Closed Bug 810802 Opened 13 years ago Closed 13 years ago

IonMonkey: Assertion failure: false (could not find use), at ion/MIR.cpp:256 or Crash [@ js::ion::MNode::replaceOperand]

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
critical

RESOLVED DUPLICATE of bug 766592

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:])

The following testcase asserts on mozilla-central revision b2bdbfe06b10 (run with --ion-eager):

eval("(function() {\
  var arr = 'instanceof RangeError';\
  var out = [];\
  for (var i = 0; i < 10; ++i)\
    for (var j = 0; j < arr.length; ++j)\
      out.push(String.prototype.indexOf.call(arr[i], 'object'));\
  for (var i = 0; i < out.length; ++i)\
    (function n( f = exitFunc ('test'), j = 1) {})[i]\
})();");
Crash trace:

Program received signal SIGSEGV, Segmentation fault.
js::ion::MNode::replaceOperand (this=0x8599800, index=0, def=0x0) at /srv/repos/mozilla-central/js/src/ion/MIR.cpp:250
250 if (i->index() == index && i->node() == this) {
(gdb) bt
#0 js::ion::MNode::replaceOperand (this=0x8599800, index=0, def=0x0) at /srv/repos/mozilla-central/js/src/ion/MIR.cpp:250
#1 0x083b50e7 in js::ion::MBasicBlock::discard (this=0x8599180, ins=0x8599800) at /srv/repos/mozilla-central/js/src/ion/MIRGraph.cpp:446
#2 0x083871a7 in js::ion::Loop::hoistInstructions (this=0xffffb6cc, toHoist=..., boundsChecks=...) at /srv/repos/mozilla-central/js/src/ion/LICM.cpp:268
#3 0x08387624 in optimize (this=0xffffb6cc) at /srv/repos/mozilla-central/js/src/ion/LICM.cpp:229
#4 js::ion::LICM::analyze (this=0xffffb7b4) at /srv/repos/mozilla-central/js/src/ion/LICM.cpp:105
#5 0x08345a18 in js::ion::CompileBackEnd (mir=0x8597980) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:890
#6 0x083462fa in js::ion::IonCompile (cx=0x8577be0, script=0x8597980, fun=0xf7413ec0, osrPc=0x858e61e "\343V", constructing=false) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1091
#7 0x083468d2 in js::ion::Compile (cx=<optimized out>, script=0xf740f178, fun=0xf7413ec0, osrPc=0x858e61e "\343V", constructing=false) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1231
#8 0x08346acc in Compile (constructing=<optimized out>, osrPc=0x858e61e "\343V", fun=0xf7413ec0, script=0xf740f178, cx=0x8577be0) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1205
#9 js::ion::CanEnterAtBranch (cx=0x8577be0, script=..., fp=0xf76970d8, pc=0x858e61e "\343V") at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1273
#10 0x080f270a in js::Interpret (cx=0x8577be0, entryFrame=0xf7697088, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:1394
#11 0x080fc943 in js::RunScript (cx=0x8577be0, script=..., fp=0xf7697088) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:326
#12 0x080fcbf3 in js::ExecuteKernel (cx=0x8577be0, script=..., scopeChain=..., thisv=..., type=js::EXECUTE_DIRECT_EVAL, evalInFrame=0x0, result=0xf7697060) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:512
#13 0x08265ccb in EvalKernel (cx=<optimized out>, args=..., evalType=DIRECT_EVAL, caller=0xf7697020, scopeobj=...) at /srv/repos/mozilla-central/js/src/builtin/Eval.cpp:286
#14 0x08266fa6 in js::DirectEval (cx=0x8577be0, args=...) at /srv/repos/mozilla-central/js/src/builtin/Eval.cpp:335
#15 0x080f2e48 in js::Interpret (cx=0x8577be0, entryFrame=0xf7697020, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:2293
#16 0x080fc943 in js::RunScript (cx=0x8577be0, script=..., fp=0xf7697020) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:326
#17 0x080fdb06 in ExecuteKernel (result=0x0, thisv=..., scopeChain=..., script=..., cx=0x8577be0, type=<optimized out>, evalInFrame=<optimized out>) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:512
#18 js::Execute (cx=0x8577be0, script=..., scopeChainArg=..., rval=0x0) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:550
#19 0x08069278 in JS_ExecuteScript (cx=0x8577be0, objArg=0xf740b040, scriptArg=0xf740f088, rval=0x0) at /srv/repos/mozilla-central/js/src/jsapi.cpp:5529
#20 0x080535b8 in Process (cx=0x8577be0, obj_=<optimized out>, filename=0xffffd087 "min.js", forceTTY=false) at /srv/repos/mozilla-central/js/src/shell/js.cpp:441
#21 0x080569ae in ProcessArgs (op=0xffffcdc0, obj_=0xf740b040, cx=0x8577be0) at /srv/repos/mozilla-central/js/src/shell/js.cpp:4741
#22 Shell (cx=0x8577be0, op=0xffffcdc0, envp=0xffffcee4) at /srv/repos/mozilla-central/js/src/shell/js.cpp:4778
#23 0x0804b66c in main (argc=3, argv=0xffffced4, envp=0xffffcee4) at /srv/repos/mozilla-central/js/src/shell/js.cpp:4976
(gdb) x /i $pc
=> 0x842f69c <js::ion::MNode::replaceOperand(unsigned int, js::ion::MDefinition*)+44>: cmp 0x8(%edx),%esi
(gdb) info reg edx
edx 0x0 0
Blocks: IonFuzz
Crash Signature: [@ js::ion::MNode::replaceOperand]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 109092:f8af70ee46f7
user: Marshall Culpepper
date: Wed Oct 03 12:50:07 2012 -0500
summary: Bug 797154: A new virtualenv frontend for B2G mochitests. r=jgriffin

This iteration took 259.622 seconds to run.
(In reply to Christian Holler (:decoder) from comment #2)
> The first bad revision is:
> changeset: 109092:f8af70ee46f7
> user: Marshall Culpepper
> date: Wed Oct 03 12:50:07 2012 -0500
> summary: Bug 797154: A new virtualenv frontend for B2G mochitests.
> r=jgriffin

Whoa! Are you sure? This sounds ultimately unlikely to me.
(In reply to Nicolas B. Pierron [:pierron] [:nbp] from comment #3)
> Whoa! Are you sure? This sounds ultimately unlikely to me.

Agreed. Maybe the bug is behaving non-deterministically and I did not notice that when I was reducing it earlier.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 6eca73d185d0).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,reconfirm,bisectfix]
Whiteboard: [jsbugmon:update,reconfirm,bisectfix] → [jsbugmon:update,reconfirm,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ae2d36c5dc26).
JSBugMon: Fix Bisection requested, failed due to error (try manually).
Whiteboard: [jsbugmon:update,reconfirm,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, failed due to error (try manually).
Trying this once more on the new server.
Whiteboard: [jsbugmon:] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, failed due to error (try manually).
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 106543:3359300edfe7
user: David Anderson
date: Thu Jul 12 13:29:17 2012 -0700
summary: Simplify handling of lazy argument values in MIR (bug 772903, r=pierron).

(tested on Mac - maybe your error is specific to Linux. What's your error log?)
Blocks: 772903
This is likely fixed by:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: 114092:89e5db8cf62f
user: Brian Hackett
date: Fri Nov 23 23:23:03 2012 -0500
summary: Add symbolic range analysis for loop induction variables, bug 766592. r=mjrosenb

Brian, do you think this is possible?
Flags: needinfo?(bhackett1024)
Yes, this is possible. The crash is in LICM hoisting code which was changed some by bug 766592.
Flags: needinfo?(bhackett1024)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE