1199581 - Assertion failure: HasSSE2(), at jit/x86-shared/Assembler-x86-shared.h

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Object.getOwnPropertyNames(this);

asserts js debug shell on m-c changeset 87e23922be37 with --fuzzing-safe --no-threads --no-fpu -D at Assertion failure: HasSSE2(), at jit/x86-shared/Assembler-x86-shared.h

Configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build --32" -r 87e23922be37

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150826114205" and the hash "84ff0f8456e79d3c0f297c133e90de81fd75028c".
The "bad" changeset has the timestamp "20150826114910" and the hash "8b68a9f000b3cc4c94af015823aa475b9c86c31f".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=84ff0f8456e79d3c0f297c133e90de81fd75028c&tochange=8b68a9f000b3cc4c94af015823aa475b9c86c31f

Nicolas, is bug 1190446 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This completely blocks fuzzing 32-bit builds with --no-fpu and -D.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x21706a, 0x008d2d76 js-dbg-32-dm-nsprBuild-darwin-87e23922be37`js::jit::AssemblerX86Shared::vaddsd(this=<unavailable>, src1=(reg_ = xmm1, type_ = Single, isInvalid_ = false), src0=(reg_ = xmm0, type_ = Single, isInvalid_ = false), dest=(reg_ = xmm0, type_ = Single, isInvalid_ = false)) + 198 at Assembler-x86-shared.h:2747, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x008d2d76 js-dbg-32-dm-nsprBuild-darwin-87e23922be37`js::jit::AssemblerX86Shared::vaddsd(this=<unavailable>, src1=(reg_ = xmm1, type_ = Single, isInvalid_ = false), src0=(reg_ = xmm0, type_ = Single, isInvalid_ = false), dest=(reg_ = xmm0, type_ = Single, isInvalid_ = false)) + 198 at Assembler-x86-shared.h:2747
    frame #1: 0x0051310f js-dbg-32-dm-nsprBuild-darwin-87e23922be37`js::jit::BaselineCompiler::emitCoverage(unsigned char*) [inlined] js::jit::MacroAssemblerX86Shared::addDouble(js::jit::FloatRegister, js::jit::FloatRegister) + 319 at MacroAssembler-x86-shared.h:925
    frame #2: 0x005130e9 js-dbg-32-dm-nsprBuild-darwin-87e23922be37`js::jit::BaselineCompiler::emitCoverage(this=<unavailable>, pc=0x030ca6a9) + 281 at BaselineCompiler.cpp:820
    frame #3: 0x0050e30f js-dbg-32-dm-nsprBuild-darwin-87e23922be37`js::jit::BaselineCompiler::emitBody(this=0x03097100) + 735 at BaselineCompiler.cpp:978
    frame #4: 0x0050c7a5 js-dbg-32-dm-nsprBuild-darwin-87e23922be37`js::jit::BaselineCompiler::compile(this=0xbfffc5c8) + 565 at BaselineCompiler.cpp:102
(lldb)

Comment 3

[Nicolas B. Pierron [:nbp]]

This is likely, and this will disappear as soon as I land Bug 1190454.  Hopefully today.

Comment 4

[Nicolas B. Pierron [:nbp]]

Bug 1190454 replace the double increments by an uint64 increment.
This should solve this issue.

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I'd say this was fixed by bug 1190454.