Closed
Bug 1199898
Opened 9 years ago
Closed 9 years ago
Assertion failure: iter->isInterruptCheck(), at jit/shared/CodeGenerator-shared.cpp or Assertion failure: *iter == ool->lir, at jit/CodeGenerator.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla44
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])
Attachments
(3 files)
do {
for (var a of [{}]) {}
} while (4());
asserts js debug shell on m-c changeset 87e23922be37 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: iter->isInterruptCheck(), at jit/shared/CodeGenerator-shared.cpp
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 87e23922be37
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20150827093137" and the hash "43f374ed42a798f517b3dddb428ad71dbee3786e".
The "bad" changeset has the timestamp "20150827100238" and the hash "55bea2798c68e18837b1c3a6bf3503f721f00c08".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=43f374ed42a798f517b3dddb428ad71dbee3786e&tochange=55bea2798c68e18837b1c3a6bf3503f721f00c08
Trying to get a smaller regression window.Flags: needinfo?
|
Reporter | |
Comment 1•9 years ago
|
||
do {
for (var a of [0, {}]) {}
} while (4() && 0);
This variant asserts at Assertion failure: *iter == ool->lir, at jit/CodeGenerator.cppFlags: needinfo?
Summary: Assertion failure: iter->isInterruptCheck(), at jit/shared/CodeGenerator-shared.cpp → Assertion failure: iter->isInterruptCheck(), at jit/shared/CodeGenerator-shared.cpp or Assertion failure: *iter == ool->lir, at jit/CodeGenerator.cpp
|
|
Reporter | |
Comment 2•9 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x2b5db9, 0x000000010076628b js-dbg-64-dm-nsprBuild-darwin-87e23922be37`js::jit::CodeGeneratorShared::labelForBackedgeWithImplicitCheck(this=<unavailable>, mir=<unavailable>) + 363 at CodeGenerator-shared.cpp:1555, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x000000010076628b js-dbg-64-dm-nsprBuild-darwin-87e23922be37`js::jit::CodeGeneratorShared::labelForBackedgeWithImplicitCheck(this=<unavailable>, mir=<unavailable>) + 363 at CodeGenerator-shared.cpp:1555
frame #1: 0x0000000100509744 js-dbg-64-dm-nsprBuild-darwin-87e23922be37`js::jit::CodeGenerator::getJumpLabelForBranch(this=0x00000001028dd000, block=0x00000001028c8458) + 36 at CodeGenerator.cpp:652
frame #2: 0x0000000100509ebc js-dbg-64-dm-nsprBuild-darwin-87e23922be37`js::jit::CodeGenerator::visitTestVAndBranch(this=0x00000001028dd000, lir=0x0000000103b0bcb8) + 316 at CodeGenerator.cpp:708
frame #3: 0x000000010051ef99 js-dbg-64-dm-nsprBuild-darwin-87e23922be37`js::jit::CodeGenerator::generateBody(this=0x00000001028dd000) + 985 at CodeGenerator.cpp:4129
frame #4: 0x00000001005384fa js-dbg-64-dm-nsprBuild-darwin-87e23922be37`js::jit::CodeGenerator::generate(this=0x00000001028dd000) + 458 at CodeGenerator.cpp:7803
(lldb)|
|
Reporter | |
Comment 3•9 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x2b621e, 0x0000000100511761 js-dbg-64-dm-nsprBuild-darwin-87e23922be37`js::jit::CodeGenerator::visitOutOfLineInterruptCheckImplicit(this=<unavailable>, ool=<unavailable>) + 433 at CodeGenerator.cpp:1982, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0000000100511761 js-dbg-64-dm-nsprBuild-darwin-87e23922be37`js::jit::CodeGenerator::visitOutOfLineInterruptCheckImplicit(this=<unavailable>, ool=<unavailable>) + 433 at CodeGenerator.cpp:1982
frame #1: 0x00000001007603b8 js-dbg-64-dm-nsprBuild-darwin-87e23922be37`js::jit::CodeGeneratorShared::generateOutOfLineCode(this=0x00000001028dd000) + 392 at CodeGenerator-shared.cpp:182
frame #2: 0x00000001007a8e17 js-dbg-64-dm-nsprBuild-darwin-87e23922be37`js::jit::CodeGeneratorX86Shared::generateOutOfLineCode(this=0x00000001028dd000) + 23 at CodeGenerator-x86-shared.cpp:403
frame #3: 0x0000000100538548 js-dbg-64-dm-nsprBuild-darwin-87e23922be37`js::jit::CodeGenerator::generate(this=0x00000001028dd000) + 536 at CodeGenerator.cpp:7825
frame #4: 0x00000001005a3adf js-dbg-64-dm-nsprBuild-darwin-87e23922be37`js::jit::GenerateCode(mir=0x00000001028c7258, lir=0x0000000103b09240) + 303 at Ion.cpp:1835
(lldb)|
|
Reporter | |
Comment 4•9 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/59d2f2e62420 user: Brian Hackett date: Thu Aug 27 10:33:34 2015 -0600 summary: Bug 1195545 - Add instruction reordering pass to IonMonkey, r=sunfish. Brian, is bug 1195545 a likely regressor?
Blocks: 1195545
Flags: needinfo?(bhackett1024)
|
|
Reporter | |
Comment 5•9 years ago
|
||
This is happening often enough to merit [fuzzblocker], due to its simplicity.
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
|
Assignee | |
Comment 6•9 years ago
|
||
MBasicBlock::optimizedOutConstant can insert constants before the interrupt check in a loop header, which confuses the instruction reordering pass.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8663335 -
Flags: review?(sunfish)
|
||
Updated•9 years ago
|
Attachment #8663335 -
Flags: review?(sunfish) → review+
https://hg.mozilla.org/mozilla-central/rev/c6488cc76e54
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in
before you can comment on or make changes to this bug.
Description
•