Closed
Bug 1256702
Opened 8 years ago
Closed 8 years ago
Assertion failure: snapshot_.numAllocationsRead() == numAllocations(), at /home/h4writer/Build/mozilla-inbound/js/src/jit/JitFrameIterator.h:499
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
mozilla48
| Tracking | Status | |
|---|---|---|
| firefox48 | --- | fixed |
People
(Reporter: h4writer, Assigned: nbp)
References
Details
Attachments
(2 files)
|
639 bytes,
patch
|
Details | Diff | Splinter Review | |
|
1.23 KB,
patch
|
h4writer
:
review+
|
Details | Diff | Splinter Review |
Nicolas explained that bailing in LEncodeSnapshot should fail, but it does currently:
python jit-test/jit_test.py --tbpl $JS/dist/bin/js recover.js
Assertion failure: snapshot_.numAllocationsRead() == numAllocations(), at /home/h4writer/Build/mozilla-inbound/js/src/jit/JitFrameIterator.h:499
Program received signal SIGSEGV, Segmentation fault.
0x083b89a7 in js::jit::SnapshotIterator::nextInstruction (this=0xbfffddf4) at /home/h4writer/Build/mozilla-inbound/js/src/jit/JitFrameIterator.h:499
499 MOZ_ASSERT(snapshot_.numAllocationsRead() == numAllocations());
(gdb) bt
#0 0x083b89a7 in js::jit::SnapshotIterator::nextInstruction (this=0xbfffddf4) at /home/h4writer/Build/mozilla-inbound/js/src/jit/JitFrameIterator.h:499
#1 0x083aba73 in js::jit::SnapshotIterator::computeInstructionResults (this=0xbfffdf44, cx=0xb7a74020, results=0xbfffe5dc) at /home/h4writer/Build/mozilla-inbound/js/src/jit/JitFrames.cpp:2126
#2 0x083ab6d2 in js::jit::SnapshotIterator::initInstructionResults (this=0xbfffe19c, fallback=...) at /home/h4writer/Build/mozilla-inbound/js/src/jit/JitFrames.cpp:2077
#3 0x08b0e822 in SnapshotIteratorForBailout::init (this=0xbfffe19c, cx=0xb7a74020) at /home/h4writer/Build/mozilla-inbound/js/src/jit/BaselineBailouts.cpp:439
#4 0x08ac8def in js::jit::BailoutIonToBaseline (cx=0xb7a74020, activation=0xbfffe568, iter=..., invalidate=false, bailoutInfo=0xbfffe344, excInfo=0x0)
at /home/h4writer/Build/mozilla-inbound/js/src/jit/BaselineBailouts.cpp:1508
#5 0x08a8fa51 in js::jit::Bailout (sp=0xbfffe348, bailoutInfo=0xbfffe344) at /home/h4writer/Build/mozilla-inbound/js/src/jit/Bailouts.cpp:56
#6 0xb7fca5e2 in ?? ()
#7 0xb7aae208 in ?? ()
#8 0xb7fcaae3 in ?? ()
(gdb)
snapshot_.numAllocationsRead() = 0
numAllocations() = 1
Not sure what is going on?
|
Reporter | |
Comment 1•8 years ago
|
||
This patch adds a bailout at the said instruction. @nbp: can you take a look?
Flags: needinfo?(nicolas.b.pierron)
|
Assignee | |
Comment 2•8 years ago
|
||
I will investigate this issue tomorrow.
|
|
Assignee | |
Comment 3•8 years ago
|
||
This is a testing infrastructure issue. found the issue by looking at the code. The problem comes from the fact that RAssertRecoveredOnBailout has one operand the we check when we encode the instruction, but we do not read it from the stack snapshot when we recover the RAssertRecoveredOnBailout. Thus this should be a trivial fix, I will upload a patch in a few minutes.
Assignee: nobody → nicolas.b.pierron
|
|
Assignee | |
Comment 4•8 years ago
|
||
I double checked, the test case failed the same way in debug builds. By making a bailout with the resume point which encode the MAssertRecoveredOnBailout instruction.
Attachment #8731193 -
Flags: review?(hv1989)
|
|
Reporter | |
Updated•8 years ago
|
Attachment #8731193 -
Flags: review?(hv1989) → review+
|
|
Assignee | |
Updated•8 years ago
|
Flags: needinfo?(nicolas.b.pierron)
|
||
Comment 6•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/a571bba8cecd
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox48:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
You need to log in
before you can comment on or make changes to this bug.
Description
•