867753 - Assertion failure: isLowered(), at ion/MIR.h:472 or Crash [@ getInterval]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central revision 02aa81c59df6 (run with --ion-eager):


function f0() {
    var v0;
    if ((v0 ^ v0) + "") {}
}
f0()

Comment 1

[Christian Holler (:decoder)]

Crash looks harmless:

Program received signal SIGSEGV, Segmentation fault.
0x083ab3cb in getInterval (i=0, this=<optimized out>) at js/src/ion/LiveRangeAllocator.h:403
403             return intervals_[i];
(gdb) bt
#0  0x083ab3cb in getInterval (i=0, this=<optimized out>) at js/src/ion/LiveRangeAllocator.h:403
#1  js::ion::LiveRangeAllocator<js::ion::LinearScanVirtualRegister>::buildLivenessInfo (this=0xffffbf9c) at js/src/ion/LiveRangeAllocator.cpp:722
#2  0x083a4069 in js::ion::LinearScanAllocator::go (this=0xffffbf9c) at js/src/ion/LinearScan.cpp:1136
#3  0x08344b8e in js::ion::GenerateLIR (mir=0x9106cc8) at js/src/ion/Ion.cpp:1151
#4  0x08346184 in CompileBackEnd (mir=<optimized out>, maybeMasm=<optimized out>) at js/src/ion/Ion.cpp:1231
#5  compile (autoDelete=<synthetic pointer>, builder=<optimized out>, this=<optimized out>, graph=<optimized out>) at js/src/ion/Ion.cpp:1427
#6  IonCompile<js::ion::SequentialCompileContext> (compileContext=..., constructing=false, osrPc=0x0, fp=..., script=0x9106cc8, cx=0x90eefc8) at js/src/ion/Ion.cpp:1367
#7  js::ion::Compile<js::ion::SequentialCompileContext> (cx=0x90eefc8, script=0xf7434180, fp=..., osrPc=0x0, constructing=false, compileContext=...) at js/src/ion/Ion.cpp:1598
#8  0x083471a4 in js::ion::CompileFunctionForBaseline (cx=0x90eefc8, script=0xf7434180, fp=..., isConstructing=false) at js/src/ion/Ion.cpp:1734
#9  0x08536562 in EnsureCanEnterIon (jitcodePtr=<synthetic pointer>, pc=0x90e9f88 "V", script=0xf7434180, frame=0xffffc2dc, cx=0x90eefc8, stub=<optimized out>)
    at js/src/ion/BaselineIC.cpp:661
#10 DoUseCountFallback (infoPtr=0xffffc2c0, frame=0xffffc2dc, stub=0x90fc7b8, cx=0x90eefc8) at js/src/ion/BaselineIC.cpp:844
#11 js::ion::DoUseCountFallback (cx=0x90eefc8, stub=0x90fc7b8, frame=0xffffc2dc, infoPtr=0xffffc2c0) at js/src/ion/BaselineIC.cpp:803
#12 0xf7fcf45a in ?? ()
[...]
(gdb) x /i $pc
=> 0x83ab3cb <js::ion::LiveRangeAllocator<js::ion::LinearScanVirtualRegister>::buildLivenessInfo()+2939>:       mov    (%eax),%eax
(gdb) info reg eax
eax            0x0      0

Comment 2

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 3

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 4

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   130326:d53be0e3442d
user:        Brian Hackett
date:        Tue Apr 30 05:35:11 2013 -0600
summary:     Bug 866670 - Don't fold unnecessary bitops until after analyzing truncated instructions, r=jandem.

This iteration took 120.098 seconds to run.

Comment 5

[Christian Holler (:decoder)]

Brian, can you take a look based on comment 4?

Comment 6

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision b980d32c366f).

Comment 7

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision b980d32c366f).
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   131109:357af4877abd
user:        Brian Hackett
date:        Tue May 07 05:11:46 2013 -0600
summary:     Bug 865059 - Move pc -> type set map out of script analysis, don't analyze scripts until they are compiled by Ion, r=jandem.

This iteration took 345.410 seconds to run.

Comment 8

[Christian Holler (:decoder)]

Brian, did the bug in comment 7 fix this? Thanks :)

Comment 9

[Brian Hackett [Laid off!]]

Yeah, I rolled the fix into that patch.