Closed Bug 953337 Opened 9 years ago Closed 9 years ago

Assertion failure: popped[i]->isImplicitlyUsed() || popped[i]->isNewDerivedTypedObject() || popped[i]->defUseCount() > poppedUses[i], at jit/IonBuilder.cpp:1338

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla29

People

(Reporter: decoder, Assigned: jandem)

Details

(Keywords: assertion, testcase)

Attachments

(2 files, 2 obsolete files)

The following testcase asserts on mozilla-central revision fe7f7ead589c (run with --fuzzing-safe):

setJitCompilerOption("ion.usecount.trigger", 50);
var proxy = new Boolean({ get: function() {} }, {});
Function.prototype.__proto__ = proxy;
function g(x, y) {}
function f() {
  g.apply(this, arguments);
}
for (var i = 0; i < 1000; ++i) {
  f(i, i*2);
}
Attached file windows stack
also found via bughunter on http://saint-marc.ws/index.php
Attached patch Patch (obsolete) — Splinter Review
Just need an extra setFoldedUnchecked call.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8355203 - Flags: review?(nicolas.b.pierron)
Comment on attachment 8355203 [details] [diff] [review]
Patch

Review of attachment 8355203 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/IonBuilder.cpp
@@ +4935,5 @@
>  
>          MArgumentsLength *numArgs = MArgumentsLength::New(alloc());
>          current->add(numArgs);
>  
>          MApplyArgs *apply = MApplyArgs::New(alloc(), target, argFunc, numArgs, argThis);
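Review bot: No added or removed line is visible in this hunk, only context ending at the MApplyArgs::New(alloc(), target, argFunc, numArgs, argThis) call, so on this path argFunc is an operand of the new instruction and gains a use; the defUseCount() > poppedUses[i] clause of the assertion should already hold here without any flag, and the patch should state which pop of argFunc is left without a consumer.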

We are adding a use of argFunc here. The second part of the assertion should be verified in this case.

@@ +4971,5 @@
>      callInfo.setThis(argThis);
>  
>      // Pop function parameter.
>      MDefinition *argFunc = current->pop();
> +    argFunc->setFoldedUnchecked();
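Review bot: The added argFunc->setFoldedUnchecked() call needs a comment explaining why the popped argFunc can end up with no consumer on this path, since the assertion at IonBuilder.cpp:1338 only tolerates a popped definition that is flagged or that still gains a use; a reader of the "// Pop function parameter." block otherwise cannot tell whether the flag is masking a missing use. The page also notes that bug 953256 renamed isFolded to isImplicitlyUsed, so the naming of this call should be checked against the current predicate when the patch is rebased.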

Is the function inlined?  If it is not, then the MCall should have a use of argFunc and the second part of the assertion should be verified too.

Otherwise the issue is likely located in the inlining code.
Attachment #8355203 - Flags: review?(nicolas.b.pierron)
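An added model (not SpiderMonkey code; Def, Instr and the function names are hypothetical) of the invariant this assertion checks, as discussed in the review above: a definition popped while building an op must either be flagged implicitly used or have gained a consumer, which MApplyArgs provides on the apply path and the added setFoldedUnchecked call provides where argFunc is popped but not consumed.

```cpp
#include <cstddef>
#include <vector>
// Hypothetical model of the use-tracking invariant behind the assertion
// at IonBuilder.cpp:1338; names are illustrative, not SpiderMonkey's own.
struct Def {
    size_t useCount = 0;          // stands in for defUseCount()
    bool implicitlyUsed = false;  // stands in for isImplicitlyUsed()/isFolded()
    void setImplicitlyUsed() { implicitlyUsed = true; }
};

// An instruction consumes its operands: each operand gains one use.
struct Instr {
    std::vector<Def*> operands;
    explicit Instr(std::vector<Def*> ops) : operands(ops) {
        for (Def* d : operands) d->useCount++;
    }
};

// The check the assertion performs: every definition popped while building
// the current bytecode op must be flagged as implicitly used or have gained
// at least one consumer since its use count was recorded at pop time.
bool poppedInvariantHolds(const std::vector<Def*>& popped,
                          const std::vector<size_t>& poppedUses) {
    for (size_t i = 0; i < popped.size(); i++) {
        if (popped[i]->implicitlyUsed) continue;
        if (popped[i]->useCount > poppedUses[i]) continue;
        return false;
    }
    return true;
}

// Apply path: argFunc becomes an operand of the MApplyArgs-like
// instruction, so it gains a use and the invariant holds with no flag.
bool applyPathHolds() {
    Def argFunc, numArgs, argThis;
    std::vector<Def*> popped = {&argFunc};
    std::vector<size_t> poppedUses = {argFunc.useCount};
    Instr apply({&argFunc, &numArgs, &argThis});
    return poppedInvariantHolds(popped, poppedUses);
}

// argFunc popped but not consumed (the reviewer's inlining hypothesis):
// fails unless flagged, which is what the patch's setFoldedUnchecked does.
bool unconsumedPathHolds(bool flagImplicitlyUsed) {
    Def argFunc;
    std::vector<Def*> popped = {&argFunc};
    std::vector<size_t> poppedUses = {argFunc.useCount};
    if (flagImplicitlyUsed) argFunc.setImplicitlyUsed();
    return poppedInvariantHolds(popped, poppedUses);
}
```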
Loading http://www.theb-hotels.com/the-b-roppongi/en/ yielded:

Assertion failure: popped[i]->isImplicitlyUsed() || popped[i]->isNewDerivedTypedObject() || popped[i]->defUseCount() > poppedUses[i], at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/jit/IonBuilder.cpp:1338

which looks like it's the same, although the first piece of the || chain has changed since the bug was filed.
Yeah, bug 953256 changed isFolded to isImplicitlyUsed.
Summary: Assertion failure: popped[i]->isFolded() || popped[i]->isNewDerivedTypedObject() || popped[i]->defUseCount() > poppedUses[i], at jit/IonBuilder.cpp:1338 → Assertion failure: popped[i]->isImplicitlyUsed() || popped[i]->isNewDerivedTypedObject() || popped[i]->defUseCount() > poppedUses[i], at jit/IonBuilder.cpp:1338
Attached patch Patch v2 (obsolete) — Splinter Review
Attachment #8355203 - Attachment is obsolete: true
Attachment #8360317 - Flags: review?(nicolas.b.pierron)
Attached patch Patch — Splinter Review
Realized there's another place where we should set the flag. Sorry for the bugspam.
Attachment #8360317 - Attachment is obsolete: true
Attachment #8360317 - Flags: review?(nicolas.b.pierron)
Attachment #8360320 - Flags: review?(nicolas.b.pierron)
Attachment #8360320 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/mozilla-central/rev/103c0b6c135d
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Flags: in-testsuite+