Closed
Bug 879647
Opened 11 years ago
Closed 11 years ago
Assertion failure: label->used(), at jit/arm/CodeGenerator-arm.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla27
People
(Reporter: gkw, Assigned: mjrosenb)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:][qa-])
Attachments
(3 files, 1 obsolete file)
|
716 bytes,
text/plain
|
Details | |
|
3.90 KB,
text/plain
|
Details | |
|
1.59 KB,
patch
|
jbramley
:
review+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
(function () {
(! (o == "" && typeof b == ""))
s = [, 0 / 0, 1 / 0, 1 / 0, , , 80001, -0, -0, , 0xffffffff, 0x100000000, 0x100000001]
return {
c: s,
r: o
}
})()
asserts js debug shell on m-c changeset 7e3a4ebcf067 with --ion-eager at Assertion failure: label->used() && !label->bound(), at ion/arm/CodeGenerator-arm.cpp
This seems different from bug 829534, the regression changeset shown below is a lot later than that one.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/63b006573c65
user: Brian Hackett
date: Wed May 22 11:36:29 2013 -0600
summary: Bug 870052 - Various tweaks to reduce recompilation on asm.js style apps, r=jandem.
|
Reporter | |
Updated•11 years ago
|
Flags: needinfo?(bhackett1024)
|
||
Comment 1•11 years ago
|
||
Yep, this looks like what I'm seeing too. I'll come up with a signature.
|
|
||
Comment 2•11 years ago
|
||
|
|
||
Updated•11 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:]
|
|
||
Comment 3•11 years ago
|
||
JSBugMon: Cannot process bug: Error: Unsupported architecture "ARM" required by bug
|
||
Comment 4•11 years ago
|
||
It's hard to tell what's going on here, but bug 870052 doesn't have anything to do with it and if anything exposed an existing bug in the assembler.
Flags: needinfo?(bhackett1024)
|
|
Reporter | |
Comment 5•11 years ago
|
||
Setting needinfo from Marty based on comment 4.
Flags: needinfo?(mrosenberg)
|
|
Reporter | |
Comment 6•11 years ago
|
||
... and setting needinfo from myself to retest since bug 879701 has landed, likely modifying this assert.
Flags: needinfo?(gary)
|
|
Reporter | |
Comment 7•11 years ago
|
||
This assert turned into: Assertion failure: label->used(), at jit/arm/CodeGenerator-arm.cpp Tested on 32-bit debug Ubuntu Linux m-c rev d8a62355ea26 on ARM.
Flags: needinfo?(gary)
Summary: Assertion failure: label->used() && !label->bound(), at ion/arm/CodeGenerator-arm.cpp → Assertion failure: label->used(), at jit/arm/CodeGenerator-arm.cpp
|
|
Reporter | |
Comment 8•11 years ago
|
||
Attachment #758397 -
Attachment is obsolete: true
|
Assignee | |
Comment 9•11 years ago
|
||
So looking into this, the issue appears to be: (gdb) p lir->mir()->resultTypeSet()->empty() $1 = true which leads to us never generating a branch to the fail path, so the label throws an assertion due to not having anything branching to it. I'm looking into why the result typeset is empty.
Flags: needinfo?(mrosenberg)
|
||
Updated•11 years ago
|
Assignee: general → mrosenberg
|
||
Updated•11 years ago
|
Component: JavaScript Engine → JavaScript Engine: JIT
|
|
Assignee | |
Comment 10•11 years ago
|
||
previous assessment is wrong. It turns out this landed in a tricky situation that the assembler buffer can't handle. (there is code for handling it, but it is subtly wrong, so I decided to just abort ION in this case.) anyhow, nobody told the bind code that compilation has been aborted, so it throws an assertion. This patch just has us bail out sooner, so we don't get to the assertion case.
Attachment #815959 -
Flags: review?(Jacob.Bramley)
|
||
Comment 11•11 years ago
|
||
(In reply to Marty Rosenberg [:mjrosenb] from comment #10) > Created attachment 815959 [details] [diff] [review] > fixAssertion-r0.patch > > (there is code for handling it, but it is subtly wrong, so I decided to just > abort ION in this case.) Can it be fixed? Is there a TODO or bug in place?
|
|
||
Comment 12•11 years ago
|
||
Comment on attachment 815959 [details] [diff] [review] fixAssertion-r0.patch Review of attachment 815959 [details] [diff] [review]: ----------------------------------------------------------------- If the assembler buffer gets fixed, this bailout presumably isn't needed, but it will probably get forgotten. Could you add a TODO explaining that it should be removed at some point?
Attachment #815959 -
Flags: review?(Jacob.Bramley) → review+
|
|
Reporter | |
Comment 14•11 years ago
|
||
I'd like this to be landed before the upcoming merge window, please. This assertion is also one of the asserts blocking Android 2.2 debug tests, see bug 866795 comment 15.
status-firefox27:
--- → affected
tracking-firefox27:
--- → ?
|
|
Assignee | |
Comment 15•11 years ago
|
||
landed: https://hg.mozilla.org/integration/mozilla-inbound/rev/cacd16757698
Flags: needinfo?(mrosenberg)
|
||
Updated•11 years ago
|
|
||
Comment 16•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/cacd16757698
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
|
||
Updated•11 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker] [jsbugmon:][qa-]
|
|
Reporter | |
Comment 17•11 years ago
|
||
Is there any chance this can be nominated for backport? (this bug appears pretty frequently on ARM fuzzing prior to the fix)
Flags: needinfo?(mrosenberg)
|
|
Assignee | |
Comment 18•11 years ago
|
||
Comment on attachment 815959 [details] [diff] [review] fixAssertion-r0.patch [Approval Request Comment] Bug caused by (feature/regressing bug #): IM landing User impact if declined: assertions in debug builds, annoyance for fuzzers Testing completed (on m-c, etc.): it has been on m-c for a while Risk to taking this patch (and alternatives if risky): corner cases and OOM are handled slightly differently now. String or IDL/UUID changes made by this patch:
Attachment #815959 -
Flags: approval-mozilla-aurora?
|
|
||
Comment 19•11 years ago
|
||
Comment on attachment 815959 [details] [diff] [review] fixAssertion-r0.patch [
Attachment #815959 -
Flags: approval-mozilla-aurora? → approval-mozilla-beta?
|
|
||
Comment 20•11 years ago
|
||
(In reply to bhavana bajaj [:bajaj] from comment #19) > Comment on attachment 815959 [details] [diff] [review] > fixAssertion-r0.patch > > [ whoops hit save too fast. Switched the nom from aurora to beta given Firefox27 is already fixed here.
|
||
Updated•11 years ago
|
Attachment #815959 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
||
Comment 21•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-beta/rev/46ff69fc509e
status-firefox26:
--- → fixed
Flags: needinfo?(mrosenberg)
|
|
||
Comment 22•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-b2g26_v1_2/rev/dcc8c99781dc
status-b2g-v1.2:
--- → fixed
|
|
Reporter | |
Comment 23•11 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #22) > https://hg.mozilla.org/releases/mozilla-b2g26_v1_2/rev/dcc8c99781dc This is likely wrong, it should be: https://hg.mozilla.org/releases/mozilla-b2g26_v1_2/rev/46ff69fc509e
You need to log in
before you can comment on or make changes to this bug.
Description
•