Closed
Bug 524694
Opened 15 years ago
Closed 15 years ago
Assertion failed: config.vfp || ins->isop(LIR_icall) (c:/mobilla/js/src/nanojit/NativeARM.cpp:829)
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 524587
People
(Reporter: crowderbt, Unassigned)
Details
Attachments
(1 file)
394 bytes,
patch
Running a debug build in Windows Mobile, I am hitting this assertion today.
Here is the callstack:
> mozjs.dll!NanoAssertFail(void) Line: 64, Byte Offsets: 0x04 C++
mozjs.dll!nanojit::Assembler::asm_call(nanojit::LIns* ins = 0x5b9db4f0) Line: 835, Byte Offsets: 0xc4 C++
mozjs.dll!nanojit::Assembler::gen(nanojit::LirFilter* reader = 0x23bc6d64) Line: 1415, Byte Offsets: 0xf00 C++
mozjs.dll!nanojit::Assembler::assemble(nanojit::Fragment* frag = 0x5bbce250) Line: 751, Byte Offsets: 0x3ac C++
mozjs.dll!nanojit::compile(nanojit::Assembler* assm = 0x5b866048, nanojit::Fragment* frag = 0x5bbce250, nanojit::Allocator& alloc = {...}, nanojit::LabelMap* labels = 0x5b866808) Line: 1973, Byte Offsets: 0x1e4 C++
mozjs.dll!TraceRecorder::compile(JSTraceMonitor* tm = 0x5b9d3078) Line: 4299, Byte Offsets: 0x174 C++
mozjs.dll!TraceRecorder::closeLoop(SlotMap& slotMap = {...}, VMSideExit* exit = 0x5bbcf448) Line: 4703, Byte Offsets: 0x7d0 C++
mozjs.dll!TraceRecorder::closeLoop(VMSideExit* exit = 0x5bbcf448) Line: 4596, Byte Offsets: 0x5c C++
mozjs.dll!TraceRecorder::closeLoop(void) Line: 4588, Byte Offsets: 0x2c C++
mozjs.dll!TraceRecorder::checkTraceEnd(unsigned char* pc = 0x5ba457e8) Line: 5125, Byte Offsets: 0x20c C++
mozjs.dll!TraceRecorder::relational(nanojit::LOpcode op = 0x0000001c, bool tryBranchAfterCond = true) Line: 8815, Byte Offsets: 0x95c C++
mozjs.dll!TraceRecorder::record_JSOP_LT(void) Line: 10021, Byte Offsets: 0x20 C++
mozjs.dll!TraceRecorder::monitorRecording(JSContext* cx = 0x5b81ce00, TraceRecorder* tr = 0x5e28d000, JSOp op = 0x00000014) Line: 139, Byte Offsets: 0x998 C++
mozjs.dll!js_Interpret(JSContext* cx = 0x5b81ce00) Line: 79, Byte Offsets: 0xa58 C++
mozjs.dll!js_Invoke(JSContext* cx = 0x5b81ce00, unsigned int argc = 0x00000002, int* vp = 0x5e42b160, unsigned int flags = 0x00000000) Line: 1371, Byte Offsets: 0xbc0 C++
xul.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS* wrapper = 0x5d632200, unsigned short methodIndex = 0x0009, XPTMethodDescriptor* info = 0x5baadd40, nsXPTCMiniVariant* nativeParams = 0x23bc9b88) Line: 1696, Byte Offsets: 0x1338 C++
xul.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 0x0009, XPTMethodDescriptor* info = 0x5baadd40, nsXPTCMiniVariant* params = 0x23bc9b88) Line: 570, Byte Offsets: 0x7c C++
xul.dll!PrepareAndDispatch(nsXPTCStubBase* self = 0x5e2fd5d0, unsigned int methodIndex = 0x00000009, unsigned int* args = 0x23bc9c74) Line: 109, Byte Offsets: 0x400 C++
0x7b4eff20
Comment 1 • 15 years ago (Reporter)
If I enable TMFLAGS=full (trying to collect the output for the LIR being generated here), I get a separate crash:
> mozjs.dll!RegExpNativeCompiler::compile(void) Line: 3243, Byte Offsets: 0xa50 C++
mozjs.dll!CompileRegExpToNative(JSContext* cx = 0x5b81ce00, JSRegExp* re = 0x5d682040, nanojit::Fragment* fragment = 0x5b866da8) Line: 3266, Byte Offsets: 0xc8 C++
mozjs.dll!GetNativeRegExp(JSContext* cx = 0x5b81ce00, JSRegExp* re = 0x5d682040) Line: 3289, Byte Offsets: 0xcc C++
mozjs.dll!MatchRegExp(REGlobalData* gData = 0x23bc7280, REMatchState* x = 0x5e46a8b8) Line: 4697, Byte Offsets: 0x68 C++
mozjs.dll!js_ExecuteRegExp(JSContext* cx = 0x5b81ce00, JSRegExp* re = 0x5d682040, JSString* str = 0x5d7e4b30, unsigned int* indexp = 0x23bc73dc, int test = 0x00000001, int* rval = 0x5d6ef278) Line: 4879, Byte Offsets: 0x210 C++
mozjs.dll!DoMatch(JSContext* cx = 0x5b81ce00, int* vp = 0x5d6ef278, JSString* str = 0x5d7e4b30, RegExpGuard& g = {...}, bool (JSContext*, unsigned int, void*)* callback = 0x7960a324, void* data = 0x23bc7450, MatchControlFlags flags = 0x00000007) Line: 1448, Byte Offsets: 0xe0 C++
mozjs.dll!str_replace(JSContext* cx = 0x5b81ce00, unsigned int argc = 0x00000002, int* vp = 0x5d6ef278) Line: 1907, Byte Offsets: 0x330 C++
mozjs.dll!js_Interpret(JSContext* cx = 0x5b81ce00) Line: 2257, Byte Offsets: 0x15fb4 C++
mozjs.dll!js_Invoke(JSContext* cx = 0x5b81ce00, unsigned int argc = 0x00000002, int* vp = 0x5d6ef160, unsigned int flags = 0x00000000) Line: 1371, Byte Offsets: 0xbc0 C++
xul.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS* wrapper = 0x5d7e7340, unsigned short methodIndex = 0x0009, XPTMethodDescriptor* info = 0x5baadd40, nsXPTCMiniVariant* nativeParams = 0x23bc9b58) Line: 1696, Byte Offsets: 0x1338 C++
xul.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 0x0009, XPTMethodDescriptor* info = 0x5baadd40, nsXPTCMiniVariant* params = 0x23bc9b58) Line: 570, Byte Offsets: 0x7c C++
xul.dll!PrepareAndDispatch(nsXPTCStubBase* self = 0x5e42e440, unsigned int methodIndex = 0x00000009, unsigned int* args = 0x23bc9c44) Line: 109, Byte Offsets: 0x400 C++
0x7b4eff20
Comment 2 • 15 years ago (Reporter)
This fix might need its own bug?
Comment 3 • 15 years ago (Reporter)
Here is the LIR we were generating when we hit the initial assertion:
Trace has unstable loop variable with no stable peer, compiling anyway.
================================================================================
=== BEGIN LIR::compile(5B866048, 5BBCFA80)
===
=== Results of liveness analysis:
===
Live instruction count 75, total 108, max pressure 8
Side exits 8
Showing LIR instructions with live-after variables
state = iparam 0 r0 state
label2: state label2
sp = ld state[0] state sp
rp = ld state[4] state sp rp
cx = ld state[8] state sp rp cx
$var0 = ld sp[-24] $var0 state sp rp cx
ld1 = ld sp[-16] $var0 state ld1 sp rp cx
i2f1 = fcall #i2f ( ld1 ) $var0 state sp rp i2f1 cx
callh1 = callh i2f1 $var0 state sp rp i2f1 callh1 cx
qjoin (i2f1 = fcall #i2f ( ld1 )), callh1
$var0 state sp rp $var1 cx
ld2 = ld sp[-8] ld2 $var0 state sp rp $var1 cx
i2f2 = fcall #i2f ( ld2 ) i2f2 $var0 state sp rp $var1 cx
callh2 = callh i2f2 i2f2 callh2 $var0 state sp rp $var1 cx
qjoin (i2f2 = fcall #i2f ( ld2 )), callh2
$var2 $var0 state sp rp $var1 cx
ld3 = ld cx[0] $var2 ld3 $var0 state sp rp $var1 cx
eq1 = eq ld3, NULL $var2 $var0 eq1 state sp rp $var1 cx
xf1: xf eq1 -> pc=5BA457BE imacpc=00000000 sp+0 rp+0 (GuardID=001)
$var2 $var0 state sp rp $var1 cx
ld4 = ld cx[148] $var2 $var0 state sp ld4 rp $var1
ld5 = ld ld4[56] $var2 $var0 state sp rp ld5 $var1
sti sp[0] = PCVAL_TO_OBJECT(pcval)
$var2 $var0 state sp rp ld5 $var1
sti sp[8] = ld5 $var2 $var0 state sp rp $var1
sti sp[16] = $var0 $var2 $var0 state sp rp $var1
map = ld obj[0] $var2 $var0 map state sp rp $var1
ops = ldc map[0] $var2 $var0 map state ops sp rp $var1
ldc1 = ldc ops[12] $var2 $var0 map state sp ldc1 rp $var1
guard(native-map) = eq ldc1, ptr
$var2 $var0 map state sp rp guard(native-map) $var1
xf2: xf guard(native-map) -> pc=5BA457C5 imacpc=00000000 sp+24 rp+0 (GuardID=002)
$var2 $var0 map state sp rp $var1
shape = ld map[4] shape $var2 $var0 state sp rp $var1
guard_kshape = eq shape, #00003891
guard_kshape $var2 $var0 state sp rp $var1
xf3: xf guard_kshape -> pc=5BA457C5 imacpc=00000000 sp+24 rp+0 (GuardID=003)
$var2 $var0 state sp rp $var1
js_String_p_charCodeAt1 = fcall #js_String_p_charCodeAt ( $var0 $var1 )
$var2 state sp rp $var1 js_String_p_charCodeAt1
callh3 = callh js_String_p_charCodeAt1
$var2 state sp rp $var1 js_String_p_charCodeAt1 callh3
qjoin (js_String_p_charCodeAt1 = fcall #js_String_p_charCodeAt ( $var0 $var1 )), callh3
qjoin1 $var2 state sp rp $var1
stqi sp[16] = qjoin1 qjoin1 $var2 state sp rp $var1
sti rp[0] = fi qjoin1 $var2 state sp $var1
sti sp[24] = NULL qjoin1 $var2 state sp $var1
stqi sp[32] = qjoin1 qjoin1 $var2 state sp $var1
qhi1 = qhi 0 qjoin1 $var2 state sp $var1 qhi1
qlo1 = qlo 0 qjoin1 qlo1 $var2 state sp $var1 qhi1
qjoin (qlo1 = qlo 0), qhi1 qjoin1 qjoin2 $var2 state sp $var1
fcmpge1 = icall #fcmpge ( qjoin1 qjoin2 )
qjoin1 $var2 fcmpge1 state sp $var1
eq2 = eq fcmpge1, 1 qjoin1 $var2 eq2 state sp $var1
sti sp[32] = eq2 qjoin1 $var2 eq2 state sp $var1
eq3 = eq eq2, 1 qjoin1 $var2 state sp eq3 $var1
xf4: xf eq3 -> pc=5D68837E imacpc=00000000 sp+40 rp+4 (GuardID=004)
qjoin1 $var2 state sp $var1
stqi sp[32] = qjoin1 qjoin1 $var2 state sp $var1
qhi2 = qhi 31 qjoin1 $var2 qhi2 state sp $var1
qlo2 = qlo 31 qjoin1 $var2 qhi2 qlo2 state sp $var1
qjoin (qlo2 = qlo 31), qhi2 qjoin1 $var2 qjoin3 state sp $var1
fcmple1 = icall #fcmple ( qjoin1 qjoin3 )
qjoin1 $var2 state fcmple1 sp $var1
eq4 = eq fcmple1, 1 qjoin1 $var2 state sp eq4 $var1
sti sp[32] = eq4 qjoin1 $var2 state sp eq4 $var1
eq5 = eq eq4, 1 qjoin1 $var2 state sp $var1 eq5
xt1: xt eq5 -> pc=5D688387 imacpc=00000000 sp+40 rp+4 (GuardID=005)
qjoin1 $var2 state sp $var1
qhi3 = qhi 127 qjoin1 $var2 qhi3 state sp $var1
qlo3 = qlo 127 qjoin1 $var2 qhi3 state qlo3 sp $var1
qjoin (qlo3 = qlo 127), qhi3
qjoin1 $var2 state qjoin4 sp $var1
fcmpeq1 = icall #fcmpeq ( qjoin1 qjoin4 )
$var2 state sp $var1 fcmpeq1
eq6 = eq fcmpeq1, 1 $var2 state sp $var1 eq6
sti sp[0] = eq6 $var2 state sp $var1 eq6
eq7 = eq eq6, 1 $var2 eq7 state sp $var1
xt2: xt eq7 -> pc=5BA457D3 imacpc=00000000 sp+8 rp+0 (GuardID=006)
$var2 state sp $var1
qhi4 = qhi 1 $var2 state qhi4 sp $var1
qlo4 = qlo 1 $var2 state qhi4 qlo4 sp $var1
qjoin (qlo4 = qlo 1), qhi4 $var2 state sp qjoin5 $var1
fadd1 = fcall #fadd ( $var1 qjoin5 )
$var2 state sp fadd1
callh4 = callh fadd1 $var2 state sp fadd1 callh4
qjoin (fadd1 = fcall #fadd ( $var1 qjoin5 )), callh4
qjoin6 $var2 state sp
stqi sp[-16] = qjoin6 qjoin6 $var2 state sp
stqi sp[0] = qjoin6 qjoin6 $var2 state sp
stqi sp[8] = $var2 qjoin6 $var2 state
fcmplt1 = icall #fcmplt ( qjoin6 $var2 )
state fcmplt1
eq8 = eq fcmplt1, 1 state eq8
xf5: xf eq8 -> pc=5BA457E7 imacpc=00000000 sp+16 rp+0 (GuardID=007)
state
x2: x -> pc=5BA457BE imacpc=00000000 sp+0 rp+0 (GuardID=008)
state
=== Translating LIR fragments into assembly:
=== -- Compile trunk 5BBCFA80: begin
Assertion failed: config.vfp || ins->isop(LIR_icall) (c:/mobilla/js/src/nanojit/NativeARM.cpp:829)
Comment 4 • 15 years ago (Reporter)
cc:ing jorendorff since he helped with the first fix... :)
Updated • 15 years ago
OS: Windows XP → Windows Mobile 6 Standard
Hardware: x86 → ARM
Updated • 15 years ago (Reporter)
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE