Closed Bug 854103 Opened 12 years ago Closed 12 years ago

bug507180.js:31:4 Error: Assertion failed: got "imacro produces incorrect result for obj == any", expected "fail" on linux64 when built with gcc4.7

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla23

People

(Reporter: glandium, Assigned: glandium)

References

Details

Attachments

(3 files)

minized bug 507180.js
436 bytes, text/plain
Details
Never inline js::mjit::StubEqualityOp
864 bytes, patch
Details | Diff | Splinter Review
ignore the high bits of returnReg on x86_64 when it actually holds a bool
1.01 KB, patch
dvander
: review+
Details | Diff | Splinter Review
https://tbpl.mozilla.org/php/getParsedLog.php?id=21010620&tree=Try FAIL - /builds/slave/try-l64-d-00000000000000000000/build/js/src/jit-test/tests/basic/bug507180.js TEST-UNEXPECTED-FAIL | /builds/slave/try-l64-d-00000000000000000000/build/js/src/jit-test/tests/basic/bug507180.js | --no-ion --always-mjit: /builds/slave/try-l64-d-00000000000000000000/build/js/src/jit-test/tests/basic/bug507180.js:31:4 Error: Assertion failed: got "imacro produces incorrect result for obj == any", expected "fail" FAIL - /builds/slave/try-l64-d-00000000000000000000/build/js/src/jit-test/tests/basic/bug507180.js TEST-UNEXPECTED-FAIL | /builds/slave/try-l64-d-00000000000000000000/build/js/src/jit-test/tests/basic/bug507180.js | --no-ion --always-mjit --debugjit: /builds/slave/try-l64-d-00000000000000000000/build/js/src/jit-test/tests/basic/bug507180.js:31:4 Error: Assertion failed: got "imacro produces incorrect result for obj == any", expected "fail"
Only happens on debug builds, not opt.
Summary: bug507180.js:31:4 Error: Assertion failed: got "imacro produces incorrect result for obj == any", expected "fail" on linux64 when built with gcc4.7 → bug507180.js:31:4 Error: Assertion failed: got "imacro produces incorrect result for obj == any", expected "fail" on linux64 debug when built with gcc4.7
GCC 4.7 can be tested on try with: --- a/build/unix/mozconfig.linux +++ b/build/unix/mozconfig.linux @@ -1,4 +1,4 @@ . "$topsrcdir/build/mozconfig.common" -CC=/tools/gcc-4.5-0moz3/bin/gcc -CXX=/tools/gcc-4.5-0moz3/bin/g++ +CC=/tools/gcc-4.7.2-0moz1/bin/gcc +CXX=/tools/gcc-4.7.2-0moz1/bin/g++
Blocks: gcc-4.7
Attached file minized bug 507180.js
This is a minimal version of bug507180.js that fails for me too. Note the empty for loop, function call to assert() and the object weirdness all seem to be required. Also note that this only seems to fail with --args='--no-ion --no-baseline --always-mjit' :(
Attachment #735716 - Attachment mime type: application/javascript → text/plain
Summary: bug507180.js:31:4 Error: Assertion failed: got "imacro produces incorrect result for obj == any", expected "fail" on linux64 debug when built with gcc4.7 → bug507180.js:31:4 Error: Assertion failed: got "imacro produces incorrect result for obj == any", expected "fail" on linux64 when built with gcc4.7
So, It seems that js::methodjit::stubs::Equal() returns false and sets argv[-2] to a false jsval correctly, but when we get to js::AssertEq() the first arg is true. I sort of suspect js/src/methodjit/InvokeHelpers.cpp:883 but don't know teh code well enough to really say if that's a reasonable explanation of what's happening. I supose another approach we could take is to just disable testing of JM (dvander was suprised we are testing it and apparently its about to be removed) in which case we could just hope its not a compiler bug and move on.
(In reply to Trevor Saunders (:tbsaunde) from comment #5) > So, It seems that js::methodjit::stubs::Equal() returns false and sets > argv[-2] to a false jsval correctly, but when we get to js::AssertEq() the > first arg is true. I sort of suspect js/src/methodjit/InvokeHelpers.cpp:883 > but don't know teh code well enough to really say if that's a reasonable > explanation of what's happening. So, in fact, js::mjit::stubs::Equal is not returning false properly. It returns JSVAL_FALSE instead of false. That is, it forgets to do the toBoolean(). Well, gcc 4.7 makes it forget to do it, which seems to be a case of bad inlining. This patch works for me locally.
Assignee: general → mh+mozilla
And it works on try with gcc 4.7. https://tbpl.mozilla.org/?tree=Try&rev=d12149b3030d PGO still building, but at this point there's no reason it should fail. https://tbpl.mozilla.org/?tree=Try&rev=bc85d9bb84c9
Comment on attachment 736203 [details] [diff] [review] Never inline js::mjit::StubEqualityOp All green on try with gcc 4.7.
Attachment #736203 - Flags: review?(jorendorff)
Comment on attachment 736203 [details] [diff] [review] Never inline js::mjit::StubEqualityOp As discussed on irc, this probably isn't the right fix, the root cause is somewhere else.
Attachment #736203 - Flags: review?(jorendorff)
The actual problem is between INLINE_STUBCALL and JaegerInterpoline. Essentially, all stub calls are treated as if they returned void *, and that void * ends up as returnReg in js_InternalInterpret. The problem is that on 64-bits platforms, stubs returning a JSBool, may leave garbage in the 32 upper bits, which end up in that void *. Now, the question is, is REJOIN_PUSH_BOOLEAN the only rejoin value where the called stub returns a JSBool?
If this is only a problem on mozilla-central, we should just stop testing JM on tbpl, as we don't expect to ship it enabled with Firefox 23.
(In reply to David Anderson [:dvander] from comment #11) > If this is only a problem on mozilla-central, we should just stop testing JM > on tbpl, as we don't expect to ship it enabled with Firefox 23. If we don't have test coverage of all the possible combinations that can lead to such problems, which can theoretically happen with any compiler, we may have a hidden bug on any release using JM.
I wrote this before you commented, and so figure I might as well post it. Also we probably don't need to, but I guess we might want to take it on branches... p.s. sorry its not diff -U8 -p it was written on a machine I don't normally use and I forgot until just now.
Attachment #736476 - Flags: review?(dvander)
(In reply to David Anderson [:dvander] from comment #11) > If this is only a problem on mozilla-central, we should just stop testing JM > on tbpl, as we don't expect to ship it enabled with Firefox 23. filed bug 860915 to stop testing JM since I assume you'll want to do that at some point if not now.
Attachment #736476 - Flags: review?(dvander) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/a777fa3031f3 Sorry, I appear to have forgotten to hg qref -u
https://hg.mozilla.org/mozilla-central/rev/a777fa3031f3
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: