Closed
Bug 579348
Opened 14 years ago
Closed 14 years ago
"Assertion failure: "Constantly false branch detected""
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | beta5+ |
People
(Reporter: gkw, Assigned: n.nethercote)
References
Details
(Keywords: assertion, regression, testcase)
for(a in[0,0,0]) {
([])[-1]
}
asserts js debug shell on TM tip with -j at Assertion failure: "Constantly false branch detected": 0 (../nanojit/LIR.cpp:1070)
Program received signal SIGABRT, Aborted.
0xf7fdf430 in __kernel_vsyscall ()
(gdb) bt
#0 0xf7fdf430 in __kernel_vsyscall ()
#1 0xf7fb7610 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2 0x081fae0a in avmplus::AvmAssertFail () at ../nanojit/avmplus.cpp:78
#3 0x081f1125 in nanojit::ExprFilter::insBranch (this=0x82c62a4, v=nanojit::LIR_jf, c=0x82c3170, t=0x0) at ../nanojit/LIR.cpp:1070
#4 0x08146f59 in nanojit::LirWriter::insBranch (this=0x82c62ac, v=nanojit::LIR_jf, condition=0x82c3170, to=0x0) at ../nanojit/LIR.h:1492
#5 0x081f7558 in nanojit::ValidateWriter::insBranch (this=0x82c62b4, op=nanojit::LIR_jf, cond=0x82c3170, to=0x0) at ../nanojit/LIR.cpp:3291
#6 0x081c92a6 in js::TraceRecorder::denseArrayElement (this=0x82c26f8, oval=..., ival=..., vp=@0xffffc4a0, v_ins=@0xffffc4dc, addr_ins=@0xffffc4a4) at ../jstracer.cpp:13661
#7 0x081c4bc8 in js::TraceRecorder::record_JSOP_GETELEM (this=0x82c26f8) at ../jstracer.cpp:12537
#8 0x081b0ed7 in js::TraceRecorder::monitorRecording (this=0x82c26f8, op=JSOP_GETELEM) at ../jsopcode.tbl:176
#9 0x0820cb17 in js::Interpret (cx=0x82bb680) at ../jsinterp.cpp:2462
#10 0x080d5347 in js::Execute (cx=0x82bb680, chain=0xf7501000, script=0x82c3078, down=0x0, flags=0, result=0xffffd200) at ../jsinterp.cpp:880
#11 0x0806f68c in JS_ExecuteScript (cx=0x82bb680, obj=0xf7501000, script=0x82c3078, rval=0xffffd200) at ../jsapi.cpp:4639
#12 0x0804c0db in Process (cx=0x82bb680, obj=0xf7501000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:532
#13 0x0804cc45 in ProcessArgs (cx=0x82bb680, obj=0xf7501000, argv=0xffffd408, argc=1) at ../../shell/js.cpp:853
#14 0x080552ad in shell (cx=0x82bb680, argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5029
#15 0x080553c9 in main (argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5116
|
Reporter | |
Comment 1•14 years ago
|
||
(This changeset caused the assert regardless of message to occur) autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 43266:42fc5e98b20e user: Steven Johnson date: Thu Jun 03 10:35:26 2010 -0700 summary: Bug 527512 - ExprFilter missing trivial optimizations for ugt, ult (r=edwsmith,nnethercote) http://hg.mozilla.org/tracemonkey/rev/411debd27bf1 (or bug 578290) turned the assert into "false branch" instead of "false guard".
|
|
Assignee | |
Comment 2•14 years ago
|
||
(In reply to comment #1) > > autoBisect shows this is probably related to the following changeset: > > The first bad revision is: > changeset: 43266:42fc5e98b20e > user: Steven Johnson > date: Thu Jun 03 10:35:26 2010 -0700 > summary: Bug 527512 - ExprFilter missing trivial optimizations for ugt, ult > (r=edwsmith,nnethercote) Note that this change isn't the problem, it just exposed an underlying problem by increasing the amount of constant folding going on. The real problem is in jstracer.cpp somewhere.
|
||
Updated•14 years ago
|
Assignee: general → nnethercote
blocking2.0: ? → beta5+
|
|
Assignee | |
Comment 3•14 years ago
|
||
Nb: bug 570663 is probably a dup of this, I'll confirm once I fix it.
|
|
Assignee | |
Comment 4•14 years ago
|
||
(In reply to comment #3) > Nb: bug 570663 is probably a dup of this, I'll confirm once I fix it. Hmm, it's probably not a dup. Gary, I can't reproduce this on 32-bit or 64-bit Mac. Does it still happen for you? I suspect not, there are no longer any calls to insBranch() in denseArrayElement(). Gal's been changing stuff in there recently, simplifying things; bug 580846 was one but there have been several others after that. If you can still reproduce it, can you post a backtrace and the revision number?
|
|
Reporter | |
Comment 5•14 years ago
|
||
(In reply to comment #4) > Gary, I can't reproduce this on 32-bit or 64-bit Mac. Does it still happen for > you? I suspect not, there are no longer any calls to insBranch() in > denseArrayElement(). Gal's been changing stuff in there recently, simplifying > things; bug 580846 was one but there have been several others after that. You're right, it's now indeed fixed by bug 580846. autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 48011:219fa035af88 user: Andreas Gal date: Thu Jul 22 18:45:21 2010 -0700 summary: Remove hole count from dense arrays (580846, r=njn).
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Comment 6•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•