Closed Bug 609393 Opened 14 years ago Closed 13 years ago

resourceConsistencyCheck x87 stack assert can fire

Categories

(Tamarin Graveyard :: Virtual Machine, defect, P3)

Product:
Tamarin Graveyard
Component:
Virtual Machine
Platform:
x86
All
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
Q4 11 - Anza

People

(Reporter: stejohns, Assigned: wmaddox)

Details

(Whiteboard: WE:2801964,assertion-failure,fixed-in-nanojit,fixed-in-tamarin,fixed-in-tracemonkey)

Attachments

(1 file, 3 obsolete files)

ver 2 - final patch which includes whitespace cleanup
5.93 KB, patch
Details | Diff | Splinter Review 
Steps:
-- use tamarin-redux in a Flash Win32 Standalone Debug non-Debugger build
-- open http://help.adobe.com/en_US/flex/using/movies/SparkTextAreaControl.swf
-- get an assert, fpuStckChk == -2 while jitting flashx.textLayout.property::NumberOrPercentProperty/computeActualPropertyValue
Note that I inserted extra output for FPU_PSH and FPU_POP to show where push/pop occurs.
Observation: we always do fpu_push/fpu_pop around CALL() if the return type is "d", but this is really only correct if the calling convention returns in FST0; in at least one case here we are getting the return in xmm0, which shouldn't trigger the push/pop. (Not sure if this is causing the assert.)
Michelle is seeing the following fire:

NanoAssert((_allocator.active[FST0] && _fpuStkDepth == -1) ||
                   (!_allocator.active[FST0] && _fpuStkDepth == 0));
 
NanoAssertMsgf(_fpuStkDepth == 0,"_fpuStkDepth %d\n",_fpuStkDepth);
 

 against;  http://www.google.com/finance?q=NYSE:RIG
Targeting for Serrano.   Fixing failing assertions is a priority so we can enable assertions during all Player testing.
Depends on: Andre
Flags: flashplayer-qrb?
Flags: flashplayer-injection-
Flags: flashplayer-bug+
Priority: -- → P3
Whiteboard: WE:2801964, assertion-failure
Target Milestone: --- → Q3 11 - Serrano
Assignee: nobody → rreitmai
Flags: flashplayer-qrb? → flashplayer-qrb+
Target Milestone: Q3 11 - Serrano → Q4 11 - Anza
Assignee: rreitmai → wmaddox
Attached patch disable assert on sse2 machines (obsolete) — Splinter Review 
We believe the assert is firing due to bad accounting and that there is not an issue with the underlying code that the assert is attempting to protect.

This is not a given, so it probably doesn't make sense to completely defeat the assert.

So instead this patch restricts it to fire only on architectures where we are actually generating non-sse2 (i.e. fpu) instructions, then at least we're clearing out some of the false-positive noise.
Attachment #533429 - Flags: review?(wmaddox)
Comment on attachment 533429 [details] [diff] [review]
disable assert on sse2 machines

Review of attachment 533429 [details] [diff] [review]:
-----------------------------------------------------------------

This looks good to me.  It is unlikely that any routine engineering or testing is being done on non-sse2 capable machines anymore.
Note that it would be wise to continue avmshell testing with the assertion in place, which can be done with the -nosse flag on the
avmshell command line.  Are we testing a -nosse configuration in our automated testing?
Attachment #533429 - Flags: review?(wmaddox) → review+
Note that we don't need old hardware to test this code, you just have to turn off sse2 support.  plus, sse2-capable x86-32 machines still use FST(0) for return values, and so this logic should be fixed asap.
Attached patch ver1 (obsolete) — Splinter Review 
Analysis showed that the assert in resourceConsistencyCheck() was firing due to the code not resetting fpuStkDepth in the case of LIR_ret (see asm_jmp for a similar treatment).
Assignee: wmaddox → rreitmai
Attachment #488011 - Attachment is obsolete: true
Attachment #533429 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #534132 - Flags: review?(wmaddox)
Comment on attachment 534132 [details] [diff] [review]
ver1

Review of attachment 534132 [details] [diff] [review]:
-----------------------------------------------------------------

The substance of the fix is treating the unreachability of the code following a return in the same way as code following an unconditional branch, which is clearly needed and uncontroversial.  It's also nice to see some more platform-specific code migrate out of Assembler.cpp, with another #ifdef biting the dust.
Attachment #534132 - Flags: review?(wmaddox) → review+
what actually landed for posterity.
Attachment #534132 - Attachment is obsolete: true
rreitmai http://hg.mozilla.org/projects/nanojit-central/rev/87a15611dc19
Whiteboard: WE:2801964, assertion-failure → WE:2801964,assertion-failure,fixed-in-nanojit
changeset: 6333:2fec52cc4356
user:      Rick Reitmaier <rreitmai@adobe.com>
summary:   Bug 609393 - resourceConsistencyCheck x87 stack assert can fire (r+wmaddox)

http://hg.mozilla.org/tamarin-redux/rev/2fec52cc4356
Whiteboard: WE:2801964,assertion-failure,fixed-in-nanojit → WE:2801964,assertion-failure,fixed-in-nanojit,fixed-in-tamarin
Bill, can we close this bug? Removing Andre blocker.
Assignee: rreitmai → wmaddox
No longer depends on: Andre
The issue is resolved for Tamarin.  We keep nanojit bugs open until Mozilla has confirmed that fix has made it into Tracemonkey.  I've added Nick to the CC list.
Oh, I must have missed marking this one:

http://hg.mozilla.org/tracemonkey/rev/a163ff4b8bf1
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: WE:2801964,assertion-failure,fixed-in-nanojit,fixed-in-tamarin → WE:2801964,assertion-failure,fixed-in-nanojit,fixed-in-tamarin,fixed-in-tracemonkey
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: