Closed Bug 706896 Opened 13 years ago Closed 13 years ago

IM+TI+Greedy: Assertion failure: [infer failure] Missing type pushed 0: float, at jsinfer.cpp:348

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
normal


RESOLVED DUPLICATE of bug 711763

People

(Reporter: nbp, Unassigned)

Details

command: js --ion -n --ion-regalloc=greedy --ion-inlining=off ./jit-test/tests/ion/inlining/inline-callarg-bailout.js
output:

----------
2000
98
Missing type at #3:00000 pushed 0: float
Function #2 ./jit-test/tests/ion/inlining/inline-callarg-bailout.js (line 1):
locals:
    return: int
    this: void
    arg0: int
    arg1: int
#2:00000:   2  getarg 0
  type 0: int
#2:00003:   2  getarg 1
  type 0: int
#2:00006:   2  add
  type 0: int
#2:00007:   2  return

Function #3 ./jit-test/tests/ion/inlining/inline-callarg-bailout.js (line 5):
locals:
    return: int
    this: void
    arg0: object[1] <0x7fa800c14400>
    arg1: int float
    arg2: int float
#3:00000:   6  callarg 0
  type 0: object[1] <0x7fa800c14400>
  type 1: void
#3:00003:   6  getarg 1
  type 0: int float
#3:00006:   6  notearg
#3:00007:   6  getarg 2
  type 0: int float
#3:00010:   6  notearg
#3:00011:   6  call 2
  typeset 0: int
  type 0: int
  barrier: float float
#3:00014:   6  return

[0x7fa800c03040] : <0x7fa800c02088> unknown {}
[0x7fa800c03080] : <0x7fa800c04080> unknown {}
<0x7fa800c04080> : <0x7fa800c02088> {}
<0x7fa800c00060> : <0x7fa800c02088> {}
<0x7fa800c02088> : (null) {}
[0x7fa800c03180] : <0x7fa800c07098> {}
[0x7fa800c031c0] : <0x7fa800c09028> {}
[0x7fa800c03200] : <0x7fa800c0b030> {}
[0x7fa800c03240] : <0x7fa800c0b088> {}
[0x7fa800c03280] : <0x7fa800c02118> {}
[0x7fa800c032c0] : <0x7fa800c021f0> unknown {}
Counts: 8/0/0/0 (0 over)
Recompilations: 0
Assertion failure: [infer failure] Missing type pushed 0: float, at /home/nicolas/mozilla/ionmonkey/js/src/jsinfer.cpp:348
----------

The test assertion is failing with an unexpected (uninitialized) result when the inlining is enabled:

command: js --ion -n --ion-gvn=off --ion-regalloc=greedy ./jit-test/tests/ion/inlining/inline-callarg-bailout.js
output:

----------
2000
98
./jit-test/tests/ion/inlining/inline-callarg-bailout.js:26: Error: Assertion failed: got 6.94017282158144e-310, expected 4294967296
----------

While fixing the GETPROP bug (Bug 701958), I hit a similar issue involving TI+Greedy.
The test that I used to reproduce is:

function f(v)
{
    // Both reads of v.x and the read of v.y go through the typeset TI records for "v".
    return v.x + v.x + v.y;
}

// 41 is enough to trigger the compilation at the last cycle.
for (var i = 41; i; i--)
    print(f({ x: i, y: i + 1 }));

// Call from outside the loop; this is the call that hits the argument check and bails out.
print(f({ x: 1, y: 2 }));


This test case causes TI to identify only one typeset for the "v" argument of the function f.  This typeset is then hard-coded in the generateArgumentsChecks function (guardTypeSet), which uses graph.entrySnapshot …

[Snapshots] Encoding LSnapshot 0xc338e8 (frameCount 1)
[Snapshots] starting snapshot with frameCount 1, bailout kind 1
[Snapshots] Starting frame; formals 2, fixed 0, exprs 0
[Snapshots] Writing pc offset 0, nslots 2
[Snapshots]     slot 0: value (stack 56)
[Snapshots]     slot 1: value (reg r14)
[Snapshots] ending snapshot total size: 15 bytes (start 0)

… to bail out.  This snapshot should only contain stack slots to map the arguments of the function.  The current snapshot filled by the Greedy allocator is likely to correspond to the snapshot of the start instruction.  By looking at the assembler:

   …
   0x7ffff7f43354:      add    $0x20,%rsp
   ; end of generateArgumentsChecks
   0x7ffff7f43358:      sub    $0x20,%rsp
   ; movegroup [arg:8 -> =r14]
   0x7ffff7f4335c:      mov    0x40(%rsp),%r14
   ; visitStart (no assembly produced)
   0x7ffff7f43361:      mov    %r14,%r11
   0x7ffff7f43364:      shr    $0x2f,%r11

The bug shows up because the call which is not inside the loop has a different typeset, which causes a bailout with the previous snapshot.  The bad result is then obtained by reading the r14 register.

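As an added example (not the jit-test file named in this bug, nor code from the reporter or the project), a script in the shape the comments above describe: a callee is warmed up through a forwarding call site with int32 arguments so TI records a narrow typeset, then it is called from outside the loop with arguments that fall outside that typeset, which is the "type change (integer overflow)" way of forcing a bailout. The function names, the warm-up count and the 2^31 operands are constructed for this example; a correctly bailing engine returns the double 4294967296, not a stale register value like the 6.94e-310 reported above.

```javascript
// Constructed test in the shape of inline-callarg-bailout.js (names and values
// are assumptions, not the contents of that file).
"use strict";

// Callee whose observed result type is int32 during warm-up.
function add(a, b) {
  return a + b;
}

// Caller that forwards its arguments ("callarg" pattern), so the callee's
// argument typesets are observed through this call site.
function callAdd(f, x, y) {
  return f(x, y);
}

// Warm-up iterations: constructed count, high enough to make the loop hot for
// a JIT that compiles hot loops, harmless under a plain interpreter.
const WARMUP = 2000;

// Every iteration adds two int32 values and produces an int32 (always 98),
// so TI only ever sees {int} for both arguments and the result.
function warmUp() {
  let last = 0;
  for (let i = 0; i < WARMUP; i++) {
    last = callAdd(add, i, 98 - i);
  }
  return last; // 98
}

// 2^31 does not fit in a signed int32, so each argument already fails an
// {int} argument guard on entry, and the sum 2^32 is a double result: this is
// the call outside the loop whose typeset differs from the compiled one.
function triggerOverflow() {
  return callAdd(add, 2147483648, 2147483648); // 4294967296
}

// Returns both results and whether the post-bailout value is the correct
// double rather than garbage read from an unrelated register or stack slot.
function run() {
  const warm = warmUp();
  const after = triggerOverflow();
  const ok = warm === 98 && after === 4294967296 && Number.isFinite(after);
  return { warm, after, ok };
}

console.log(JSON.stringify(run()));
```

Under the shell flags used in this bug (`js --ion -n --ion-regalloc=greedy`), a faulty snapshot would show up as `after` being a value unrelated to the arguments; under any correct engine `run().ok` is true.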
(In reply to David Anderson [:dvander] from comment #1)
> Chris, could this be bug 706986?

Yes. I use a type change (integer overflow) to force a bailout but it didn't actually cause reflow before that bug landed.
Although that command line is doing something funky for me -- somehow trying to reflow info on a NULL typeset? Will have to check that out later.

(gdb) bt
#0  0x0805d242 in js::HeapPtr<js::types::TypeObject, unsigned int>::operator-> (this=0x4) at /moz/ion-virgin/objdir-js-dbg32/../js/src/gc/Barrier.h:226
#1  0x0805a50e in JSObject::hasSingletonType (this=0x0) at /moz/ion-virgin/objdir-js-dbg32/../js/src/jsobj.h:801
#2  0x0809eadd in js::types::Type::ObjectType (obj=0x0) at /moz/ion-virgin/objdir-js-dbg32/../js/src/jsinferinlines.h:65
#3  0x0809eb9d in js::types::GetValueType (cx=0x86266a0, val=...) at /moz/ion-virgin/objdir-js-dbg32/../js/src/jsinferinlines.h:91
#4  0x080e2e4c in js::types::TypeScript::SetArgument (cx=0x86266a0, script=0xf74061c0, arg=0, value=...) at /moz/ion-virgin/objdir-js-dbg32/../js/src/jsinferinlines.h:689
#5  0x08411bc6 in ReflowArgTypes (cx=0x86266a0) at /moz/ion-virgin/js/src/ion/Bailouts.cpp:314
#6  0x08411c58 in js::ion::ReflowTypeInfo (bailoutResult=2) at /moz/ion-virgin/js/src/ion/Bailouts.cpp:325
#7  0xf73cc27a in ?? ()

These are all due to greedy register allocator bugs, which will be fixed in bug 711763.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE