Assertion failure: safepoint->hasSlotsOrElementsPointer(alloc), at ion/RegisterAllocator.cpp

RESOLVED FIXED in mozilla25

Status

()

--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: gkw, Assigned: jandem)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla25
x86_64
Mac OS X
assertion, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [fuzzblocker])

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
function f() {
	for (x = 1; x < 9; x++) {}
}
new f


asserts js debug shell on m-c changeset bc99f68f8946 with --ion-eager --ion-regalloc=backtracking at Assertion failure: safepoint->hasSlotsOrElementsPointer(alloc), at ion/RegisterAllocator.cpp

This blocks fuzzing with --ion-regalloc=backtracking, as it is blowing up jsfunfuzz.
(Reporter)

Comment 1

5 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/9a62d56be0bc
user:        Jan de Mooij
date:        Wed Jul 03 20:27:39 2013 +0200
summary:     Bug 888872 - Keep track of slots/elements pointers stored in Ion frames for generational GC. r=dvander,terrence
Blocks: 888872
Flags: needinfo?(jdemooij)
(Reporter)

Comment 2

5 years ago
Created attachment 771572 [details]
stack

Tested on m-c tip rev 17fe59f6c54a.
(Assignee)

Comment 3

5 years ago
Created attachment 771983 [details] [diff] [review]
Patch

Ah, the backtracking allocator no longer uses the regalloc verifier to fill safepoints so bug 888872 broke it.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #771983 - Flags: review?(bhackett1024)
Flags: needinfo?(jdemooij)
Attachment #771983 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/8e1f9400edde

Should this have a test?
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
(Reporter)

Updated

5 years ago
Blocks: 826741
You need to log in before you can comment on or make changes to this bug.