Closed Bug 469012 Opened 13 years ago Closed 13 years ago
TM: Crash [@nanojit::LirBufWriter::insLinkToFar] - ecma/FunctionObjects/15.3.5-1.js - ecma/FunctionObjects/15.3.2.1-3.js
Rick, it appears that http://hg.mozilla.org/tracemonkey/rev/2274c22d3611 is the regression changeset. This landed on tm on Dec 9, but it landed on mc on Nov 14. I don't think I've seen this on mc.
Assertion failed: _buf->_thresholdPage (/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/nanojit/LIR.cpp:161)
Summary: TM: Crash [@nanojit::LirBufWriter::insLinkToFar] → TM: Crash [@nanojit::LirBufWriter::insLinkToFar] - ecma/FunctionObjects/15.3.5-1.js - ecma/FunctionObjects/15.3.2.1-3.js
I got the same crash today while on gmail. http://crash-stats.mozilla.com/report/index/32918212-7069-4f84-b437-e76792081216 @ nanojit::LirBufWriter::insLinkTo(nanojit::LOpcode, nanojit::LIns*) js/src/nanojit/LIR.cpp:189
The code as written assumes that one will be approaching the end of a page in small increments and therefore the tests will transition from not-passing to passing in a particular order: first no tests will pass (you're >256 slots from the end of the page), then the outer test alone will pass (you're within 256 slots, but not stepping over the edge) but not the inner one, and then finally the inner test will pass (you're stepping over the edge). Tracemonkey sometimes writes large stack snapshots into LIR buffers (native stack snapshots) so we violate the assumption: we go from "not near the end" to "stepping over the edge" in a single state transition, which it can't handle. It has no threshold page allocated by the time we're at the edge, and we crash. Solution is minor: move the test order around so it doesn't assume this progression. Allocate the threshold page as soon as we're getting close by any measure.
Assignee: general → graydon
Status: NEW → ASSIGNED
Attachment #353763 - Flags: review?(gal)
Attachment #353763 - Flags: review?(gal) → review?(danderson)
Attachment #353763 - Flags: review?(danderson) → review+
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
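The test-ordering problem from the analysis above, as an added example that is not part of the bug report or nanojit's source: a simplified C++ model in which the page capacity and the names `Writer`, `reserve` and `run` are hypothetical. `reserve` returns false at the point where the real code's threshold-page assertion would fail.

```cpp
#include <cstddef>
#include <memory>
#include <utility>

// Simplified model with hypothetical names; not nanojit's LirBufWriter.
constexpr std::size_t kPageSlots = 1024;  // assumed page capacity, in slots
constexpr std::size_t kNearEnd = 256;     // "within 256 slots" of the page end

struct Page { int slots[kPageSlots]; };

struct Writer {
    std::unique_ptr<Page> cur = std::make_unique<Page>();
    std::unique_ptr<Page> threshold;  // spare page, allocated ahead of need
    std::size_t used = 0;
    bool fixedOrder;
    explicit Writer(bool fixed) : fixedOrder(fixed) {}

    // Reserve n slots (n <= kPageSlots). Returns false where the real code
    // would fail its "threshold page exists" assertion.
    bool reserve(std::size_t n) {
        const bool overEdge = used + n > kPageSlots;            // inner test
        const bool nearEnd = used + n + kNearEnd > kPageSlots;  // outer test
        if (nearEnd) {
            if (fixedOrder) {
                // Fixed order: allocate as soon as we are close by any measure.
                if (!threshold) threshold = std::make_unique<Page>();
            } else if (!overEdge && !threshold) {
                // Original order: allocate only on a "near, not over" step.
                threshold = std::make_unique<Page>();
            }
            if (overEdge) {
                if (!threshold) return false;  // no spare page to link to
                cur = std::move(threshold);    // continue on the spare page
                used = 0;
            }
        }
        used += n;
        return true;
    }
};

// Write `count` records of `size` slots each; true if every write succeeded.
bool run(bool fixedOrder, std::size_t size, std::size_t count) {
    Writer w(fixedOrder);
    for (std::size_t i = 0; i < count; ++i)
        if (!w.reserve(size)) return false;
    return true;
}
```

With 8-slot writes both orderings succeed; two 600-slot writes jump from "not near the end" to "over the edge" in one step, and only the fixed ordering has a page ready.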
Has this been merged to the main trunk yet? (did it ever exist there?)
Yes, it did exist there, but the last failure on trunk was on 2008-12-26.
Crash Signature: [@nanojit::LirBufWriter::insLinkToFar]