529147 - TM: "Assertion failure: numSideExitsBefore >= fragment->root->treeInfo->sideExits.length(), at ../jstracer.cpp"

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

var magicNumbers = [1, -1, 0, 0];
var magicIndex = 0;

function foo(n) {
    for (var i = 0; i < n; ++i) {
        bar();
    }
}

function bar() {
    var q = magicNumbers[magicIndex++];
    if (q != -1) {
        foo(q);
    }
}

foo(3);


asserts js debug shell with -j on TM tip at Assertion failure: numSideExitsBefore >= fragment->root->treeInfo->sideExits.length(), at ../jstracer.cpp:2560

Many thanks to Jesse for his help in reduction of the testcase.

autoBisect shows this has the following (not exactly the smallest regression window):

http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=81afd53646d4&tochange=30f8f6dcf808

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This is impacting jsfunfuzz significantly. :(

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

After some manual bisects, this is probably related to bug 520636.

Comment 3

[Luke Wagner [:luke]]

Attachment: fix flipped assert, add test

Flipped relational operator; pretty dim on my part.  At first I was surprised that something so wrong could pass debug trace-tests, but its actually quite a corner case, so I'm adding it.  Thanks again Gary!

Comment 4

[Luke Wagner [:luke]]

http://hg.mozilla.org/tracemonkey/rev/81b3a2e0c807

Comment 5

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/81b3a2e0c807

Comment 6

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug529147.js.