Closed Bug 1158632 Opened 10 years ago Closed 10 years ago

Assertion failure: exprStack == stackDepth, at jit/Recover.cpp

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla44
Tracking Flags:
Tracking Status
firefox40 --- affected
firefox44 --- fixed

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

stack
4.74 KB, text/plain
Details
IonBuilder TableSwitch, fill-the-gap cases should bail at the PC of the default block.
3.24 KB, patch
h4writer
: review+
Details | Diff | Splinter Review
for (var j = 0; j < 1; ++j) { (function() { function f(x) { x = 4294967295 >>> 4294967295 % x switch (-1) { case 1: case -1: x = 0 } } return f; }())() } asserts js debug shell on m-c changeset f214df6ac75f with --fuzzing-safe --no-threads --ion-eager at Assertion failure: exprStack == stackDepth, at jit/Recover.cpp. Configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r f214df6ac75f Due to skipped revisions, the first bad revision could be any of: changeset: https://hg.mozilla.org/mozilla-central/rev/79097ed14588 user: Nicolas B. Pierron date: Fri Oct 03 14:25:59 2014 +0200 summary: Bug 1072188 - IonMonkey: Split truncate function. r=sunfish changeset: https://hg.mozilla.org/mozilla-central/rev/e25f541006dc user: Nicolas B. Pierron date: Fri Oct 03 14:25:59 2014 +0200 summary: Bug 1072188 - Recover truncated instruction. r=sunfish Nicolas, is bug 1072188 a likely regressor?
Flags: needinfo?(nicolas.b.pierron)
Attached file stack
(lldb) bt 5 * thread #1: tid = 0x81802c, 0x00000001005ec3be js-dbg-64-dm-nsprBuild-darwin-f214df6ac75f`js::jit::MResumePoint::writeRecoverData(this=0x0000000101eca8d0, writer=<unavailable>) const + 958 at Recover.cpp:107, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x00000001005ec3be js-dbg-64-dm-nsprBuild-darwin-f214df6ac75f`js::jit::MResumePoint::writeRecoverData(this=0x0000000101eca8d0, writer=<unavailable>) const + 958 at Recover.cpp:107 frame #1: 0x000000010067cb0c js-dbg-64-dm-nsprBuild-darwin-f214df6ac75f`js::jit::CodeGeneratorShared::encode(js::jit::LRecoverInfo*) + 9 at Snapshots.cpp:715 frame #2: 0x000000010067cb03 js-dbg-64-dm-nsprBuild-darwin-f214df6ac75f`js::jit::CodeGeneratorShared::encode(this=0x0000000101ed5000, recover=0x0000000101ed01c0) + 227 at CodeGenerator-shared.cpp:492 frame #3: 0x000000010067cd21 js-dbg-64-dm-nsprBuild-darwin-f214df6ac75f`js::jit::CodeGeneratorShared::encode(this=0x0000000101ed5000, snapshot=0x0000000101ed0228) + 49 at CodeGenerator-shared.cpp:506 frame #4: 0x000000010070b99f js-dbg-64-dm-nsprBuild-darwin-f214df6ac75f`void js::jit::CodeGeneratorX86Shared::bailout<js::jit::BailoutLabel>(this=0x0000000101ed5000, binder=0x00007fff5fbfe4a0, snapshot=0x0000000101ed0228) + 31 at CodeGenerator-x86-shared.cpp:497 (lldb)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision be81b8d6fae9).
This still reproduces for me with m-c rev ffa83d153080.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
When instructions which might fail are added in fill-the-gap blocks, we expect the be able to encode snapshots. In this case we were trying to encode a snapshot which had one extra argument. The reason is that the switch cases encoded by the bytecode emitter expect us to pop the tested variable. Which means that the current scheme used for creating a new block at the same pc as the end of the previous case statement is effectively expecting one less local on the stack frame. This patch changes the creation of the fill-the-gap blocks such that we create them with the basic block of the default case instead of the basic block of the end of the previous case. Note: we cannot use the default case as a successor as the MIRGraph only expects blocks to appear only once in the list predecessors, and doing so would effectively register the MTableSwitch block multiple times.
Attachment #8676410 - Flags: review?(hv1989)
Flags: needinfo?(nicolas.b.pierron)
Comment on attachment 8676410 [details] [diff] [review] IonBuilder TableSwitch, fill-the-gap cases should bail at the PC of the default block. Review of attachment 8676410 [details] [diff] [review]: ----------------------------------------------------------------- Wow, good catch! Note: I was totally confused by your commit comment. The comment suggested to me that we would now start bailing when we encountered the 'fill-the-gap' case. Can you update your commit comment to: Bug 1158632 - IonBuilder TableSwitch, fill-the-gap case should encode the PC of the default block. r=
Attachment #8676410 - Flags: review?(hv1989) → review+
https://hg.mozilla.org/mozilla-central/rev/105c07e0c6ad
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: