Closed Bug 606829 Opened 14 years ago Closed 14 years ago

Assertion failure: !isConstant && !u.s.isTypeKnown in js/src/methodjit/RematInfo.h:70

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
normal

Tracking

RESOLVED FIXED
Tracking Status
blocking2.0 --- beta7+

People

(Reporter: bc, Assigned: billm)

References

Details

(Keywords: assertion, Whiteboard: [jmcrash], fixed-in-tracemonkey)

Attachments

(1 file)

1. http://phandroid.com/2010/10/10/android-market-gets-a-hot-update-to-add-froyos-once-exclusive-features/
2. Assertion failure: !isConstant && !u.s.isTypeKnown, at /work/mozilla/builds/2.0.0/mozilla/js/src/methodjit/RematInfo.h:70

mac, winxp/win7

Operating system: Mac OS X
                  10.5.8 9L34
CPU: x86
     GenuineIntel family 6 model 26 stepping 5
     1 CPU

Crash reason:  EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash address: 0x0

Thread 0 (crashed)
 0  XUL!JS_Assert [jsutil.cpp : 80 + 0x5]
    eip = 0x0638e7ab   esp = 0xbfff6160   ebp = 0xbfff6188   ebx = 0x0638e762
    esi = 0x00000012   edi = 0x176a16c0   eax = 0x00000000   ecx = 0x00000000
    edx = 0x00000000   efl = 0x00010246
    Found by: given as instruction pointer in context
 1  XUL!ValueRemat::typeReg [RematInfo.h : 70 + 0x3c]
    eip = 0x0646fd8a   esp = 0xbfff6190   ebp = 0xbfff61a8   ebx = 0x0646fd4c
    esi = 0x00000012   edi = 0x176a16c0
    Found by: call frame info
 2  XUL!js::mjit::Compiler::jsop_equality_int_string [FastArithmetic.cpp : 1055 + 0xa]
    eip = 0x06459202   esp = 0xbfff61b0   ebp = 0xbfff62f8   ebx = 0x06458c30
    esi = 0x00000012   edi = 0x176a16c0
    Found by: call frame info
 3  XUL!js::mjit::Compiler::jsop_relational [FastOps.cpp : 741 + 0x26]
    eip = 0x06466ce3   esp = 0xbfff6300   ebp = 0xbfff6348   ebx = 0x064669e6
    esi = 0x00000012   edi = 0x176a16c0
    Found by: call frame info
 4  XUL!js::mjit::Compiler::generateMethod [Compiler.cpp : 894 + 0x32]
    eip = 0x06442893   esp = 0xbfff6350   ebp = 0xbfff66d8   ebx = 0x064418e9
    esi = 0x00000012   edi = 0x176a16c0
    Found by: call frame info
 5  XUL!js::mjit::Compiler::performCompilation [Compiler.cpp : 195 + 0xa]
    eip = 0x06448b3b   esp = 0xbfff66e0   ebp = 0xbfff6748   ebx = 0x064488f7
    esi = 0x16c4c8e8   edi = 0x176a16c0
    Found by: call frame info
 6  XUL!js::mjit::Compiler::compile [Compiler.cpp : 130 + 0x11]
    eip = 0x06448d20   esp = 0xbfff6750   ebp = 0xbfff6788   ebx = 0x06448c12
    esi = 0x0000000c   edi = 0x176a16c0
    Found by: call frame info
 7  XUL!js::mjit::TryCompile [Compiler.cpp : 228 + 0xd]
    eip = 0x06449142   esp = 0xbfff6790   ebp = 0xbfff9678   ebx = 0x06449090
    esi = 0x0000000c   edi = 0x176a16c0
    Found by: call frame info
 8  XUL!UncachedInlineCall [InvokeHelpers.cpp : 386 + 0x11]
    eip = 0x064844d6   esp = 0xbfff9680   ebp = 0xbfff9708   ebx = 0x0648428f
    esi = 0x0000000c   edi = 0x176a16c0
    Found by: call frame info
 9  XUL!js::mjit::stubs::UncachedCallHelper [InvokeHelpers.cpp : 463 + 0x18]
    eip = 0x06484687   esp = 0xbfff9710   ebp = 0xbfff9738   ebx = 0x06484590
    esi = 0x0000c000   edi = 0x176a16c0
    Found by: call frame info
10  XUL!CallCompiler::update [MonoIC.cpp : 787 + 0x25]
    eip = 0x0647365c   esp = 0xbfff9740   ebp = 0xbfff97a8   ebx = 0x06473602
    esi = 0x0000c000   edi = 0x176a16c0
    Found by: call frame info
11  XUL!js::mjit::ic::Call [MonoIC.cpp : 845 + 0xa]
    eip = 0x0646ed14   esp = 0xbfff97b0   ebp = 0xbfff97f8   ebx = 0x01000078
    esi = 0x0000c000   edi = 0x176a16c0
    Found by: call frame info
12  0x16606524
    eip = 0x16606525   esp = 0xbfff9800   ebp = 0xbfff9838   ebx = 0x01000078
    esi = 0x0000c000   edi = 0x176a16c0
    Found by: call frame info
13  XUL!js::mjit::EnterMethodJIT [MethodJIT.cpp : 742 + 0x1f]
    eip = 0x06426a31   esp = 0xbfff9840   ebp = 0xbfff9888
    Found by: previous frame's frame pointer
14  XUL!CheckStackAndEnterMethodJIT [MethodJIT.cpp : 767 + 0x1f]
    eip = 0x06426b48   esp = 0xbfff9890   ebp = 0xbfff98c8   ebx = 0x06426bbb
    esi = 0x1660575c
    Found by: call frame info
15  XUL!js::mjit::JaegerShot [MethodJIT.cpp : 784 + 0x1c]
    eip = 0x06426c70   esp = 0xbfff98d0   ebp = 0xbfff98f8   ebx = 0x06426bbb
    esi = 0x1660575c
    Found by: call frame info
16  XUL!js::RunScript [jsinterp.cpp : 634 + 0xa]
    eip = 0x062c9a5a   esp = 0xbfff9900   ebp = 0xbfff9938   ebx = 0x062c9984
    esi = 0x00000000
    Found by: call frame info
Whiteboard: [jmcrash]
Here's a reduced testcase. I'll fix this now.

function f(x)
{
    // constant string on the lhs, int-typed expression on the rhs
    if ("hi" == (x & 3)) {
        return 1;
    }
}
f(12);
Status: NEW → ASSIGNED
Attached patch fix
This patch guarantees that the call to lvr.typeReg() will not occur if lhs has a known type. The if condition is logically equivalent to:
  (lhs->isTypeKnown() ==> lhsInt) && (rhs->isTypeKnown() ==> rhsInt)
Taking the contrapositive:
  (!lhsInt ==> !lhs->isTypeKnown()) && (!rhsInt ==> !rhs->isTypeKnown())
Since each type test is guarded by !lhsInt or !rhsInt, this is exactly what we need.
Attachment #485820 - Flags: review?(dvander)
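The implication/contrapositive argument in the patch comment can be checked exhaustively. The following is an added stand-alone model, not SpiderMonkey's methodjit code or the attached patch: Entry, typeReg(), fastPathAllowed() and emitFastPath() are hypothetical names, and the guard is written directly from the condition the comment states, (lhs known ==> lhsInt) && (rhs known ==> rhsInt). typeReg() throws where the real RematInfo.h:70 assertion would fire, so enumerating every (constant, known type) shape on both sides shows that the guarded type tests never reach it, and that the reduced testcase's shape (constant string vs. known int) is rejected by the guard.

```cpp
// Added example: a stand-alone model of the guard argued for in the patch
// comment above. It is NOT SpiderMonkey's methodjit code; Entry, typeReg(),
// fastPathAllowed() and emitFastPath() are hypothetical names used to check
// the implication/contrapositive reasoning exhaustively.
#include <cassert>
#include <cstdio>
#include <stdexcept>

enum Type { INT32, STRING, DOUBLE, UNKNOWN };

struct Entry {
    bool constant;   // compile-time constant (its type is then always known)
    Type known;      // UNKNOWN: type not statically known, lives in a type reg

    bool isConstant() const { return constant; }
    bool isTypeKnown() const { return known != UNKNOWN; }
    Type getKnownType() const { return known; }

    // Models the assertion at RematInfo.h:70: a type register only exists for
    // an entry whose type is neither constant nor statically known. Throwing
    // here stands in for the debug assertion firing.
    int typeReg() const {
        if (constant || known != UNKNOWN)
            throw std::logic_error("typeReg() called on an entry with a known type");
        return 0;   // the register number is irrelevant for the model
    }
};

static bool isKnownInt(const Entry& e) {
    return e.isTypeKnown() && e.getKnownType() == INT32;
}

// The condition from the comment: (lhs known ==> lhsInt) && (rhs known ==> rhsInt).
// An implication A ==> B is written as (!A || B).
static bool fastPathAllowed(const Entry& lhs, const Entry& rhs) {
    bool lhsInt = isKnownInt(lhs);
    bool rhsInt = isKnownInt(rhs);
    return (!lhs.isTypeKnown() || lhsInt) && (!rhs.isTypeKnown() || rhsInt);
}

// Models the code path: once the guard passes, each side that is not a known
// int gets a runtime type test, which needs that side's type register.
// Returns true if the fast path was taken, false if the guard rejected the
// pair; throws if the modelled assertion would fire.
static bool emitFastPath(const Entry& lhs, const Entry& rhs) {
    if (!fastPathAllowed(lhs, rhs))
        return false;
    if (!isKnownInt(lhs))
        lhs.typeReg();   // by the contrapositive, lhs.isTypeKnown() is false here
    if (!isKnownInt(rhs))
        rhs.typeReg();   // likewise for rhs
    return true;
}

// Enumerates every (constant, type) shape on both sides and returns how many
// of the 49 pairs take the fast path. Constants are only enumerated with a
// known type, since a constant's type is always known.
static int countFastPathPairs() {
    static const Entry shapes[] = {
        {false, INT32}, {false, STRING}, {false, DOUBLE}, {false, UNKNOWN},
        {true, INT32},  {true, STRING},  {true, DOUBLE},
    };
    int taken = 0;
    for (const Entry& l : shapes)
        for (const Entry& r : shapes)
            if (emitFastPath(l, r))   // never throws if the guard is right
                ++taken;
    return taken;
}

int main() {
    // Shape of the reduced testcase: constant string on the left, int on the right.
    Entry hi = {true, STRING};
    Entry xAnd3 = {false, INT32};
    std::printf("\"hi\" == (x & 3) fast path allowed: %s\n",
                fastPathAllowed(hi, xAnd3) ? "yes" : "no");
    std::printf("pairs taking the fast path: %d of 49\n", countFastPathPairs());
    return 0;
}
```

Nine pairs pass the guard: on each side the entry is either of unknown type (so its type register exists) or a known int (so no type test is emitted), which is exactly the invariant the comment derives from the contrapositive. Any other shape, including the testcase's constant string, is sent to the slow path rather than to typeReg().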
Apparently this crash causes Gmail failures. A debug stack is attached for bug 607239.
Comment on attachment 485820
fix

Stealing with permission of dvander.
Attachment #485820 - Flags: review?(dvander) → review+
http://hg.mozilla.org/tracemonkey/rev/beb157e79468

Pushed on request from Brendan. Fixed a related, nearby issue in a quick way.
Whiteboard: [jmcrash] → [jmcrash], fixed-in-tracemonkey
sstangl id'ed this as a cause of my woe. Isn't this a JaegerShot topcrash in release builds? If so, is it a topcrash? It sure is for me! :-(

/be
Assignee: general → wmccloskey
blocking2.0: --- → ?
Sounds like it could cause any method JIT crash on trunk since the 18th.
blocking2.0: ? → beta7+
The only bug I see with the test URL in comment zero has this signature on Windows:

KERNELBASE.dll@0xb727	http://phandroid.com/2010/10/10/android-market-gets-a-hot-update-to-add-froyos-once-exclusive-features/	http://crash-stats.mozilla.com/report/index/5d2e3265-3780-45b7-9bc8-5830d2101011

That signature has just a few crashes per day and ranks around #150.

Are there other signatures to look for?

If this is in tracemonkey it may be going to trunk soon, so it would make it to b7 too.
See comment #9; the crash in comment #0 is only a debug-mode assertion. Also, I don't think the regressing patch landed on beta 7.
http://hg.mozilla.org/mozilla-central/rev/beb157e79468
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED