Closed Bug 936891 Opened 11 years ago Closed 11 years ago

Assertion failure: false (MOZ_ASSUME_UNREACHABLE(Modified registers between VM call and OsiPoint)), at jit/shared/CodeGenerator-shared.cpp:532

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla28

People

(Reporter: decoder, Assigned: sunfish)

References

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

[crash-signature] Machine-readable crash signature
409 bytes, text/plain
Details
regalloc-safepoint-positions.patch
4.13 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision 16949049f03d (threadsafe build, run with --fuzzing-safe --ion-eager --ion-regalloc=backtracking):


enableOsiPointRegisterChecks();
function rec(x, self) {
    if (1 && this) {}
}
for (var i = 0; i < 20; ++i)
    rec(1, rec);
The immediate difference between LinearScan and Backtracking here is the odd way that LinearScan does liveness. The allocators register allocate the same way:

 [16,17 Value] [def v4 =rcx]
 [18,19 ComputeThis] [def v5 =rcx] [use v4:r =rcx]

LinearScan calls this LiveInterval of rcx [16,18>, while Backtracking calls it [17,19>.

addLiveRegistersForInterval is doing a lookup to determine which interval contains the use at position 18. For LinearScan, [16,18> doesn't contain 18. For Backtracking, [17,19> does.
Blocks: 826741
This patch fixes the given testcase by fixing a few places in safepoint handling to account for the different ways that LinearScan and Backtracking use liveness.
Assignee: general → sunfish
Attachment #829994 - Flags: review?(bhackett1024)
Attachment #829994 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/0aeda4bd3113
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Blocks: 926904
Blocks: 941617
Keywords: verifyme
With Nightly js shell builds from 2013-11-10 and 2013-11-11 I get nothing on Ubuntu 13.10 x64.
The same with FF 28 beta 2 shell.
Is there any other way to reproduce this assertion and verify the fix?
Flags: needinfo?(dgohman)
I've verified this.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/0aeda4bd3113
user:        Dan Gohman
date:        Tue Nov 12 05:46:43 2013 -0800
summary:     Bug 936891 - IonMonkey: Fix safepoint handling to mind the differences between LSRA and Backtracking. r=bhackett
Status: RESOLVED → VERIFIED
Flags: needinfo?(dgohman)
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: