Closed Bug 1165262 Opened 9 years ago Closed 9 years ago

Assertion failure: opIter != block->end() (Operand in same block as instruction does not precede), at js/src/jit/IonAnalysis.cpp:2209

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1154971
Tracking Flags:
Tracking Status
firefox41 --- disabled

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect]) 

The following testcase crashes on mozilla-central revision d8420a541d1c+ (patch from bug 923717, build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):

function f(x, y) {
  return Math.imul(0, Math.imul(y | 0, x >> 0))
}
try {
  (f(1 ? 0 : undefined))()
} catch(Math) {}
while (true) {}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff64c7700 (LWP 37532)]
0x00000000008e883a in js::jit::AssertExtendedGraphCoherency (graph=...) at js/src/jit/IonAnalysis.cpp:2208
#0  0x00000000008e883a in js::jit::AssertExtendedGraphCoherency (graph=...) at js/src/jit/IonAnalysis.cpp:2208
#1  0x00000000008fdb9c in js::jit::AccountForCFGChanges (mir=0x7ffff5102258, graph=..., updateAliasAnalysis=<optimized out>) at js/src/jit/IonAnalysis.cpp:1518
#2  0x0000000000a30585 in js::jit::ValueNumberer::run (this=this@entry=0x7ffff64c6ba0, updateAliasAnalysis=updateAliasAnalysis@entry=js::jit::ValueNumberer::UpdateAliasAnalysis) at js/src/jit/ValueNumbering.cpp:1126
#3  0x000000000091e72d in js::jit::OptimizeMIR (mir=mir@entry=0x7ffff5102258) at js/src/jit/Ion.cpp:1339
#4  0x000000000091e853 in js::jit::CompileBackEnd (mir=0x7ffff5102258) at js/src/jit/Ion.cpp:1616
#5  0x0000000000637da2 in js::HelperThread::handleIonWorkload (this=this@entry=0x7ffff694c420) at js/src/vm/HelperThreads.cpp:1126
#6  0x00000000006395d7 in js::HelperThread::threadLoop (this=0x7ffff694c420) at js/src/vm/HelperThreads.cpp:1422
#7  0x00000000006a9fb1 in nspr::Thread::ThreadRoutine (arg=0x7ffff6930200) at js/src/vm/PosixNSPR.cpp:45
#8  0x00007ffff7bc4182 in start_thread (arg=0x7ffff64c7700) at pthread_create.c:312
#9  0x00007ffff6cb3fbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
rax	0x0	0
rbx	0x7ffff5104cd0	140737304874192
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7ffff64c69c0	140737325590976
rsp	0x7ffff64c6960	140737325590880
r8	0x7ffff64c7700	140737325594368
r9	0x6568637461702d6c	7307199746910727532
r10	0x7ffff64c6720	140737325590304
r11	0x7ffff6c27960	140737333328224
r12	0x1	1
r13	0x7ffff5105aa0	140737304877728
r14	0x0	0
r15	0x7ffff5104d00	140737304874240
rip	0x8e883a <js::jit::AssertExtendedGraphCoherency(js::jit::MIRGraph&)+1754>
=> 0x8e883a <js::jit::AssertExtendedGraphCoherency(js::jit::MIRGraph&)+1754>:	movl   $0x8a1,0x0
   0x8e8845 <js::jit::AssertExtendedGraphCoherency(js::jit::MIRGraph&)+1765>:	callq  0x48ef30 <abort()>
I did not managed to reproduce this issue so far. I tried to use rr with different scheduling parameters, but I still failed to reproduce this issue after ~600 attempts.

Also, this issue definitely looks like Bug 1154971, are you sure that patches are correctly applied on the latest version?  Does Bug 1154971 test case reproduce with revision d8420a541d1c+ ?
Closing as duplicate of bug 1154971. I don't have the original build anymore but the testcases look similar enough to assume that it's the same bug. Also, d8420a541d1 is older than the fix revision in that other bug.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.