Closed Bug 1529377 Opened 5 years ago Closed 5 years ago

Assertion failure: !canNotPlacePool_, at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:971 on ARM64

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
ARM64
Unspecified
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1534840
Tracking Flags:
Tracking Status
firefox67 --- affected

People

(Reporter: gkw, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion)

Attachments

(2 files)

stack
21.77 KB, text/plain
Details
testcase.js
209.08 KB, text/plain
Details
Attached file stack

With the patch in bug 1528869 comment 1, I keep getting asserts repeatedly with a stack like this, but they are non-reproducible.

Compiled on m-c rev bf3951daded0 with --enable-debug --enable-more-deterministic --enable-simulator=arm64 and runtime flags like --fuzzing-safe --execute="setJitCompilerOption("ion.forceinlineCaches",1)" --ion-extra-checks --ion-warmup-threshold=100 --ion-eager --ion-gvn=off --more-compartments --ion-offthread-compile=off --gc-zeal=23,146 --no-threads --baseline-eager (not sure if all are needed)

Filing a new bug to block bug 1528869 as requested by :nbp in bug 1528869 comment 6.

Flags: needinfo?(sstangl)
Flags: needinfo?(nicolas.b.pierron)

:nbp mentioned in bug 1528869 comment 6 he had previously fixed this one before, so cancelling needinfo? from Sean.

Flags: needinfo?(sstangl)
Attached file testcase.js

I have this reproducible but only with Kannan's patch in bug 1401624 comment 107. Tested on m-c rev bf3951daded0 and I get the following different output with the two sets of runtime flags. (The testcase itself seems resistant to easy reduction)

$ ./js-dbg-64-dm-armsim64-linux-x86_64-1528869-c1_diff-706914cd2477-bf3951daded0 --fuzzing-safe --no-threads --ion-eager --ion-gvn=off testcase.js
Hit MOZ_CRASH(PatchJump target not reachable) at js/src/jit/arm64/Assembler-arm64.cpp:377

$ ./js-dbg-64-dm-armsim64-linux-x86_64-1528869-c1_diff-706914cd2477-bf3951daded0 --fuzzing-safe --no-threads --ion-eager testcase.js
Assertion failure: !canNotPlacePool_, at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:971

(I'm not sure which is at fault - ARM64 or Kannan's patch, so please thrash it out)

Flags: needinfo?(kvijayan)
Blocks: arm64-js-fuzz-bugs
Flags: needinfo?(nicolas.b.pierron)

Hey Gary!

Wait, I'm surprised you even got ARM64 building with that patch applied. Yes I would highly recommend against using the arm64 build of that patch. I'm surprised it builds actually - I have a draft of the ARM64 changes in a delta patch (obnan-arm64.patch) in bug 1401624 comment 106, but that one just builds, haven't actually gotten it passing tests yet.

I'll make this more explicit in the original thread - that at this point there's only really value in fuzzing against x86-64.

Flags: needinfo?(kvijayan)

Gary, does that sounds fine if we mark this bug as invalid until you find it againwithout Kannan's patches?

Flags: needinfo?(nth10sd)
Priority: -- → P2

I'd say a dupe as it still occurs - bug 1534840 has more information.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(nth10sd)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: