+463>
=> 0x867fff <UpdateTestSuccessors(js::jit::TempAllocator&, js::jit::MBasicBlock*, js::jit::MDefinition*, js::jit::MBasicBlock*, js::jit::MBasicBlock*, js::jit::MBasicBlock*)+463>:	movl   $0xa0,0x0
   0x86800a <UpdateTestSuccessors(js::jit::TempAllocator&, js::jit::MBasicBlock*, js::jit::MDefinition*, js::jit::MBasicBlock*, js::jit::MBasicBlock*, js::jit::MBasicBlock*)+474>:	callq  0x404ac0 <abort@plt>

Comment 1

[Brian Hackett [Laid off!]]

Attachment: patch

Comment 2

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150226031912" and the hash "71a08ff0d27c".
The "bad" changeset has the timestamp "20150226043516" and the hash "670bdd1f10a7".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=71a08ff0d27c&tochange=670bdd1f10a7

Comment 3

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/25324890f496

Comment 4

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/25324890f496