1201469 - Assertion failure: resume->block() == *block, at jit/IonAnalysis.cpp

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

f = (function() {
    "use asm";
    var a;
    function f() {
        var b = -1;
    }
    return f;
})();
for (var j = 0; j < 1; ++j)
    f();
setJitCompilerOption('ion.forceinlineCaches', 1);
Math.fround(
    Math.fround()
);
for (var j = 0; j < 1; ++j)
    (function() {})();

asserts js debug shell on m-c changeset a6786bf8d71d with --fuzzing-safe --no-threads --ion-eager at Assertion failure: resume->block() == *block, at jit/IonAnalysis.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r a6786bf8d71d

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150814025439" and the hash "2db399cd414f8ca2e70b41d4c36d50fa0a9a8d87".
The "bad" changeset has the timestamp "20150814034639" and the hash "d791ba00bf065740fc504329a1075f5132cdc800".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=2db399cd414f8ca2e70b41d4c36d50fa0a9a8d87&tochange=d791ba00bf065740fc504329a1075f5132cdc800

Hannes, is bug 1171945 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x440165, 0x000000010059a75e js-dbg-64-dm-nsprBuild-darwin-a6786bf8d71d`js::jit::AssertBasicGraphCoherency(graph=<unavailable>) + 4126 at IonAnalysis.cpp:1945, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010059a75e js-dbg-64-dm-nsprBuild-darwin-a6786bf8d71d`js::jit::AssertBasicGraphCoherency(graph=<unavailable>) + 4126 at IonAnalysis.cpp:1945
    frame #1: 0x000000010059b98a js-dbg-64-dm-nsprBuild-darwin-a6786bf8d71d`js::jit::AssertGraphCoherency(graph=0x00000001028c7040) + 42 at IonAnalysis.cpp:2056
    frame #2: 0x000000010059c99d js-dbg-64-dm-nsprBuild-darwin-a6786bf8d71d`js::jit::AssertExtendedGraphCoherency(graph=0x00000001028c7040) + 45 at IonAnalysis.cpp:2143
    frame #3: 0x0000000100598567 js-dbg-64-dm-nsprBuild-darwin-a6786bf8d71d`js::jit::OptimizeMIR(mir=0x00000001028c7258) + 2951 at Ion.cpp:1567
    frame #4: 0x00000001005a201f js-dbg-64-dm-nsprBuild-darwin-a6786bf8d71d`js::jit::CompileBackEnd(mir=0x00000001028c7258) + 63 at Ion.cpp:1850
(lldb)

Comment 2

[Hannes Verschore [:h4writer]]

Attachment: Don't do the float32 optimization when not specialized

In the blamed patch I made it possible to force MBinaryArithInstruction to have no "specialization". In that case we will do a VMCall and have a resume point. The float32 optimization doesn't look at it and will just overwrite the specialization_. (As a result we think there is no resume point and this is a movable instruction. Which it actually isn't.). Disable float32 optimization to overwrite the specialization if that is set to MIRType_None.

Comment 3

[Benjamin Bouvier [:bbouvier] (inactive)]

Comment on attachment 8658093 [details] [diff] [review]
Don't do the float32 optimization when not specialized

Review of attachment 8658093 [details] [diff] [review]:
-----------------------------------------------------------------

OK, can you add the test please?

Comment 4

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/6305e8ca4f6b

Comment 5

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/6305e8ca4f6b