Closed Bug 706896 Opened 13 years ago Closed 13 years ago

IM+TI+Greedy: Assertion failure: [infer failure] Missing type pushed 0: float, at jsinfer.cpp:348

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 711763

People

(Reporter: nbp, Unassigned)

References

Details

command: js --ion -n --ion-regalloc=greedy --ion-inlining=off ./jit-test/tests/ion/inlining/inline-callarg-bailout.js output: ---------- 2000 98 Missing type at #3:00000 pushed 0: float Function #2 ./jit-test/tests/ion/inlining/inline-callarg-bailout.js (line 1): locals: return: int this: void arg0: int arg1: int #2:00000: 2 getarg 0 type 0: int #2:00003: 2 getarg 1 type 0: int #2:00006: 2 add type 0: int #2:00007: 2 return Function #3 ./jit-test/tests/ion/inlining/inline-callarg-bailout.js (line 5): locals: return: int this: void arg0: object[1] <0x7fa800c14400> arg1: int float arg2: int float #3:00000: 6 callarg 0 type 0: object[1] <0x7fa800c14400> type 1: void #3:00003: 6 getarg 1 type 0: int float #3:00006: 6 notearg #3:00007: 6 getarg 2 type 0: int float #3:00010: 6 notearg #3:00011: 6 call 2 typeset 0: int type 0: int barrier: float float #3:00014: 6 return [0x7fa800c03040] : <0x7fa800c02088> unknown {} [0x7fa800c03080] : <0x7fa800c04080> unknown {} <0x7fa800c04080> : <0x7fa800c02088> {} <0x7fa800c00060> : <0x7fa800c02088> {} <0x7fa800c02088> : (null) {} [0x7fa800c03180] : <0x7fa800c07098> {} [0x7fa800c031c0] : <0x7fa800c09028> {} [0x7fa800c03200] : <0x7fa800c0b030> {} [0x7fa800c03240] : <0x7fa800c0b088> {} [0x7fa800c03280] : <0x7fa800c02118> {} [0x7fa800c032c0] : <0x7fa800c021f0> unknown {} Counts: 8/0/0/0 (0 over) Recompilations: 0 Assertion failure: [infer failure] Missing type pushed 0: float, at /home/nicolas/mozilla/ionmonkey/js/src/jsinfer.cpp:348 ---------- The test assertion is failing with an unexpected (uninitialized) result when the inlining is enabled: command: js --ion -n --ion-gvn=off --ion-regalloc=greedy ./jit-test/tests/ion/inlining/inline-callarg-bailout.js output: ---------- 2000 98 ./jit-test/tests/ion/inlining/inline-callarg-bailout.js:26: Error: Assertion failed: got 6.94017282158144e-310, expected 4294967296 ----------
While fixing the GETPROP bug (Bug 701958), I hit a similar issue involving TI+Greedy. The test that I used to reproduce is: function f(v) { return v.x + v.x + v.y; } // 41 is enough to trigger the compilation at the last cycle. for (var i = 41; i; i--) print(f({ x: i, y: i + 1 })); print(f({ x: 1, y: 2 })); This test case cause the TI to identify only one typeset for the "v" argument of the function f. This typeset is then hard coded generateArgumentsChecks function (guardTypeSet) which use graph.entrySnapshot … [Snapshots] Encoding LSnapshot 0xc338e8 (frameCount 1) [Snapshots] starting snapshot with frameCount 1, bailout kind 1 [Snapshots] Starting frame; formals 2, fixed 0, exprs 0 [Snapshots] Writing pc offset 0, nslots 2 [Snapshots] slot 0: value (stack 56) [Snapshots] slot 1: value (reg r14) [Snapshots] ending snapshot total size: 15 bytes (start 0) … to bailout. This snapshot should only contain stack slots to map the arguments of the function. The current snapshot filled by the Greedy allocator is likely to correspond to the snapshot of the start instruction. By looking at the assembler: … 0x7ffff7f43354: add $0x20,%rsp ; end of generateArgumentsChecks 0x7ffff7f43358: sub $0x20,%rsp ; movegroup [arg:8 -> =r14] 0x7ffff7f4335c: mov 0x40(%rsp),%r14 ; visitStart (no assembly produced) 0x7ffff7f43361: mov %r14,%r11 0x7ffff7f43364: shr $0x2f,%r11 The bug show up, because the call which is not inside the loop has a different typeset which cause a bailout with the previous snapshot. The bad result is then obtained by reading r14 register.
(In reply to David Anderson [:dvander] from comment #1) > Chris, could this be bug 706986? Yes. I use a type change (integer overflow) to force a bailout but it didn't actually cause reflow before that bug landed.
Although that command line is doing something funky for me -- somehow trying to reflow info on a NULL typeset? Will have to check that out later. (gdb) bt #0 0x0805d242 in js::HeapPtr<js::types::TypeObject, unsigned int>::operator-> (this=0x4) at /moz/ion-virgin/objdir-js-dbg32/../js/src/gc/Barrier.h:226 #1 0x0805a50e in JSObject::hasSingletonType (this=0x0) at /moz/ion-virgin/objdir-js-dbg32/../js/src/jsobj.h:801 #2 0x0809eadd in js::types::Type::ObjectType (obj=0x0) at /moz/ion-virgin/objdir-js-dbg32/../js/src/jsinferinlines.h:65 #3 0x0809eb9d in js::types::GetValueType (cx=0x86266a0, val=...) at /moz/ion-virgin/objdir-js-dbg32/../js/src/jsinferinlines.h:91 #4 0x080e2e4c in js::types::TypeScript::SetArgument (cx=0x86266a0, script=0xf74061c0, arg=0, value=...) at /moz/ion-virgin/objdir-js-dbg32/../js/src/jsinferinlines.h:689 #5 0x08411bc6 in ReflowArgTypes (cx=0x86266a0) at /moz/ion-virgin/js/src/ion/Bailouts.cpp:314 #6 0x08411c58 in js::ion::ReflowTypeInfo (bailoutResult=2) at /moz/ion-virgin/js/src/ion/Bailouts.cpp:325 #7 0xf73cc27a in ?? ()
These are all due to greedy register allocator bugs, which will be fixed in bug 711763.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.