Closed Bug 942604 Opened 11 years ago Closed 11 years ago

Assertion failure: consumer->isConsistentFloat32Use(), at jit/IonAnalysis.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

RESOLVED FIXED
mozilla28
Tracking Status
firefox27 --- fixed
firefox28 --- fixed

People

(Reporter: gkw, Assigned: djvj)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

Attached file stack
for (var j = 0; j < 999; ++j) {
    try {
        (function() {
            function f(x) {
                x = (new Float32Array)[i >> 2];
                {}(w) = arguments[0]
            }
            return f
        })()();
    } catch (e) {}
}

asserts js debug shell on m-c changeset 74ab61b8d0f0 without any CLI arguments at Assertion failure: consumer->isConsistentFloat32Use(), at jit/IonAnalysis.cpp

My configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/2963a336e7ec
user:        Kannan Vijayan
date:        Mon Sep 30 10:24:30 2013 -0400
summary:     Bug 921120 - Enable Ion-compilation of JSOP_SETARG for functions which use magic arguments. r=nbp

Kannan, is bug 921120 a likely regressor?
Blocks: 921120
Flags: needinfo?(kvijayan)
Yeah.  MSetFrameArgument doesn't handle Float32 incomings.  Taking bug.
Assignee: general → kvijayan
Flags: needinfo?(kvijayan)
Attached patch bug-942604.patch (obsolete) — Splinter Review
Fixes this by adding a ToDouble prior to MSetFrameArgument if the incoming value is typed Float32.
Attachment #8338003 - Flags: review?(benj)
Comment on attachment 8338003 [details] [diff] [review]
bug-942604.patch

Review of attachment 8338003 [details] [diff] [review]:
-----------------------------------------------------------------

Good news! You can do simpler, just by making MSetFrameArgument a NoFloatPolicy for the value argument (see also MArrayPush for instance). Then you don't have to worry about adding yourself the ToDouble before the operation.
Attachment #8338003 - Flags: review?(benj)
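
A simplified model of the approach suggested in the review above, as an added example that is not SpiderMonkey code and not taken from either patch on this bug. The types and functions (`Node`, `Graph`, `consistentFloat32Uses`, `applyNoFloatPolicy`, `buildTestcase`) are hypothetical, and the graph is constructed to mirror the testcase's Float32Array load feeding a frame argument store.

```cpp
// Added illustration, not SpiderMonkey source; all names are hypothetical.
#include <memory>
#include <string>
#include <utility>
#include <vector>

enum class Type { Double, Float32, Value };

struct Node {
    std::string op;
    Type type;
    std::vector<Node*> operands;
    bool acceptsFloat32;  // may this consumer take a Float32 operand unchanged?
};

struct Graph {
    std::vector<std::unique_ptr<Node>> nodes;
    Node* add(std::string op, Type t, std::vector<Node*> ops, bool acceptsF32) {
        nodes.emplace_back(new Node{std::move(op), t, std::move(ops), acceptsF32});
        return nodes.back().get();
    }
};

// Analogue of the failed assertion: a Float32 value may only feed consumers that accept it.
bool consistentFloat32Uses(const Graph& g) {
    for (const auto& n : g.nodes)
        for (const Node* in : n->operands)
            if (in->type == Type::Float32 && !n->acceptsFloat32) return false;
    return true;
}

// No-float policy for one operand slot: route a Float32 input through ToDouble.
bool applyNoFloatPolicy(Graph& g, Node* consumer, unsigned slot) {
    Node* in = consumer->operands[slot];
    if (in->type != Type::Float32) return false;  // nothing to convert
    consumer->operands[slot] = g.add("ToDouble", Type::Double, {in}, true);
    return true;
}

// Constructed graph: a Float32Array element load stored into a frame argument.
Node* buildTestcase(Graph& g) {
    Node* load = g.add("LoadTypedArrayElement", Type::Float32, {}, true);
    return g.add("SetFrameArgument", Type::Value, {load}, false);
}

int main() {
    Graph g;
    applyNoFloatPolicy(g, buildTestcase(g), 0);
    return consistentFloat32Uses(g) ? 0 : 1;
}
```

Attaching the conversion to the consumer's operand policy means every path that builds the store gets it, instead of each call site having to remember to insert it.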
Attached patch Updated patch. — Splinter Review
Fixed patch as per recommendation.
Attachment #8338003 - Attachment is obsolete: true
Attachment #8338545 - Flags: review?(benj)
Comment on attachment 8338545 [details] [diff] [review]
Updated patch.

Review of attachment 8338545 [details] [diff] [review]:
-----------------------------------------------------------------

Cool, thanks!
Attachment #8338545 - Flags: review?(benj) → review+
https://hg.mozilla.org/mozilla-central/rev/ce322969a746
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Comment on attachment 8338545 [details] [diff] [review]
Updated patch.

decoder said he hits this one on beta and uplifting should be trivial.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 888109
User impact if declined: correctness issues
Testing completed (on m-c, etc.): testing on m-i and m-c completed
Risk to taking this patch (and alternatives if risky): very low, if not no risk at all
String or IDL/UUID changes made by this patch: N/A
Attachment #8338545 - Flags: approval-mozilla-beta?
Attachment #8338545 - Flags: approval-mozilla-beta? → approval-mozilla-beta+