Bug 1414849
Opened 7 years ago
Closed 7 years ago
Assertion failure: loc1 == loc2, at js/src/jit/CacheIRCompiler.cpp:474
Categories
(Core :: JavaScript Engine, defect, P1)
RESOLVED
FIXED
mozilla59
Release | Tracking | Status |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox57 | --- | wontfix |
firefox58 | --- | wontfix |
firefox59 | --- | fixed |
People
(Reporter: decoder, Assigned: jandem)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
patch (1.51 KB), tcampbell: review+
The following testcase crashes on mozilla-central revision 4e6df5159df3 (built with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --cpu-count=2 --ion-eager --ion-offthread-compile=off):
var msPerHour = 3600000;
var TZ_DIFF = getTimeZoneDiff();
var TZ_ADJUST = TZ_DIFF * msPerHour;
var UTC_1_JAN_2005 = TimeInYear(2001) + TimeInYear(2002) + TimeInYear(2003) + TimeInYear(2004);
function getTimeZoneDiff() {}
function TimeInYear(y) {
addDateTestCase(UTC_1_JAN_2005 - TZ_ADJUST);
function addDateTestCase(date_given_in_milliseconds)
givenDate = new Date(date_given_in_milliseconds);
expect = extractTimeString(givenDate);
function extractTimeString(date) {
regexp = new RegExp(date.toDateString() + '(.*)' + '\$');
hopeThisIsTimeString = date.toString().match(regexp)[1];
return trimL(trimR(hopeThisIsTimeString));
function trimL(s) {}
function trimR(s) {
for (var i = s; i!=-1; i--)
if (s[i] != ' ') break;
}
}
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0829067e in js::jit::CacheRegisterAllocator::fixupAliasedInputs (this=0xffffb3f0, masm=...) at js/src/jit/CacheIRCompiler.cpp:473
#0 0x0829067e in js::jit::CacheRegisterAllocator::fixupAliasedInputs (this=0xffffb3f0, masm=...) at js/src/jit/CacheIRCompiler.cpp:473
#1 0x0832227f in js::jit::IonCacheIRCompiler::compile (this=0xffffa9a0) at js/src/jit/IonCacheIRCompiler.cpp:556
#2 0x0832e6c3 in js::jit::IonIC::attachCacheIRStub (this=0xf5eca130, cx=0xf791d000, writer=..., kind=<incomplete type>, ionScript=0xf5eca000, attached=0xffffb873, typeCheckInfo=0x0) at js/src/jit/IonCacheIRCompiler.cpp:2428
#3 0x0836ec2d in js::jit::IonGetPropertyIC::update (cx=0xf791d000, outerScript=..., ic=0xf5eca130, val=..., idVal=..., res=...) at js/src/jit/IonIC.cpp:146
#4 0x299a4653 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
eax 0x0 0
ebx 0xffffb458 -19368
ecx 0xf7da4864 -136689564
edx 0x0 0
esi 0x0 0
edi 0x5 5
ebp 0xffffa848 4294944840
esp 0xffffa810 4294944784
eip 0x829067e <js::jit::CacheRegisterAllocator::fixupAliasedInputs(js::jit::MacroAssembler&)+718>
=> 0x829067e <js::jit::CacheRegisterAllocator::fixupAliasedInputs(js::jit::MacroAssembler&)+718>: movl $0x0,0x0
0x8290688 <js::jit::CacheRegisterAllocator::fixupAliasedInputs(js::jit::MacroAssembler&)+728>: ud2
Updated•7 years ago
Flags: needinfo?(jdemooij)
Updated•7 years ago
Priority: -- → P1
Comment 1•7 years ago (Assignee)
Ion ICs can have inputs that alias each other. In fixupAliasedInputs we deal with this pretty uncommon case by spilling to the stack (to simplify CacheIR regalloc).
The assert is checking that if we have two aliasing ValueOperands, they are equal, but that's not always true. Here we have something like loc1 = (r0, r1) and loc2 = (r2, r1) - same payload reg, different type regs.
It's just a bogus assert. The code does not depend on this and will do the right thing.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8929024 - Flags: review?(tcampbell)
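The aliasing case Comment 1 describes, as an added illustration that is not part of the bug report or SpiderMonkey's code: a simplified C++ model in which a boxed value occupies a (type, payload) register pair, showing that two operands can alias without being equal and that spilling one of them still resolves the overlap. The `ValueOperand` struct here is a stand-in of the same name, and `Location`, `anyAliasing` and `fixupAliased` are hypothetical; spilling the later input of a pair is a choice of this sketch.

```cpp
#include <cstddef>
#include <vector>

// Simplified model (assumption): on a 32-bit target a boxed Value occupies
// two registers, one for the type tag and one for the payload.
struct ValueOperand {
    int typeReg, payloadReg;
    bool operator==(const ValueOperand& o) const {
        return typeReg == o.typeReg && payloadReg == o.payloadReg;
    }
    // Operands alias when they share at least one register.
    bool aliases(const ValueOperand& o) const {
        return typeReg == o.typeReg || typeReg == o.payloadReg ||
               payloadReg == o.typeReg || payloadReg == o.payloadReg;
    }
};

// Hypothetical location record: an input lives in registers or a stack slot.
struct Location {
    bool inRegister;
    ValueOperand regs;  // meaningful only when inRegister
    int stackSlot;      // meaningful only when !inRegister
};

// True if two register-resident inputs still share a register.
bool anyAliasing(const std::vector<Location>& in) {
    for (size_t i = 1; i < in.size(); i++)
        for (size_t j = 0; j < i; j++)
            if (in[i].inRegister && in[j].inRegister &&
                in[i].regs.aliases(in[j].regs))
                return true;
    return false;
}

// Spill the later input of each aliasing pair; equality is never needed.
int fixupAliased(std::vector<Location>& in) {
    int spills = 0;
    for (size_t i = 1; i < in.size(); i++)
        for (size_t j = 0; j < i && in[i].inRegister; j++)
            if (in[j].inRegister && in[i].regs.aliases(in[j].regs))
                in[i] = Location{false, ValueOperand{-1, -1}, spills++};
    return spills;
}

int main() {
    ValueOperand loc1{0, 1}, loc2{2, 1};  // constructed: shared payload reg
    std::vector<Location> in = {{true, loc1, -1}, {true, loc2, -1}};
    return (fixupAliased(in) == 1 && !anyAliasing(in)) ? 0 : 1;
}
```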
Comment 2•7 years ago
Comment on attachment 8929024
Patch
Review of attachment 8929024:
-----------------------------------------------------------------
Makes sense.
Attachment #8929024 - Flags: review?(tcampbell) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/65010575ea90
Remove a bogus assert. r=tcampbell
Comment 4•7 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox59: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Updated•7 years ago
status-firefox57: --- → wontfix
status-firefox-esr52: --- → unaffected