Assertion failed: !s0->isQuad() && !s1->isQuad()

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: critical
Reporter: mats
Assignee: Unassigned
Keywords: assertion, regression
Version: Trunk
Hardware: x86_64
OS: All
Firefox Tracking Flags: Not tracked
Attachments: 1

(Reporter)

Description

8 years ago
Firefox debug build, x86_64 on Linux.
I think this is a regression in the past day or so.
STR: run mochitest layout/xul/base/test/test_bug393970.xul


Assertion failed: !s0->isQuad() && !s1->isQuad() (js/src/nanojit/LIR.cpp:2475)

Program received signal SIGABRT, Aborted.
0x00007ff454a05fb5 in raise () from /lib/libc.so.6
(gdb) bt 25
#0  0x00007ff454a05fb5 in raise () from /lib/libc.so.6
#1  0x00007ff454a07bc3 in abort () from /lib/libc.so.6
#2  0x00007ff458d0d939 in NanoAssertFail () at js/src/nanojit/avmplus.cpp:72
#3  0x00007ff458d0562e in nanojit::SanityFilter::ins2 (this=0x2128748, v=nanojit::LIR_rsh, s0=0x1a198e8, s1=0x1a19710) at js/src/nanojit/LIR.cpp:2480
#4  0x00007ff458ce0800 in TraceRecorder::record_JSOP_LENGTH (this=0x1ef02c0) at js/src/jstracer.cpp:14843
#5  0x00007ff458cf6845 in TraceRecorder::monitorRecording (this=0x1ef02c0, op=JSOP_LENGTH) at js/src/jsopcode.tbl:550
#6  0x00007ff458c33ca8 in js_Interpret (cx=0x1558220) at js/src/jsops.cpp:78
#7  0x00007ff458c42016 in js_Invoke (cx=0x1558220, argc=2, vp=0x1507a00, flags=<value optimized out>) at js/src/jsinterp.cpp:1384
#8  0x00007ff458c10ae2 in js_fun_apply (cx=0x1558220, argc=2, vp=0x1507990) at js/src/jsfun.cpp:2036
#9  0x00007ff458c2e6de in js_Interpret (cx=0x1558220) at js/src/jsops.cpp:2263
#10 0x00007ff458c42016 in js_Invoke (cx=0x1558220, argc=3, vp=0x1507930, flags=<value optimized out>) at js/src/jsinterp.cpp:1384
#11 0x00007ff458c10ae2 in js_fun_apply (cx=0x1558220, argc=3, vp=0x15078c0) at js/src/jsfun.cpp:2036
#12 0x00007ff458c2e6de in js_Interpret (cx=0x1558220) at js/src/jsops.cpp:2263
#13 0x00007ff458c42016 in js_Invoke (cx=0x1558220, argc=2, vp=0x1507418, flags=<value optimized out>) at js/src/jsinterp.cpp:1384
#14 0x00007ff458c4287b in js_InternalInvoke (cx=0x1558220, obj=0x7ff43c8ba740, fval=140686836755584, flags=0, argc=2, argv=0x1f933f0, rval=0x7fff6160df60) at js/src/jsinterp.cpp:1439
#15 0x00007ff458bc8249 in JS_CallFunctionValue (cx=0x1558220, obj=0x7ff43c8ba740, fval=140686836755584, argc=2, argv=0x1f933f0, rval=0x7fff6160df60) at js/src/jsapi.cpp:5120
#16 0x00007ff4468a2e92 in nsJSContext::CallEventHandler (this=0x15581b0, aTarget=0x1f25ef0, aScope=<value optimized out>, aHandler=0x7ff434edec80, aargv=0x1f933b8, arv=0x7fff6160e140) at dom/base/nsJSEnvironment.cpp:2168
#17 0x00007ff4468cb7cf in nsGlobalWindow::RunTimeout (this=0x1f25ef0, aTimeout=0x1f93410) at dom/base/nsGlobalWindow.cpp:8104
#18 0x00007ff4468cbc22 in nsGlobalWindow::TimerCallback (aTimer=<value optimized out>, aClosure=0x1f93410) at dom/base/nsGlobalWindow.cpp:8448
#19 0x00007ff45871a6c0 in nsTimerImpl::Fire (this=0xada550) at xpcom/threads/nsTimerImpl.cpp:427
#20 0x00007ff45871a7ad in nsTimerEvent::Run (this=0x7ff438007330) at xpcom/threads/nsTimerImpl.cpp:519
#21 0x00007ff458715e87 in nsThread::ProcessNextEvent (this=0x6b4b70, mayWait=1, result=0x7fff6160e2cc) at xpcom/threads/nsThread.cpp:527
#22 0x00007ff4586cacba in NS_ProcessNextEvent_P (thread=0x17c1, mayWait=1) at nsThreadUtils.cpp:250
#23 0x00007ff44784a3c4 in nsBaseAppShell::Run (this=0xc85a90) at widget/src/xpwidgets/nsBaseAppShell.cpp:177
#24 0x00007ff44390ca66 in nsAppStartup::Run (this=0xefe440) at toolkit/components/startup/src/nsAppStartup.cpp:182
(gdb) fr 3
#3  0x00007ff458d0562e in nanojit::SanityFilter::ins2 (this=0x2128748, v=nanojit::LIR_rsh, s0=0x1a198e8, s1=0x1a19710) at js/src/nanojit/LIR.cpp:2480
2480                NanoAssert(s0->isQuad() && !s1->isQuad());
(gdb) p s0->isQuad()
$1 = true
(gdb) p s1->isQuad()
$2 = false
(gdb) p *s0
$3 = {{lastWord = {arIndex = 0, reg = nanojit::RAX, used = 0, opcode = nanojit::LIR_ldq}, dummy = 0x4a000000}}
(gdb) p *s1
$4 = {{lastWord = {arIndex = 0, reg = nanojit::RAX, used = 0, opcode = nanojit::LIR_int}, dummy = 0x18000000}}
(gdb)

Comment 1

8 years ago
Not just Linux. The assertion is triggering consistently for me on a 64-bit debug build on Mac OS X 10.6 (Intel).

Assertion failed: !s0->isQuad() && !s1->isQuad() (.../js/src/nanojit/LIR.cpp:2475)
[shortened full path to "..."]
OS: Linux → All

Created attachment 421879
fix
Attachment #421879 - Flags: review?(dmandelin)

Comment on attachment 421879
fix

Can you also add a reduced shell test case to trace-tests/tests/arguments? r+ with that.
Attachment #421879 - Flags: review?(dmandelin) → review+

Comment 4

8 years ago
That patch fixes the 64-bit debug build on Mac OS X 10.6.
http://hg.mozilla.org/tracemonkey/rev/30eb740d71d2

This was actually the cause behind a bunch of trace-tests failures (anything using arguments.length), so it should have adequate coverage already.
Merged to m-c early because of complaints on IRC.

http://hg.mozilla.org/mozilla-central/rev/925d39fa7d16
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

So is this a dup of Bug 540404?
And is there something to fix on 1.9.2 branch?

64-bit JIT isn't supported on 1.9.2, so it's not an issue for that branch.

Duplicate of this bug: 540404