859255 - Assertion failure: offset < script->length, at ion/CodeGenerator.cpp with ParallelArray and -D (--dump-bytecode)

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

ParallelArray(999,function([y]){})

asserts js debug shell on m-c changeset b0d842380959 with -D (or --dump-bytecode) at Assertion failure: offset < script->length, at ion/CodeGenerator.cpp

Running autoBisect now...

Comment 1

[Christian Holler (:decoder)]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   127453:1aaed48de5e5
parent:      127452:71ff63071039
parent:      126478:962f5293f87f
user:        Jan de Mooij
date:        Thu Mar 28 11:26:32 2013 +0100
summary:     Merge from mozilla-central.

Not all ancestors of this changeset have been checked.
Use bisect --extend to continue the bisection from
the common ancestor, 5dbcbd03d7ba.

This iteration took 162.080 seconds to run.

Oops! We didn't test rev 962f5293f87f, a parent of the blamed revision! Let's do that now.
Rev 962f5293f87f: Updating... Compiling... Testing... good (Exit code 0)
As expected, the parent's label is the opposite of the blamed rev's label.

The bug was introduced by a merge (it was not present on either parent).
I don't know which patches from each side of the merge contributed to the bug. Sorry.


Jandem, this seems to point to BaselineCompiler - is this likely?

Comment 3

[Jan de Mooij [:jandem]]

Hm this looks like a ParallelArray issue, CC'ing Niko and Shu.

Comment 4

[Niko Matsakis [:nmatsakis]]

Off the top of my head, I'd guess it's related to callsite cloning.  Shu, what do you think?

Comment 5

[Shu-yu Guo [:shu]]

Attachment: fix

Comment 6

[David Anderson [:dvander] - inactive, e-mail if emergency]

Comment on attachment 736904 [details] [diff] [review]
fix

Review of attachment 736904 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/MIRGraph.cpp
@@ +167,4 @@
>  {
> +    MBasicBlock *block = new MBasicBlock(graph, info, entryPc, NORMAL);
> +
> +    resumePoint->block_ = block;

nit: use setBlock()

@@ +167,5 @@
>  {
> +    MBasicBlock *block = new MBasicBlock(graph, info, entryPc, NORMAL);
> +
> +    resumePoint->block_ = block;
> +    block->entryResumePoint_ = resumePoint;

nit: Use setResumePoint()

Comment 7

[Shu-yu Guo [:shu]]

(In reply to David Anderson [:dvander] from comment #6)
> Comment on attachment 736904 [details] [diff] [review]
> fix
> 
> Review of attachment 736904 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: js/src/ion/MIRGraph.cpp
> @@ +167,4 @@
> >  {
> > +    MBasicBlock *block = new MBasicBlock(graph, info, entryPc, NORMAL);
> > +
> > +    resumePoint->block_ = block;
> 
> nit: use setBlock()
> 
> @@ +167,5 @@
> >  {
> > +    MBasicBlock *block = new MBasicBlock(graph, info, entryPc, NORMAL);
> > +
> > +    resumePoint->block_ = block;
> > +    block->entryResumePoint_ = resumePoint;
> 
> nit: Use setResumePoint()

Those helpers don't exist on MBasicBlock, only MInstruction. Do you want me to add them?

Comment 8

[Shu-yu Guo [:shu]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/a1d95089b0b7

try: https://tbpl.mozilla.org/?tree=Try&rev=01457eb754d5

Comment 9

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/a1d95089b0b7