Closed Bug 505314 Opened 15 years ago Closed 15 years ago

"Assertion failed: i != 0" on collecta.com

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical


RESOLVED FIXED

People

(Reporter: jruderman, Assigned: dmandelin)


Details

(Keywords: assertion)

Attachments

(2 files, 2 obsolete files)

Loading http://collecta.com/ in a debug build triggers:

Assertion failed: i != 0 (/Users/jruderman/central/js/src/nanojit/Assembler.cpp:1605)
Important catch. Can you grab a local copy? Is this reproducible?
This seems to involve js_Arguments
Assignee: general → dmandelin
Attached patch Patch 3
I don't have a reduced test case either. The bug seems to depend on the exact state of the register allocator, which is hard to control by writing JS.

The problem seems to be caused by writing a LIR_ialloc instruction with size 0. Somehow that makes the allocator get confused. It ends up giving slot 2 in the AR to 2 different calls. When call 1 is processed, it ends up clearing the slot. When call 2 is processed, it tries to clear the slot and asserts.

I fixed it by making the call not allocate a 0-sized buffer, and improved the nanojit asserts so they should be able to catch related problems faster in the future.
Attachment #389591 - Flags: review?(gal)
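The failure mode described in the comment above, replayed on a toy slot allocator. This is an added illustration, not nanojit's AR allocator or the patch from this bug; the class and function names (SlotAllocator, allocate, release, replay) and the slot bookkeeping are hypothetical. It shows why a zero-sized allocation hands the same slot index to two callers, why the second teardown then finds an already-cleared slot (the condition the assertion catches), and how rejecting the zero-sized request up front fails at the cause instead of at the symptom.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Toy stack-slot allocator (hypothetical, written for this example).
// Each live allocation owns a run of slots tagged with the caller's id.
class SlotAllocator {
public:
    explicit SlotAllocator(bool hardened) : hardened_(hardened), owner_(1, 0) {}

    // Reserve `size` slots for `id` and return the index of the first one.
    // Naive mode: a size-0 request returns the index the *next* request will
    // also receive, so two callers end up "owning" the same slot.
    // Hardened mode: zero-sized requests are rejected before any bookkeeping.
    int allocate(int id, std::size_t size) {
        if (hardened_ && size == 0)
            throw std::invalid_argument("zero-sized allocation rejected");
        int first = static_cast<int>(owner_.size());
        for (std::size_t k = 0; k < size; ++k)
            owner_.push_back(id);
        return first;
    }

    // Give `slot` back. Returns false if it is out of range or already free;
    // "already free" is the double-clear that a debug assertion would flag.
    bool release(int slot) {
        if (slot <= 0 || slot >= static_cast<int>(owner_.size()))
            return false;
        if (owner_[slot] == 0)
            return false;  // someone else cleared this slot first
        owner_[slot] = 0;
        return true;
    }

private:
    bool hardened_;
    std::vector<int> owner_;  // owner_[i] == 0 means slot i is free; slot 0 unused
};

enum Outcome { kClean = 0, kDoubleRelease = 1, kRejected = 2 };

// Replay the sequence from the comment: call 1 asks for `firstSize` slots
// (0 in the reported case), call 2 asks for a real slot, then both are torn
// down in order. The return value says where the run stopped.
int replay(bool hardened, std::size_t firstSize) {
    SlotAllocator ar(hardened);
    int call1 = 0, call2 = 0;
    try {
        call1 = ar.allocate(1, firstSize);
        call2 = ar.allocate(2, 1);
    } catch (const std::invalid_argument&) {
        return kRejected;  // hardened build stops at the cause
    }
    if (!ar.release(call1)) return kDoubleRelease;
    if (!ar.release(call2)) return kDoubleRelease;  // naive build fails here
    return kClean;
}

int main() {
    std::printf("naive,    size 0: outcome %d\n", replay(false, 0));
    std::printf("hardened, size 0: outcome %d\n", replay(true, 0));
    std::printf("hardened, size 1: outcome %d\n", replay(true, 1));
    return 0;
}
```

In naive mode with a zero-sized first request, both calls receive slot 1; releasing call 1 clears the slot that actually belongs to call 2, and call 2's release then finds it empty. The hardened check turns the same input into an immediate, attributable failure at the allocation site, which is the point of the comment's "improved the nanojit asserts" change.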
Attached file testcase, partially reduced (obsolete)
Attachment #389560 - Attachment is obsolete: true
Attachment #389591 - Flags: review?(gal) → review+
Getting harder to reduce :(
Attachment #389598 - Attachment is obsolete: true
Pushed to TM as 57f03473969d.
http://hg.mozilla.org/mozilla-central/rev/57f03473969d
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Filter on qa-project-auto-change:

Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-