Closed Bug 453563 Opened 16 years ago Closed 16 years ago

TM: assertion when running unit tests with the JIT on

Categories: Core :: JavaScript Engine, defect, P1
Status: RESOLVED FIXED
Target Milestone: mozilla1.9.1b1
Reporter: mrbkap, Assigned: brendan
Attachments: 1 file

Due to a mistake in my first merge, we had been running the unit tests with the JIT on. There has been a regression on the TraceMonkey branch (recently merged back to mozilla-central) which causes us to hit:

#3  0x4014d3bd in JS_Assert (
    s=0x401e5e30 "(traceMonitor->globalSlots->data()[n]) < (uint32)(globalObj)->dslots[-1]", 
    file=0x401e510c "/home/mrbkap/work/tm-browser/mozilla/js/src/jstracer.cpp", ln=1398)
    at /home/mrbkap/work/tm-browser/mozilla/js/src/jsutil.cpp:58

from

#4  0x40170a7a in TraceRecorder::snapshot (this=0x832c778, exitType=nanojit::MISMATCH_EXIT)
    at /home/mrbkap/work/tm-browser/mozilla/js/src/jstracer.cpp:1391

We should figure out what regressed and fix it. Perhaps when we do fix it, we can purposely (and correctly) turn the JIT back on for unittests.

The assertion happens during shutdown during the extensionmanager tests (testable by running 'make check' from <objdir>/toolkit/mozapps/).
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b1
This is because of global objects changing as function calls inline across static scope boundaries. Blake, were you gonna take this? Or is there another bug that is a dup of it, already on your list? I could not find one by searching, but bugzilla search frustrates me.

/be
Attached patch: fix, pro tem
This is the right short-term fix to cure crashes and assertbotches -- tracing across globals requires nested recorders and tracemonitor refactoring.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #338046 - Flags: review?(danderson)
OS: Linux → All
Hardware: PC → All
Attachment #338046 - Flags: review?(danderson) → review+
I would suggest we intern only globals from the frame we start it. Other globals we access via a slow path and some builtins. So if currentGlobal != globalObj then read & unbox.
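
A simplified C model of the invariant behind the assertion and of the suggestion above to intern only the starting frame's globals. This is an added example, not code from the attached patch or from SpiderMonkey; the struct layout, the function names and the constructed 4-slot and 16-slot globals are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Assumption taken from the asserted expression: dslots[-1] is the slot count. */
typedef struct { uint32_t *dslots; } Obj;
typedef struct {                 /* hypothetical recorder state */
    const Obj *globalObj;        /* global of the frame where recording began */
    uint32_t slots[8];           /* interned global slot indices */
    size_t nslots;
} Recorder;
typedef enum { INTERNED, SLOW_PATH, ABORTED } Access;

/* Models the regression: interns an index without asking whose global it is. */
void intern_unchecked(Recorder *r, uint32_t slot) { r->slots[r->nslots++] = slot; }

/* Guarded form: only the starting global's in-range slots are interned. */
Access record_global_access(Recorder *r, const Obj *currentGlobal, uint32_t slot)
{
    if (currentGlobal != r->globalObj)
        return SLOW_PATH;        /* foreign global: read and unbox, do not intern */
    if (slot >= r->globalObj->dslots[-1] || r->nslots == 8)
        return ABORTED;          /* stop recording rather than track a bad index */
    r->slots[r->nslots++] = slot;
    return INTERNED;
}

/* The condition the assertion checks at snapshot time; returns 1 if it holds. */
int snapshot_invariant_holds(const Recorder *r)
{
    for (size_t i = 0; i < r->nslots; i++)
        if (r->slots[i] >= r->globalObj->dslots[-1])
            return 0;
    return 1;
}

/* Constructed scenario: recording starts on a 4-slot global, then an inlined
 * callee scoped by a 16-slot global touches its slot 10. */
static uint32_t small_mem[1 + 4] = { 4 }, big_mem[1 + 16] = { 16 };
static const Obj small_global = { small_mem + 1 }, big_global = { big_mem + 1 };

int regression_keeps_invariant(void)
{
    Recorder r = { &small_global, { 0 }, 0 };
    intern_unchecked(&r, 10);
    return snapshot_invariant_holds(&r);    /* 0: the assertion would fire */
}
Access guarded_foreign_access(void)
{
    Recorder r = { &small_global, { 0 }, 0 };
    return record_global_access(&r, &big_global, 10);   /* SLOW_PATH */
}
```
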
I filed bug 454739 for the better fix, please comment there (note that a guard snapshot may see the wrong global scoping the top frame's function). Waiting for green to commit this bug's workaround patch.

/be
Fixed:

http://hg.mozilla.org/tracemonkey/rev/f66159540713
http://hg.mozilla.org/mozilla-central/rev/54b9017577ea

/be
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
covered by unittests
Flags: in-testsuite+
Flags: in-litmus-