Closed Bug 543161 Opened 15 years ago Closed 15 years ago

TM: "Assertion failed: LIR structure error (end of writer pipeline): argument 1 of 'ov' is 'add' (expected located immediately prior, but isn't): 0 (../nanojit/LIR.cpp"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, Whiteboard: fixed-in-tracemonkey) 

Assertion failed: 

  LIR structure error (end of writer pipeline):
    in instruction with opcode: ov
    argument 1 has opcode: add
    it should be: located immediately prior, but isn't
  One way to debug this:  change the failing NanoAssertMsgf(0, ...) call to a
  printf(...) call and rerun with verbose output.  If you're lucky, this error
  message will appear before the block containing the erroneous instruction.

: 0 (../nanojit/LIR.cpp:2339)


I get this multi-line assertion occasionally in jsfunfuzz but have been unable to get a reproducible testcase. This did not used to happen in previous TM revisions.

http://hg.mozilla.org/tracemonkey/file/3c3b005de959/js/src/nanojit/LIR.cpp#l2339
This isn't as bad as it first seems.

1. The bad news is that this problem has probably been around for a while.  LIR structure checking was recently added (bug 463137).  It didn't introduce the problem, it just gave us a way to identify it.  Furthermore, without a test case it's unclear what the effect will be;  it could be a correctness bug and/or a performance bug.  'ov' is an overflow check and it must immediately follow an add/sub/mul/neg, otherwise the generated code ends up checking the condition codes when they are in an unknown state, which probably leads to a guard exiting/not exiting more-or-less randomly.  This ov-must-immediately-follow-an-arith-op constraint is really nasty and error-prone (see bug 538484 for a similar case).

2. The good news is that 'ov' is slated for removal precisely because it is so error-prone (bug 539874).  It's going to be replaced with some less error-prone opcodes.  With that change this bug will go away.
Depends on: 539874
Summary: TM: LIR structure error assertion → TM: "Assertion failed: LIR structure error (end of writer pipeline): argument 1 of 'ov' is 'add' (expected located immediately prior, but isn't): 0 (../nanojit/LIR.cpp"
Bug 539874 (which makes this bug go away) is now marked fixed-in-tracemonkey.
Whiteboard: fixed-in-tracemonkey
Bug 539874 is now RESOLVED FIXED, so this bug is too.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.