1169460 - Assertion failure: !minimalBundle(bundle), at jit/BacktrackingAllocator.cpp

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

function m(f) {
    for (var j = 0; j < 1; ++j) {
        try {
            f()
        } catch (e) {}
    }
}
function f() {
    g(2() ? 0 : 1)
}
m(f)
g = function(y) {
    w ? y / (x >> 0) : h
}
m(g)

asserts js debug shell on m-c changeset e537a1ba501b with --fuzzing-safe --no-threads --ion-eager at Assertion failure: !minimalBundle(bundle), at jit/BacktrackingAllocator.cpp.

Configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build --32 --enable-arm-simulator" -r e537a1ba501b

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/261cadb83015
user:        Brian Hackett
date:        Mon May 18 20:20:14 2015 -0600
summary:     Bug 1067610 - Refactor backtracking allocator to handle grouped registers better, r=sunfish.

Brian, is bug 1067610 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0xe5c14, 0x003ca6bb js-dbg-32-dm-nsprBuild-armSim-darwin-e537a1ba501b`js::jit::BacktrackingAllocator::processBundle(this=<unavailable>, bundle=<unavailable>) + 955 at BacktrackingAllocator.cpp:1280, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x003ca6bb js-dbg-32-dm-nsprBuild-armSim-darwin-e537a1ba501b`js::jit::BacktrackingAllocator::processBundle(this=<unavailable>, bundle=<unavailable>) + 955 at BacktrackingAllocator.cpp:1280
    frame #1: 0x003c9481 js-dbg-32-dm-nsprBuild-armSim-darwin-e537a1ba501b`js::jit::BacktrackingAllocator::go(this=0xbfffd4d8) + 433 at BacktrackingAllocator.cpp:822
    frame #2: 0x005023db js-dbg-32-dm-nsprBuild-armSim-darwin-e537a1ba501b`js::jit::GenerateLIR(mir=<unavailable>) + 1723 at Ion.cpp:1546
    frame #3: 0x005027dc js-dbg-32-dm-nsprBuild-armSim-darwin-e537a1ba501b`js::jit::CompileBackEnd(mir=0x01dbe150) + 76 at Ion.cpp:1615
    frame #4: 0x005051ca js-dbg-32-dm-nsprBuild-armSim-darwin-e537a1ba501b`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) [inlined] js::jit::IonCompile(script=<unavailable>) + 14 at Ion.cpp:1980
(lldb)

Comment 2

[Brian Hackett [Laid off!]]

Attachment: patch

minimalBundle could return true for a bundle that can actually be split up further, due to overly restrictive constraints in minimalUse.

Comment 3

[Brian Hackett [Laid off!]]

Attachment: patch

Oops, the first patch had some debugging code.

Comment 4

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/43d4ff5c6553

Comment 5

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/43d4ff5c6553