Closed Bug 543161 Opened 15 years ago Closed 15 years ago

TM: "Assertion failed: LIR structure error (end of writer pipeline): argument 1 of 'ov' is 'add' (expected located immediately prior, but isn't): 0 (../nanojit/LIR.cpp"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, Whiteboard: fixed-in-tracemonkey)

Assertion failed: LIR structure error (end of writer pipeline): in instruction with opcode: ov argument 1 has opcode: add it should be: located immediately prior, but isn't One way to debug this: change the failing NanoAssertMsgf(0, ...) call to a printf(...) call and rerun with verbose output. If you're lucky, this error message will appear before the block containing the erroneous instruction. : 0 (../nanojit/LIR.cpp:2339) I get this multi-line assertion occasionally in jsfunfuzz but have been unable to get a reproducible testcase. This did not used to happen in previous TM revisions. http://hg.mozilla.org/tracemonkey/file/3c3b005de959/js/src/nanojit/LIR.cpp#l2339
This isn't as bad as it first seems. 1. The bad news is that this problem has probably been around for a while. LIR structure checking was recently added (bug 463137). It didn't introduce the problem, it just gave us a way to identify it. Furthermore, without a test case it's unclear what the effect will be; it could be a correctness bug and/or a performance bug. 'ov' is an overflow check and it must immediately follow an add/sub/mul/neg, otherwise the generated code ends up checking the condition codes when they are in an unknown state, which probably leads to a guard exiting/not exiting more-or-less randomly. This ov-must-immediately-follow-an-arith-op constraint is really nasty and error-prone (see bug 538484 for a similar case). 2. The good news is that 'ov' is slated for removal precisely because it is so error-prone (bug 539874). It's going to be replaced with some less error-prone opcodes. With that change this bug will go away.
Depends on: 539874
Summary: TM: LIR structure error assertion → TM: "Assertion failed: LIR structure error (end of writer pipeline): argument 1 of 'ov' is 'add' (expected located immediately prior, but isn't): 0 (../nanojit/LIR.cpp"
Bug 539874 (which makes this bug go away) is now marked fixed-in-tracemonkey.
Whiteboard: fixed-in-tracemonkey
Bug 539874 is now RESOLVED FIXED, so this bug is too.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.