Assertion failure: false (MOZ_ASSUME_UNREACHABLE(Modified registers between VM call and OsiPoint)), at jit/shared/CodeGenerator-shared.cpp:532

VERIFIED FIXED in mozilla28

Status

defect
--
critical
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: decoder, Assigned: sunfish)

Tracking

(Blocks 1 bug, {assertion, testcase})

Trunk
mozilla28
x86_64
Linux

The following testcase asserts on mozilla-central revision 16949049f03d (threadsafe build, run with --fuzzing-safe --ion-eager --ion-regalloc=backtracking):


enableOsiPointRegisterChecks();
function rec(x, self) {
    if (1 && this) {}
}
for (var i = 0; i < 20; ++i)
    rec(1, rec);

The immediate difference between LinearScan and Backtracking here is the odd way that LinearScan does liveness. The allocators register allocate the same way:

 [16,17 Value] [def v4 =rcx]
 [18,19 ComputeThis] [def v5 =rcx] [use v4:r =rcx]

LinearScan calls this LiveInterval of rcx [16,18>, while Backtracking calls it [17,19>.

addLiveRegistersForInterval is doing a lookup to determine which interval contains the use at position 18. For LinearScan, [16,18> doesn't contain 18. For Backtracking, [17,19> does.
Blocks: 826741
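
The containment lookup described in the comment above, as an added C++ illustration (not SpiderMonkey code and not the landed patch): it takes the two intervals quoted for v4 and shows the plain lookup at position 18 missing under LinearScan and hitting under Backtracking. All type and function names are hypothetical, and `regFeedingUse` is an assumed way to reconcile the two conventions for this sketch.

```cpp
// Added illustration, not SpiderMonkey code. The intervals are the ones quoted
// in the comment above; every type and function name here is hypothetical.
#include <cstdint>
#include <cstdio>
#include <vector>

enum class Allocator { LinearScan, Backtracking };

// Half-open live interval [from, to>, in the notation used in this bug.
struct LiveInterval {
    uint32_t vreg;
    const char* reg;
    uint32_t from, to;
    bool covers(uint32_t pos) const { return from <= pos && pos < to; }
};

// v4 is defined by Value [16,17] and used by ComputeThis at position 18.
std::vector<LiveInterval> intervalsFor(Allocator a) {
    if (a == Allocator::LinearScan)
        return {{4, "rcx", 16, 18}};
    return {{4, "rcx", 17, 19}};
}

// Plain containment lookup: the register holding `vreg` at `pos`, or nullptr.
const char* regAt(Allocator a, uint32_t vreg, uint32_t pos) {
    for (const LiveInterval& iv : intervalsFor(a))
        if (iv.vreg == vreg && iv.covers(pos))
            return iv.reg;
    return nullptr;
}

// Assumed reconciliation for this sketch only (not the landed patch): the
// LinearScan interval ends exclusively at the use, so probe one position earlier.
const char* regFeedingUse(Allocator a, uint32_t vreg, uint32_t usePos) {
    uint32_t probe = (a == Allocator::LinearScan && usePos > 0) ? usePos - 1 : usePos;
    return regAt(a, vreg, probe);
}

int main() {
    const Allocator both[] = {Allocator::LinearScan, Allocator::Backtracking};
    for (Allocator a : both) {
        const char* plain = regAt(a, 4, 18);
        const char* aware = regFeedingUse(a, 4, 18);
        std::printf("%s: plain=%s aware=%s\n",
                    a == Allocator::LinearScan ? "LinearScan" : "Backtracking",
                    plain ? plain : "(none)", aware ? aware : "(none)");
    }
    return 0;
}
```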

This patch fixes the given testcase by fixing a few places in safepoint handling to account for the different ways that LinearScan and Backtracking use liveness.
Assignee: general → sunfish
Attachment #829994 - Flags: review?(bhackett1024)
Attachment #829994 - Flags: review?(bhackett1024) → review+

https://hg.mozilla.org/mozilla-central/rev/0aeda4bd3113
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Blocks: 926904
Blocks: 941617
Keywords: verifyme

With Nightly js shell builds from 2013-11-10 and 2013-11-11 I get nothing on Ubuntu 13.10 x64.
The same with FF 28 beta 2 shell.
Is there any other way to reproduce this assertion and verify the fix?
Flags: needinfo?(dgohman)

I've verified this.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/0aeda4bd3113
user:        Dan Gohman
date:        Tue Nov 12 05:46:43 2013 -0800
summary:     Bug 936891 - IonMonkey: Fix safepoint handling to mind the differences between LSRA and Backtracking. r=bhackett
Status: RESOLVED → VERIFIED
Flags: needinfo?(dgohman)
Keywords: verifyme