887772 - Assertion failure: numPredecessors() >= 2, at ion\MIRGraph.h:316

Status: RESOLVED DUPLICATE of bug 880377

(Core :: JavaScript Engine, defect)

Description

[Carsten Book [:Tomcat]]

Attachment: stack

Assertion failure: numPredecessors() >= 2, at c:\work\mozilla\builds\aurora\mozilla\js\src\ion\MIRGraph.h:316 found via bughunter and crashes on load (working on a testcase).

crashes on aurora and mc nightly debug builds on windows 7 

Stack is attached too

Comment 1

[Carsten Book [:Tomcat]]

Attachment: testcase

will also try to reduce it a little more

Comment 2

[Jan de Mooij [:jandem]]

Thanks! I will take a look next week :)

Comment 3

[Carsten Book [:Tomcat]]

seems the regression range is somewhere between http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7ba8c86f1a56&tochange=cea75ce9a559

Comment 4

[Andrew McCreight [:mccr8]]

I'm going to assume violating IonMonkey CFG invariants is a bad thing until proven otherwise...

Comment 5

[Jan de Mooij [:jandem]]

Thanks Tomcat, great testcase! Here's a script that asserts in the shell:

function do_tabmagic() {
    var tabmain = {};
    if (tabmain != undefined)
        var x = new Int32Array();
    if (x != undefined) {
        for (var j = 0; j < 1; j++){
            for (var i = 0; i < 10000; i++) {
            }
        }
    }
}
do_tabmagic();

Comment 6

[Jan de Mooij [:jandem]]

Niko, this is an UCE problem. We end up with a loop header with one predecessor and this breaks some invariants.

We should probably not remove any predecessors of loop headers if we are not going to remove the loop header itself, but needinfo?-ing you since you're more familiar with UCE.

Comment 7

[Niko Matsakis [:nmatsakis]]

I believe this is a dup of bug 880377. I had started on a fix some time ago but never finished it. I wasn't able to find a satisfying way to express the nodes that should not be removed and it fell of my radar. Let me take another look at this.