Closed Bug 1190002 Opened 9 years ago Closed 9 years ago

Assertion failure: HasSSE2(), at jit/x86-shared/Assembler-x86-shared.h

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla42
Tracking Flags:
Tracking Status
firefox42 --- fixed

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

stack
5.06 KB, text/plain
Details
patch
795 bytes, patch
jandem
: review+
Details | Diff | Splinter Review 
// Randomly chosen test: js/src/jit-test/tests/ion/lsra-bug1112164.js
function f() {
    return [Math.tan(1, 1)];
}
for (var x = 0; x < 99; x++) {
    f();
}

asserts js debug shell on m-c changeset afa67b6957bb with --fuzzing-safe --no-threads --ion-eager --unboxed-arrays --no-fpu at Assertion failure: HasSSE2(), at jit/x86-shared/Assembler-x86-shared.h

Configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build --32" -r afa67b6957bb

autoBisect is running.
Flags: needinfo?
Attached file stack 
(lldb) bt 5
* thread #1: tid = 0x9456c, 0x00862da6 js-dbg-32-dm-nsprBuild-darwin-afa67b6957bb`js::jit::AssemblerX86Shared::vxorpd(this=<unavailable>, src1=(reg_ = xmm7, type_ = Double, isInvalid_ = false), src0=(reg_ = xmm7, type_ = Double, isInvalid_ = false), dest=(reg_ = xmm7, type_ = Double, isInvalid_ = false)) + 198 at Assembler-x86-shared.h:2741, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00862da6 js-dbg-32-dm-nsprBuild-darwin-afa67b6957bb`js::jit::AssemblerX86Shared::vxorpd(this=<unavailable>, src1=(reg_ = xmm7, type_ = Double, isInvalid_ = false), src0=(reg_ = xmm7, type_ = Double, isInvalid_ = false), dest=(reg_ = xmm7, type_ = Double, isInvalid_ = false)) + 198 at Assembler-x86-shared.h:2741
    frame #1: 0x007511b8 js-dbg-32-dm-nsprBuild-darwin-afa67b6957bb`void js::jit::MacroAssembler::storeUnboxedProperty<js::jit::BaseIndex>(js::jit::BaseIndex, JSValueType, js::jit::ConstantOrRegister, js::jit::Label*) [inlined] js::jit::MacroAssemblerX86Shared::zeroDouble(js::jit::FloatRegister) + 1512 at MacroAssembler-x86-shared.h:904
    frame #2: 0x00751186 js-dbg-32-dm-nsprBuild-darwin-afa67b6957bb`void js::jit::MacroAssembler::storeUnboxedProperty<js::jit::BaseIndex>(js::jit::BaseIndex, JSValueType, js::jit::ConstantOrRegister, js::jit::Label*) [inlined] js::jit::MacroAssemblerX86Shared::convertInt32ToDouble(js::jit::Register, js::jit::FloatRegister) at MacroAssembler-x86-shared.h:656
    frame #3: 0x00751186 js-dbg-32-dm-nsprBuild-darwin-afa67b6957bb`void js::jit::MacroAssembler::storeUnboxedProperty<js::jit::BaseIndex>(js::jit::BaseIndex, JSValueType, js::jit::ConstantOrRegister, js::jit::Label*) [inlined] js::jit::MacroAssemblerX86::int32ValueToDouble(js::jit::ValueOperand const&, js::jit::FloatRegister) at MacroAssembler-x86.h:976
    frame #4: 0x00751186 js-dbg-32-dm-nsprBuild-darwin-afa67b6957bb`void js::jit::MacroAssembler::storeUnboxedProperty<js::jit::BaseIndex>(this=0xbfffe2a8, address=BaseIndex at 0xbfffe0d4, type=JSVAL_TYPE_DOUBLE, value=ConstantOrRegister at 0xbfffe0e8, failure=<unavailable>) + 1462 at MacroAssembler.cpp:961
(lldb)
Flags: needinfo?
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/57dce88fc620
user:        Brian Hackett
date:        Tue May 26 16:29:19 2015 -0600
summary:     Bug 1165392, Bug 1165463 - Various unboxed array fixes and optimizations, r=jandem.

Brian, is bug 1165392 or bug 1165463 a likely regressor?
Blocks: 1165463, 1165392
Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review 
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)

        Attachment #8643766 -
        Flags: review?(jdemooij)

        Attachment #8643766 -
        Flags: review?(jdemooij) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/1a410d6cb2ba
Status: NEW → RESOLVED
Closed: 9 years ago

          status-firefox42:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla42

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: