Assertion failure: !isFloat(), at js/src/jit/RegisterSets.h:47

Status: RESOLVED WORKSFORME

Product: Core
Component: JavaScript Engine: JIT
Priority: --
Severity: critical
Reported: 2 years ago
Modified: a year ago

People

Reporter: g.trentalancia
Assignee: Unassigned

Tracking

Version: 45 Branch
Points: ---

Firefox Tracking Flags: (Not tracked)

Attachments: 6 attachments, 2 obsolete attachments

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160317220330

Steps to reproduce:

Install firefox 45.0.1 from the build tree (make install)


Actual results:

make install

make[1]: Entering directory "/home/guido/new/build-firefox-45.0.1/browser/installer"
OMNIJAR_NAME=omni.ja \
NO_PKG_FILES="core bsdecho js js-config jscpucfg nsinstall viewer TestGtkEmbed elf-dynstr-gc mangle* maptsv* mfc* msdump* msmap* nm2tsv* nsinstall* res/samples res/throbber shlibsign* certutil* pk12util* BadCertServer* OCSPStaplingServer* GenerateOCSPResponse* chrome/chrome.rdf chrome/app-chrome.manifest chrome/overlayinfo components/compreg.dat components/xpti.dat content_unit_tests necko_unit_tests *.dSYM " \
/home/guido/new/build-firefox-45.0.1/_virtualenv/bin/python /home/guido/new/firefox-45.0.1/toolkit/mozapps/installer/packager.py -DMOZ_APP_NAME=firefox -DPREF_DIR=defaults/preferences -DMOZ_DEBUG=1 -DMOZ_GTK=1 -DMOZ_NATIVE_NSPR=1 -DMOZ_NATIVE_NSS=1 -DJAREXT= -DMOZ_CHILD_PROCESS_NAME=plugin-container -DDLL_PREFIX=lib -DDLL_SUFFIX=.so -DBIN_SUFFIX= -DDIR_MACOS= -DDIR_RESOURCES= -DBINPATH=bin -DRESPATH=bin -DLPROJ_ROOT=en -DMOZ_ICU_VERSION=56 -DMOZ_NATIVE_ICU -DMOZ_SHARED_ICU -DMOZ_ICU_DBG_SUFFIX= -DHAVE_64BIT_BUILD=1 -DMOZ_ENABLE_PROFILER_SPS=1 -DMOZILLA_VERSION='"45.0.1"' -DMOZILLA_VERSION_U=45.0.1 -DMOZILLA_UAVERSION='"45.0"' -DXP_LINUX=1 -DD_INO=d_ino -DMOZ_DEBUG_SYMBOLS=1 -DSTDC_HEADERS=1 -DHAVE_VISIBILITY_HIDDEN_ATTRIBUTE=1 -DHAVE_VISIBILITY_ATTRIBUTE=1 -DHAVE_DIRENT_H=1 -DHAVE_GETOPT_H=1 -DHAVE_SYS_BITYPES_H=1 -DHAVE_MEMORY_H=1 -DHAVE_UNISTD_H=1 -DHAVE_GNU_LIBC_VERSION_H=1 -DHAVE_NL_TYPES_H=1 -DHAVE_MALLOC_H=1 -DHAVE_X11_XKBLIB_H=1 -DHAVE_IO_H=1 -DHAVE_CPUID_H=1 -DHAVE_SYS_QUOTA_H=1 -DHAVE_SYS_SYSMACROS_H=1 -DHAVE_LINUX_QUOTA_H=1 -DHAVE_LINUX_IF_ADDR_H=1 -DHAVE_LINUX_RTNETLINK_H=1 -DHAVE_SYS_QUEUE_H=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_NETINET_IN_H=1 -DHAVE_BYTESWAP_H=1 -DHAVE_DLOPEN=1 -DHAVE_DLADDR=1 -DHAVE_MEMMEM=1 -DFUNCPROTO=15 -DHAVE_LIBXSS=1 -D_REENTRANT=1 -DHAVE_PTHREAD_H=1 -DHAVE_STAT64=1 -DHAVE_LSTAT64=1 -DHAVE_TRUNCATE64=1 -DHAVE_GMTIME_R=1 -DHAVE_LOCALTIME_R=1 -DHAVE_CLOCK_MONOTONIC=1 -DHAVE_RES_NINIT=1 -DHAVE_LANGINFO_CODESET=1 -DVA_COPY=va_copy -DHAVE_VA_COPY=1 -DHAVE_VA_LIST_AS_ARRAY=1 -DHAVE_THREAD_TLS_KEYWORD=1 -DHAVE_I18N_LC_MESSAGES=1 -DHAVE_LOCALECONV=1 -DMALLOC_H='<malloc.h>' -DHAVE_ALLOCA_H=1 -DHAVE_STRNDUP=1 -DHAVE_POSIX_MEMALIGN=1 -DHAVE_MEMALIGN=1 -DHAVE_MALLOC_USABLE_SIZE=1 -DHAVE_MALLOC_H=1 -DMALLOC_USABLE_SIZE_CONST_PTR='' -DHAVE_VALLOC=1 -DTARGET_XPCOM_ABI='"x86_64-gcc3"' -DRELEASE_BUILD=1 -DMOZ_UPDATE_CHANNEL=no -DMOZ_PHOENIX=1 -DMOZ_BUILD_APP=browser -DMOZ_X11=1 -DMOZ_WIDGET_GTK2=1 -DMOZ_WIDGET_GTK=2 -DMOZ_PDF_PRINTING=1 
-DMOZ_ENABLE_XREMOTE=1 -DMOZ_INSTRUMENT_EVENT_LOOP=1 -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_26 -DGLIB_VERSION_MAX_ALLOWED=GLIB_VERSION_2_26 -DNS_PRINTING=1 -DNS_PRINT_PREVIEW=1 -DMOZ_DISTRIBUTION_ID='"org.mozilla"' -DMOZ_ENABLE_GIO=1 -DMOZ_ENABLE_GCONF=1 -DMOZ_ENABLE_DBUS=1 -DACCESSIBILITY=1 -DMOZ_SAMPLE_TYPE_FLOAT32=1 -DATTRIBUTE_ALIGNED_MAX=64 -DMOZ_WEBM=1 -DMOZ_FFMPEG=1 -DMOZ_FMP4=1 -DMOZ_EME=1 -DMOZ_MEDIA_NAVIGATOR=1 -DMOZ_VPX=1 -DHAVE_LIBVPX=1 -DMOZ_VPX_NO_MEM_REPORTING=1 -DMOZ_WAVE=1 -DMOZ_VORBIS=1 -DMOZ_WEBM_ENCODER=1 -DMOZ_GSTREAMER=1 -DGST_API_VERSION='"1.0"' -DMOZ_PERMISSIONS=1 -DENABLE_SYSTEM_EXTENSION_DIRS=1 -DMOZ_WEBGL_CONFORMANT=1 -DMOZ_CRASHREPORTER_ENABLE_PERCENT=100 -DMOZ_LIBAV_FFT=1 -DMOZ_WEBAPP_RUNTIME=1 -DMOZ_ENABLE_SIGNMAR=1 -DENABLE_TESTS=1 -DGTEST_HAS_RTTI=0 -DMOZ_DISABLE_PARENTAL_CONTROLS=1 -DMOZ_GMP_SANDBOX=1 -DMOZ_SANDBOX=1 -DMOZ_FEEDS=1 -DMOZ_NATIVE_SQLITE=1 -DMOZ_SAFE_BROWSING=1 -DMOZ_URL_CLASSIFIER=1 -DGL_PROVIDER_GLX=1 -DMOZ_STACKWALKING=1 -DMOZ_LOGGING=1 -DFORCE_PR_LOG=1 -DMOZ_GPS_DEBUG=1 -DMOZ_DUMP_PAINTING=1 -DMOZ_GLUE_IN_PROGRAM=1 -DMOZ_MEMORY=1 -DMOZ_MEMORY_DEBUG=1 -DMOZ_MEMORY_LINUX=1 -DMOZ_PAY=1 -DMOZ_ACTIVITIES=1 -DMOZ_SECUREELEMENT=1 -DHAVE___CXA_DEMANGLE=1 -DMOZ_DEMANGLE_SYMBOLS=1 -DHAVE__UNWIND_BACKTRACE=1 -DJS_DEFAULT_JITREPORT_GRANULARITY=3 -DDISABLE_MOZ_RIL_GEOLOC=1 -DMOZ_OMNIJAR=1 -DMOZ_USER_DIR='".mozilla"' -DHAVE_FT_BITMAP_SIZE_Y_PPEM=1 -DHAVE_FT_GLYPHSLOT_EMBOLDEN=1 -DHAVE_FT_LOAD_SFNT_TABLE=1 -DHAVE_FONTCONFIG_FCFREETYPE_H=1 -DHAVE_STDINT_H=1 -DHAVE_INTTYPES_H=1 -DMOZ_ENABLE_SKIA=1 -DUSE_SKIA=1 -DUSE_SKIA_GPU=1 -DMOZ_XUL=1 -DMOZ_PROFILELOCKING=1 -DENABLE_MARIONETTE=1 -DBUILD_CTYPES=1 -DMOZ_PLACES=1 -DMOZ_SOCIAL=1 -DMOZ_SERVICES_COMMON=1 -DMOZ_SERVICES_CRYPTO=1 -DMOZ_SERVICES_HEALTHREPORT=1 -DMOZ_SERVICES_METRICS=1 -DMOZ_SERVICES_SYNC=1 -DMOZ_SERVICES_CLOUDSYNC=1 -DMOZ_JSDOWNLOADS=1 -DMOZ_MACBUNDLE_ID=org.mozilla.nightlydebug -DMOZ_B2G_VERSION='"1.0.0"' -DMOZ_B2G_OS_NAME='""' -DMOZ_APP_UA_NAME='""' 
-DMOZ_APP_UA_VERSION='"45.0.1"' -DFIREFOX_VERSION=45.0.1 -DMOZ_TELEMETRY_DISPLAY_REV=2 -DMOZ_DATA_REPORTING=1 -DMOZ_DLL_SUFFIX='".so"' -DHAVE_POSIX_FADVISE=1 -DHAVE_POSIX_FALLOCATE=1 -DXP_UNIX=1 -DMOZ_REFLOW_PERF=1 -DMOZ_REFLOW_PERF_DSP=1 -DMOZ_ACCESSIBILITY_ATK=1 -DATK_MAJOR_VERSION=2 -DATK_MINOR_VERSION=20 -DATK_REV_VERSION=0 -DA11Y_LOG=1 -DEXPOSE_INTL_API=1 -DENABLE_INTL_API=1 -DMOZ_STATIC_JS=1 -DNO_NSPR_10_SUPPORT=1 -DAB_CD=en-US \
	--format omni \
	--removals /home/guido/new/firefox-45.0.1/browser/installer/removed-files.in \
	 \
	 \
	 \
	 \
	--optimizejars \
	 \
	/home/guido/new/firefox-45.0.1/browser/installer/package-manifest.in ../../dist ../../dist/firefox \
	
Executing /home/guido/new/build-firefox-45.0.1/dist/bin/xpcshell -g /home/guido/new/build-firefox-45.0.1/dist/bin/ -a /home/guido/new/build-firefox-45.0.1/dist/bin/ -f /home/guido/new/firefox-45.0.1/toolkit/mozapps/installer/precompile_cache.js -e precompile_startupcache("resource://gre/");
Assertion failure: !isFloat(), at /home/guido/new/firefox-45.0.1/js/src/jit/RegisterSets.h:47
Traceback (most recent call last):
  File "/home/guido/new/firefox-45.0.1/toolkit/mozapps/installer/packager.py", line 406, in <module>
    main()
  File "/home/guido/new/firefox-45.0.1/toolkit/mozapps/installer/packager.py", line 400, in main
    args.source, gre_path, base)
  File "/home/guido/new/firefox-45.0.1/toolkit/mozapps/installer/packager.py", line 161, in precompile_cache
    errors.fatal('Error while running startup cache precompilation')
  File "/home/guido/new/firefox-45.0.1/python/mozbuild/mozpack/errors.py", line 103, in fatal
    self._handle(self.FATAL, msg)
  File "/home/guido/new/firefox-45.0.1/python/mozbuild/mozpack/errors.py", line 98, in _handle
    raise ErrorMessage(msg)
mozpack.errors.ErrorMessage: Error: Error while running startup cache precompilation
/home/guido/new/firefox-45.0.1/toolkit/mozapps/installer/packager.mk:41: recipe for target "stage-package" failed
make[1]: *** [stage-package] Error 1
make[1]: Leaving directory "/home/guido/new/build-firefox-45.0.1/browser/installer"
/home/guido/new/firefox-45.0.1/browser/build.mk:21: recipe for target "install" failed
make: *** [install] Error 2


Expected results:

make install should have installed firefox cleanly
(Reporter)

Updated

2 years ago
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
(Reporter)

Comment 1

a year ago
Affects both 45.0.1 (Branch 45) and 46.0.1 (Branch 46).
(Reporter)

Updated

a year ago
Severity: normal → major
(Reporter)

Updated

a year ago
Component: Untriaged → Installer
(Reporter)

Comment 2

a year ago
Assertion failure: !isFloat(), at /home/guido/new/firefox-45.0.1/js/src/jit/RegisterSets.h:47
resource://gre/components/ActivityMessageConfigurator.js
resource://gre/components/ActivityProxy.js
resource://gre/components/ActivityRequestHandler.js
resource://gre/components/ActivityWrapper.js
resource://gre/components/AlarmsManager.js
resource://gre/components/AppsService.js
resource://gre/components/BrowserElementParent.js
resource://gre/components/BrowserElementProxy.js
resource://gre/components/CSSUnprefixingService.js
resource://gre/components/ChromeNotifications.js
resource://gre/components/ColorAnalyzer.js
resource://gre/components/ConsoleAPIStorage.js
resource://gre/components/ContactManager.js
resource://gre/components/ContentProcessSingleton.js
resource://gre/components/DOMSecureElement.js
resource://gre/components/DataReportingService.js

Thread 8 "JS Helper" received signal SIGSEGV, Segmentation fault.
[Switching to LWP 3085]
0x00007ffff5c3be68 in js::jit::AnyRegister::gpr (this=<optimized out>) at /home/guido/new/firefox-45.0.1/js/src/jit/RegisterSets.h:47
47	        MOZ_ASSERT(!isFloat());
(gdb) where
#0  0x00007ffff5c3be68 in js::jit::MacroAssembler::storeConstantOrRegister<js::jit::Address>(js::jit::ConstantOrRegister, js::jit::Address const&) (this=<optimized out>) at /home/guido/new/firefox-45.0.1/js/src/jit/RegisterSets.h:47
#1  0x00007ffff5c3be68 in js::jit::MacroAssembler::storeConstantOrRegister<js::jit::Address>(js::jit::ConstantOrRegister, js::jit::Address const&) (dest=..., src=..., this=0x7fffd9855058) at /home/guido/new/firefox-45.0.1/js/src/jit/MacroAssembler.h:900
#2  0x00007ffff5c3be68 in js::jit::MacroAssembler::storeConstantOrRegister<js::jit::Address>(js::jit::ConstantOrRegister, js::jit::Address const&) (this=0x7fffd9855058, src=..., dest=...) at /home/guido/new/firefox-45.0.1/js/src/jit/MacroAssembler.h:920
#3  0x00007ffff5c3bfb1 in js::jit::CodeGenerator::visitStoreFixedSlotT(js::jit::LStoreFixedSlotT*) (this=0x7fffd9855000, ins=<optimized out>)
    at /home/guido/new/firefox-45.0.1/js/src/jit/CodeGenerator.cpp:8580
#4  0x00007ffff5c53bf7 in js::jit::CodeGenerator::generateBody() (this=this@entry=0x7fffd9855000)
    at /home/guido/new/firefox-45.0.1/js/src/jit/CodeGenerator.cpp:4263
#5  0x00007ffff5c549b6 in js::jit::CodeGenerator::generate() (this=this@entry=0x7fffd9855000)
    at /home/guido/new/firefox-45.0.1/js/src/jit/CodeGenerator.cpp:7999
#6  0x00007ffff5c61a4a in js::jit::GenerateCode(js::jit::MIRGenerator*, js::jit::LIRGraph*) (mir=mir@entry=0x7fffd988f2b0, lir=0x7fffd98d7b80)
    at /home/guido/new/firefox-45.0.1/js/src/jit/Ion.cpp:1974
#7  0x00007ffff5cb9694 in js::jit::CompileBackEnd(js::jit::MIRGenerator*) (mir=mir@entry=0x7fffd988f2b0)
    at /home/guido/new/firefox-45.0.1/js/src/jit/Ion.cpp:1996
#8  0x00007ffff5ff2cb4 in js::HelperThread::handleIonWorkload() (this=this@entry=0x7fffde1da200)
    at /home/guido/new/firefox-45.0.1/js/src/vm/HelperThreads.cpp:1264
#9  0x00007ffff5ff6627 in js::HelperThread::threadLoop() (this=0x7fffde1da200) at /home/guido/new/firefox-45.0.1/js/src/vm/HelperThreads.cpp:1582
#10 0x00007ffff2928374 in _pt_root (arg=0x7fffe4d7a920) at ptthread.c:216
#11 0x00007ffff7bc3684 in start_thread (arg=0x7fffdccfe700) at pthread_create.c:334
#12 0x00007fffef72349d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(Reporter)

Updated

a year ago
Component: Installer → JavaScript Engine: JIT
Product: Firefox → Core
(Reporter)

Updated

a year ago
Severity: major → critical
(Reporter)

Comment 3

a year ago
Bug 1218925 might be a duplicate of this bug.
(Reporter)

Updated

a year ago
See Also: → bug 1218925
(Reporter)

Comment 4

a year ago
Created attachment 8752626 [details]
debug4.txt

More detailed debugging output from gdb
(Reporter)

Comment 5

a year ago
Might be due to a race condition between the two threads

Comment 6

a year ago
I am having the same situation on firefox 47.0b1 at "make install" time

Executing /home/vitti/1tb/vitti/firefox-47.0b1-obj/dist/bin/xpcshell -g /home/vitti/1tb/vitti/firefox-47.0b1-obj/dist/bin/ -a /home/vitti/1tb/vitti/firefox-47.0b1-obj/dist/bin/ -f /home/vitti/1tb/vitti/firefox-47.0b1/toolkit/mozapps/installer/precompile_cache.js -e precompile_startupcache("resource://gre/");
Assertion failure: !isFloat(), at /home/vitti/1tb/vitti/firefox-47.0b1/js/src/jit/RegisterSets.h:47
Traceback (most recent call last):
  File "/home/vitti/1tb/vitti/firefox-47.0b1/toolkit/mozapps/installer/packager.py", line 414, in <module>
    main()
  File "/home/vitti/1tb/vitti/firefox-47.0b1/toolkit/mozapps/installer/packager.py", line 408, in main
    args.source, gre_path, base)
  File "/home/vitti/1tb/vitti/firefox-47.0b1/toolkit/mozapps/installer/packager.py", line 165, in precompile_cache
    errors.fatal('Error while running startup cache precompilation')
  File "/home/vitti/1tb/vitti/firefox-47.0b1/python/mozbuild/mozpack/errors.py", line 103, in fatal
    self._handle(self.FATAL, msg)
  File "/home/vitti/1tb/vitti/firefox-47.0b1/python/mozbuild/mozpack/errors.py", line 98, in _handle
    raise ErrorMessage(msg)
mozpack.errors.ErrorMessage: Error: Error while running startup cache precompilation
(Reporter)

Comment 7

a year ago
Created attachment 8752827 [details]
debug6.txt

More detailed debug for version 46.0.1 (after removing MOZ_ASSERT from js/src/jit/RegisterSets.h).
(Reporter)

Comment 8

a year ago
Created attachment 8752886 [details]
debug-all-backtrace.txt

thread apply all bt
(Reporter)

Comment 9

a year ago
Created attachment 8752887 [details]
debug-bt-full.txt

bt full

Comment 10

a year ago
The optimization defaults for firefox building are -O3 and -freorder-blocks -Os.
By tweaking the two config.status files in object directory and in js/src I built firefox 47.0b1 with no optimization, or -O0.
"make install" executed and completed fine and cleanly. No Assertion failures.
The installed firefox seems to work.
So it looks to me it is a gnu gcc issue in its optimizer, not a firefox issue.
This is using gnu gcc 7.
Comment 11

Yes, see bug 1245783.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1245783

Comment 12

a year ago
It seems this is connected to gnu gcc bug 70526
(Reporter)

Comment 13

a year ago
I think you meant this (Mozilla bugzilla created a wrong link to Mozilla bugs): https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70526 (gcc bug)

Comment 14

a year ago
(In reply to g.trentalancia from comment #13)
> I think you meant this (Mozilla bugzilla created a wrong link to Mozilla
> bugs): https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70526 (gcc bug)

Yes, unfortunately this is still a bug on my gcc 6.1 and 7.
I should report it on the gcc bugzilla.
(Reporter)

Comment 15

a year ago
The newly created gcc bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70526 has been marked as RESOLVED FIX but it does not seem to propose a valid fix with respect to the problem reported in this bug.

Also I am not sure https://bugzilla.mozilla.org/show_bug.cgi?id=1245783#c11 is on the right track, because in the stack trace that I produced, I cannot find a reference to execution of CodeGenerator::toConstantOrRegister()...
(Reporter)

Comment 16

a year ago
Comment 10 does not seem to propose a valid solution either, as for example the debugging output "debug6.txt" (https://bugzilla.mozilla.org/attachment.cgi?id=8752827) has been produced by using -O0 on Branch 46 and clearly the problem is still there!
(Reporter)

Comment 17

a year ago
What I found useful is https://bugzilla.mozilla.org/show_bug.cgi?id=1218925#c1
(Reporter)

Comment 18

a year ago
Created attachment 8753449 [details] [diff] [review]
firefox-45.0.1-gcc-bug-70526-comment14.patch

Possible temporary workaround (see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70526#c14).

Comment 19

a year ago
R. Guenther suggests using -fno-strict-aliasing
My C++ is not good enough to understand if this is a g++ or firefox bug, unfortunately.

Comment 20

a year ago
(In reply to g.trentalancia from comment #16)
> Comment 10 does not seem to propose a valid solution either, as for example
> debugging output "debug6.txt"
> (https://bugzilla.mozilla.org/attachment.cgi?id=8752827) has been produced
> by using -O0 on Branch 46 and clearly the problem is still there !

My experience is on FF 47 which may be different from 46, and just this morning I downloaded FF 49!

Parts of FF have default optimization option -freorder-blocks -Os other parts have -O3.
I had to modify two or three config.status to force -O0 everywhere.
(Reporter)

Comment 21

a year ago
I have not checked -fno-strict-aliasing, because unfortunately full rebuilds are heavily blocked by Bug 1068209.

However, provided that -fno-strict-aliasing (as suggested in Comment 19) is another possible workaround, then -O0 would probably work too because it implies the former. However, I believe -O0 is an extreme solution and generally not advisable, especially in a production build: you should avoid it, unless there are other reasons for using it.

I believe it is a very interesting question to ask whether this is a gcc or firefox bug!

In the first place, my opinion is that tweaking compiler options should be considered as a workaround and not a full fix.

What I mean for a "full fix" is a code modification (in gcc and/or firefox) that allows to use any compiler option to produce correct code.

That said, I bet it's a firefox bug though, the gcc documentation explicitly warns about the fact that -fstrict-aliasing might produce bad code in some cases (see the gcc man page, no need for C++ skills, it uses C code examples).

Comment 22

a year ago
Tweaking config file(s) is a short term solution, fixing the source code is best, of course.
But my C++, C, and time are too short to fix FF source code.

That said I agree that it is interesting exercise to determine if it is a gcc or firefox bug.
For your convenience I am attaching here a C++ code that should be "equivalent" to the firefox situation:

// g++ -Os/-O2/-O3/-Ofast
// 5.3.0 OK
// 6.1 & 7 FAIL
// taken from gcc bugzilla bug 70526
#include <stdint.h>
#include <stdio.h>

// Reduced copy of mozilla::AlignedStorage2: a raw char buffer that callers
// reinterpret as a T. No T object is ever constructed in the buffer; the
// Register store goes through a pointer whose type the buffer's declaration
// never mentions, so the optimizer may treat that store and the later
// copy of the union (made when TypedOrValueRegister is returned by value)
// as touching unrelated objects.
template<typename T>
struct AlignedStorage2
{
  union U
  {
    char mBytes[sizeof(T)];
    uint64_t mDummy;   // only present to force 8-byte alignment
  } u;

  const T* addr() const { return reinterpret_cast<const T*>(u.mBytes); }
  T* addr() { return static_cast<T*>(static_cast<void*>(u.mBytes)); }
};

enum MIRType { MIRType_Object, MIRType_Value, MIRType_None };

struct Register {
    uint32_t reg_;
    static Register FromCode(uint32_t i) {
        Register r = { i };
        return r;
    }
    uint32_t code() const { return reg_; }
};

class TypedOrValueRegister
{
    MIRType type_;
    AlignedStorage2<Register> typed;
    // noinline keeps the store in a separate function, so the optimizer
    // has to reason about it through the reinterpreted pointer.
    __attribute__((noinline)) Register& dataTyped() { return *typed.addr(); }
  public:
    TypedOrValueRegister()
      : type_(MIRType_None) {}
    TypedOrValueRegister(MIRType type, Register reg)
      : type_(type)
    {
      dataTyped() = reg;   // store through the reinterpreted pointer
    }
    Register typedReg() const { return *typed.addr(); }   // load through it again
};

class ConstantOrRegister
{
    TypedOrValueRegister reg_;
  public:
    ConstantOrRegister(TypedOrValueRegister reg) : reg_(reg) {}
    TypedOrValueRegister reg() const { return reg_; }
};

class LAllocation
{
public:
  __attribute__((noinline)) bool isConstant() const { return false; }
};

class LInstruction {
  LAllocation alloc;
public:
  virtual __attribute__((noinline)) LAllocation* getOperand(size_t n) { (void)n; return &alloc; }
};

__attribute__((noinline)) Register
ToAnyRegister(const LAllocation* a)
{
  (void)a;
  return Register::FromCode(10);
}

// Builds a typed register for a non-constant operand.
__attribute__((noinline)) ConstantOrRegister ToConstantOrRegister(LInstruction* lir, size_t n, MIRType type) {
    if (type == MIRType_Value)
        return TypedOrValueRegister();
    const LAllocation* value = lir->getOperand(n);
    if (value->isConstant())
        return TypedOrValueRegister();
    return TypedOrValueRegister(type, ToAnyRegister(value));
}

int main() {
    LInstruction lir;
    ConstantOrRegister cr = ToConstantOrRegister(&lir, 0, MIRType_Object);
    // A miscompile drops or reorders the store, so a stale value is read here.
    if (cr.reg().typedReg().code() != 10) {
        fprintf(stderr, "Fail\n");
        return 1;   // let the exit status report the failure
    }
    return 0;
}


Intel icpc says line 77 violates strict aliasing rules
" const LAllocation* value = lir->getOperand(n);"
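The test case above stores a Register through a pointer obtained by reinterpreting a char array and reads it back the same way. The following is an added example, not an attachment of this bug and not code from the Mozilla tree: it keeps the shape of the reduced test case but replaces the reinterpreted buffer with storage that is only ever read and written with memcpy, which is well-defined for trivially copyable types and gives the optimizer nothing to reorder. ByteStorage, RoundTripCode and RoundTripType are names introduced here; the NOINLINE macro stands in for the GCC attribute used in the original.

```cpp
// Added example: the comment 22 test case with the char-buffer type pun
// replaced by memcpy-based storage.  Names mirror the reduced test case;
// ByteStorage, RoundTripCode and RoundTripType are this example's own.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <type_traits>

#if defined(__GNUC__)
#  define NOINLINE __attribute__((noinline))
#else
#  define NOINLINE
#endif

enum MIRType { MIRType_Object, MIRType_Value, MIRType_None };

struct Register {
    uint32_t reg_;
    static Register FromCode(uint32_t i) { Register r = { i }; return r; }
    uint32_t code() const { return reg_; }
};

// Replacement for AlignedStorage2<T>: the buffer is only ever touched via
// memcpy, so no T* aliases the unsigned char array and the store made in
// the constructor stays ordered before the load made by typedReg().
template <typename T>
class ByteStorage {
    static_assert(std::is_trivially_copyable<T>::value,
                  "memcpy round-trip is only valid for trivially copyable T");
    union {
        unsigned char mBytes[sizeof(T)];
        uint64_t mDummy;   // forces 8-byte alignment, as in AlignedStorage2
    } u;
public:
    ByteStorage() : u() {}   // zero the buffer so an unset slot is never indeterminate
    void store(const T& v) { std::memcpy(u.mBytes, &v, sizeof(T)); }
    T load() const { T v; std::memcpy(&v, u.mBytes, sizeof(T)); return v; }
};

class TypedOrValueRegister {
    MIRType type_;
    ByteStorage<Register> typed;
public:
    TypedOrValueRegister() : type_(MIRType_None) {}
    TypedOrValueRegister(MIRType type, Register reg) : type_(type) { typed.store(reg); }
    MIRType type() const { return type_; }
    Register typedReg() const { return typed.load(); }
};

class ConstantOrRegister {
    TypedOrValueRegister reg_;
public:
    ConstantOrRegister(TypedOrValueRegister reg) : reg_(reg) {}
    TypedOrValueRegister reg() const { return reg_; }
};

class LAllocation {
public:
    NOINLINE bool isConstant() const { return false; }
};

class LInstruction {
    LAllocation alloc;
public:
    virtual ~LInstruction() {}
    virtual NOINLINE LAllocation* getOperand(std::size_t) { return &alloc; }
};

NOINLINE Register ToAnyRegister(const LAllocation*) { return Register::FromCode(10); }

// Same control flow as the reduced test case: a typed register for a
// non-constant operand, an empty one otherwise.
NOINLINE ConstantOrRegister ToConstantOrRegister(LInstruction* lir, std::size_t n, MIRType type) {
    if (type == MIRType_Value)
        return TypedOrValueRegister();
    const LAllocation* value = lir->getOperand(n);
    if (value->isConstant())
        return TypedOrValueRegister();
    return TypedOrValueRegister(type, ToAnyRegister(value));
}

// Register code that survives the round trip for the given operand type
// (0 when nothing was stored, because the buffer starts zeroed).
uint32_t RoundTripCode(MIRType type) {
    LInstruction lir;
    return ToConstantOrRegister(&lir, 0, type).reg().typedReg().code();
}

// Type tag after the round trip (MIRType_None when no register was stored).
MIRType RoundTripType(MIRType type) {
    LInstruction lir;
    return ToConstantOrRegister(&lir, 0, type).reg().type();
}

int main() {
    bool ok = RoundTripCode(MIRType_Object) == 10 &&
              RoundTripType(MIRType_Value) == MIRType_None;
    std::fprintf(stderr, "%s\n", ok ? "OK" : "Fail");
    return ok ? 0 : 1;
}
```

Compiled with -O2 or -O3 and strict aliasing left on, this version has no access the optimizer is entitled to reorder, which is the difference between a source fix and the -fno-strict-aliasing workaround discussed later in the thread: the flag hides the symptom for one compiler and one set of flags, while the memcpy (or, in C++17, placement new plus std::launder) form is correct under any of them.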
(Reporter)

Comment 23

a year ago
That is the attachment https://gcc.gnu.org/bugzilla/attachment.cgi?id=38175 from the newly opened gcc bug 70526.

There is no need that you attach or copy things from the gcc bug, as I am already in the cc list of that bug.

What is not clear to me yet, is where exactly the CodeGenerator::toConstantOrRegister() method is called from within the reported stack trace...

Finally, as I already told you, it's a firefox bug. The gcc bug should not have ever been opened! And what your alternative compiler says about the reduced testcase code simply reinforces this view.
Comment 24

(In reply to g.trentalancia from comment #23)
> Finally, as I already told you, it's a firefox bug. The gcc bug should not
> have ever been opened!

That's not correct - I filed the GCC bug and they *did* fix a GCC bug. That didn't fix the crashes completely though; I'm working on the remaining Firefox issues in bug 1269319.
(Reporter)

Comment 25

a year ago
I do not agree with you.

What gcc bug did they fix?

It seems to me, they have just suggested the use of correct compiler flags... I cannot see a gcc bug to be honest.
Comment 26

(In reply to g.trentalancia from comment #25)
> What gcc bug did they fix ?
> 
> It seems to me, they have just suggested the use of correct compiler
> flags... I cannot see a gcc bug to be honest.

Er, just read the GCC bug. Start here:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70526#c6

They pushed the fix here:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70526#c9

And if there was no GCC bug it wouldn't have been closed as "RESOLVED FIXED".
(Reporter)

Comment 27

a year ago
That's old and unrelated to this bug. I have gcc 6.1.0 and it already has the fix you mentioned applied (https://gcc.gnu.org/viewcvs?rev=234749&root=gcc&view=rev).

So, the gcc bug is invalid in relation to this bug and should not have been opened.

Also, thanks for trying to fix the issue, but having several bugs opened all related to the same simple issue doesn't help anyone, as it becomes very difficult to follow the debugging and resolution.
(Reporter)

Comment 28

a year ago
Unfortunately, I cannot help much in the debugging and resolution, as my rebuild attempts are heavily blocked by Bug 1068209.
(Reporter)

Updated

a year ago
Depends on: 1068209
Comment 29

(In reply to g.trentalancia from comment #27)
> So, the gcc bug is invalid in relation to this bug

Well, when I opened it I didn't know there were issues in both Firefox *and* GCC.

> and should not have been opened.

Then a bug in GCC would have gone unfixed, so I'm still glad I filed it :)

> Also, thanks for trying to fix the issue, but having several bugs opened all
> related to the same simple issue doesn't help anyone, as it becomes very
> difficult to follow the debugging and resolution.

I understand, that's why I marked this bug (the one you filed) as duplicate of bug 1245783.
(Reporter)

Updated

a year ago
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
(Reporter)

Comment 30

a year ago
And it does not call CodeGenerator::toConstantOrRegister() as already mentioned!
Comment 31

Created attachment 8754477 [details] [diff] [review]
firefox-45.0.1-do-not-break-strict-aliasing-rule.patch

Proposed patch to fix bug 1272944 and other duplicate or related bugs.
(Reporter)

Updated

a year ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → WORKSFORME
(Reporter)

Updated

a year ago
OS: Linux → All
(Reporter)

Updated

a year ago
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
(Reporter)

Comment 32

a year ago
Comment on attachment 8754477 [details] [diff] [review]
firefox-45.0.1-do-not-break-strict-aliasing-rule.patch

Review of attachment 8754477 [details] [diff] [review]:
-----------------------------------------------------------------

It won't work.
Comment 33

Created attachment 8754763 [details] [diff] [review]
firefox-45.0.1-do-not-break-strict-aliasing-rule-v2.patch

Second version of the patch proposed to fix Mozilla bug 1272944 and duplicates. Work in progress...
Attachment #8754477 - Attachment is obsolete: true
(Reporter)

Updated

a year ago
Hardware: x86_64 → All

Comment 34

a year ago
Applying patch to FF 47, as proposed in comment 33, "make install" fails with the following message:

Assertion failure: initialized(), at /home/vitti/1tb/vitti/firefox-47.0b1-obj/dist/include/js/RootingAPI.h:1034

in T* address()
(Reporter)

Comment 35

a year ago
I applied the version 2 of the patch (comment 33) to firefox 46.0.1 and I am now writing to you, Vittorio, with a working browser...

My difficulties in rebuilding firefox are enormous as already explained, so even if I had other ideas, I cannot test them timely at the moment. And besides that, my machine is not very fast!

However, if you want to test, I suggest you do it with stable releases and not beta releases. Try for example, the same v2 patch mentioned above with version 45.0.2, 45.0.1 or 46.0.1.
(Reporter)

Comment 36

a year ago
I have now produced an extra stable 45.0.2 release version out of the patch in Comment 33.

Please do not use version 1 of the patch: it's a mistake (mistakes happen). And, of course, since this is work in progress, if you need ultra-stable results, please use the gcc flag workaround in Comment 18.

Vittorio, your recent failure might not be due to this bug. js/RootingAPI.h should not share any piece of code with code involved in this bug. Please test with stable versions in order to avoid confusion. Thanks to everybody for the time spent debugging this blocker bug!
(Reporter)

Updated

a year ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → WORKSFORME
(Reporter)

Comment 37

a year ago
I have just completed the JetStream (http://browserbench.org/JetStream) testsuite successfully!

Comment 38

a year ago
(In reply to g.trentalancia from comment #37)
> I have just completed the JetStream (http://browserbench.org/JetStream)
> testsuite successfully!

I just found http://peacekeeper.futuremark.com/run.action 
Did you try it?
(Reporter)

Comment 39

a year ago
The test at comment 38 does not work for ANY version, therefore it does not work independently of this bug and the fix.
(Reporter)

Comment 40

a year ago
Oops, I managed to run it now, it needs the cookies enabled...

Apparently it works. Thanks for reporting it!

I don't know how good these external tests are for checking the JavaScript functionality. The other guys in the community seem to use internal tests that ship with the Mozilla code: jit-test and another one. However I could not run them successfully for some reason.
(Reporter)

Comment 41

a year ago
However, I can run a bunch of tests fine from jsapi-tests (in dist/bin) that seem related to Jit:

test_PreserveJitCode
TEST-PASS | test_PreserveJitCode | ok
testJitRegisterSet_FPU
TEST-PASS | testJitRegisterSet_FPU | ok
testJitRegisterSet_GPR
TEST-PASS | testJitRegisterSet_GPR | ok
testJitRangeAnalysis_shiftRight
TEST-PASS | testJitRangeAnalysis_shiftRight | ok
testJitRangeAnalysis_StrictCompareBeta
TEST-PASS | testJitRangeAnalysis_StrictCompareBeta | ok
testJitRangeAnalysis_MathSignBeta
TEST-PASS | testJitRangeAnalysis_MathSignBeta | ok
testJitRangeAnalysis_MathSign
TEST-PASS | testJitRangeAnalysis_MathSign | ok
testJitRValueAlloc_ConstantPool
TEST-PASS | testJitRValueAlloc_ConstantPool | ok
testJitRValueAlloc_UndefinedAndNull
TEST-PASS | testJitRValueAlloc_UndefinedAndNull | ok
testJitRValueAlloc_UntypedStack
TEST-PASS | testJitRValueAlloc_UntypedStack | ok
testJitRValueAlloc_UntypedReg
TEST-PASS | testJitRValueAlloc_UntypedReg | ok
testJitRValueAlloc_TypedStack
TEST-PASS | testJitRValueAlloc_TypedStack | ok
testJitRValueAlloc_TypedReg
TEST-PASS | testJitRValueAlloc_TypedReg | ok
testJitRValueAlloc_FloatStack
TEST-PASS | testJitRValueAlloc_FloatStack | ok
testJitRValueAlloc_FloatReg
TEST-PASS | testJitRValueAlloc_FloatReg | ok
testJitRValueAlloc_Double
TEST-PASS | testJitRValueAlloc_Double | ok
testJitGVN_PinnedPhis
TEST-PASS | testJitGVN_PinnedPhis | ok
testJitGVN_FixupOSROnlyLoopNested
TEST-PASS | testJitGVN_FixupOSROnlyLoopNested | ok
testJitGVN_FixupOSROnlyLoop
TEST-PASS | testJitGVN_FixupOSROnlyLoop | ok
testJitFoldsTo_UnsignedMod
TEST-PASS | testJitFoldsTo_UnsignedMod | ok
testJitFoldsTo_UnsignedDiv
TEST-PASS | testJitFoldsTo_UnsignedDiv | ok
testJitNotNotTest
TEST-PASS | testJitNotNotTest | ok
testJitNotTest
TEST-PASS | testJitNotTest | ok
testJitNotNotNot
TEST-PASS | testJitNotNotNot | ok
testJitNotNot
TEST-PASS | testJitNotNot | ok
testJitFoldsTo_NoDivReciprocal
TEST-PASS | testJitFoldsTo_NoDivReciprocal | ok
testJitFoldsTo_DivReciprocal
TEST-PASS | testJitFoldsTo_DivReciprocal | ok
testJitDCEinGVN_phi
TEST-PASS | testJitDCEinGVN_phi | ok
testJitDCEinGVN_ins
TEST-PASS | testJitDCEinGVN_ins | ok
(Reporter)

Comment 42

a year ago
I have applied the patch at comment 33 (https://bugzilla.mozilla.org/attachment.cgi?id=8754763) to the latest mozjs release (http://ftp.mozilla.org/pub/js/mozjs-24.2.0.tar.bz2) and I ran the jstests there: there is no change in failures (5), so it seems that the patch does not break anything.
Comment 43

Created attachment 8755461 [details] [diff] [review]
firefox-45.0.1-do-not-break-strict-aliasing-rule-v1.patch

Proposed patch to fix Mozilla bug 1272944 and related or duplicate bugs (such as 1218925 and/or 1245783)
Attachment #8754763 - Attachment is obsolete: true
Comment 44

See also https://bugzilla.mozilla.org/show_bug.cgi?id=1245783#c36

We've fixed this on trunk and will try to get these patches backported to aurora/beta/ESR.
(Reporter)

Comment 45

a year ago
I have had a look at the patch that you mention, Jan, but it doesn't apply to releases and also it seems a bit over-complex...