Closed
Bug 955822
Opened 11 years ago
Closed 10 years ago
Crash [@ js::ThreadPoolWorker::getSlice] or Assertion failure: !used(), at jit/shared/Assembler-shared.h
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1026919
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])
Crash Data
Attachments
(1 file)
|
4.71 KB,
text/plain
|
Details |
function h(g, x) {
for (var j = 0; j < 99; ++j) {
try {
g(x[j], x[j]);
} catch (e) {}
}
}
f = (function(x, y) {
((-(Math.asinh(Math.fround(Math.fround(Math.round(x) < Math.fround(2))
> Math.fround((-(~x)) >> 0)) !== eval("this")) >> 0)) | 0)
(Math.n())
});
h(f, [-0])
asserts js debug shell on m-c changeset 4b242b19b006 with --ion-eager --ion-inlining=off --ion-check-range-analysis --ion-parallel-compile=off at Assertion failure: !used(), at jit/shared/Assembler-shared.h
My configure flags are:
CC="gcc -mfloat-abi=softfp -B/usr/lib/gcc/arm-linux-gnueabi/4.7" AR=ar CXX="g++ -mfloat-abi=softfp -B/usr/lib/gcc/arm-linux-gnueabi/4.7" sh ./configure --target=arm-linux-gnueabi --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>
Setting needinfo from some folks who have fixed ARM / range analysis bugs recently.Flags: needinfo?(sunfish)
Flags: needinfo?(dtc-moz)
|
Reporter | |
Comment 1•11 years ago
|
||
> asserts js debug shell on m-c changeset 4b242b19b006 with This was tested on the changeset rev with the patch in bug 952810 comment 2 applied.
|
||
Comment 2•11 years ago
|
||
This appears to be related to issues with the buffer pools on the ARM backend. The assertion failure occurs after an internal failure to pack the pools, which for now causes a compilation bailout that has any appearance of an OOM. [Pools] [0] Finishing pool 1 [Pools] [0] Linking entry 2 in pool 1 [Pools] [0] Fixing offset to -1668 [Pools] [0] Linking entry 1 in pool 1 [Pools] [0] Fixing offset to -1508 [Pools] [0] Linking entry 6 in pool 0 [Pools] [0] Fixing offset to -1372 [Pools] [0]***Offset was still out of range!*** [Pools] [0] Too complicated; bailingp The work in bug 760642 might address this. However it might also indicate a failure in the OOM bailout paths.
Depends on: 760642
Flags: needinfo?(dtc-moz)
|
||
Comment 3•10 years ago
|
||
Clearing my needinfo, since comment 2 doesn't sound related to my changes.
Flags: needinfo?(sunfish)
|
|
Reporter | |
Comment 5•10 years ago
|
||
Variant testcases crash at js::ThreadPoolWorker::getSlice and assert similarly. (It is really difficult for me to get a reduced testcase that crashes but not asserts though)
Crash Signature: [@ js::ThreadPoolWorker::getSlice]
Summary: Assertion failure: !used(), at jit/shared/Assembler-shared.h → Crash [@ js::ThreadPoolWorker::getSlice] or Assertion failure: !used(), at jit/shared/Assembler-shared.h
|
||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect]
|
|
||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
|
|
||
Comment 6•10 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
|
||
Updated•10 years ago
|
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
|
|
Reporter | |
Comment 7•10 years ago
|
||
Doug, another one likely fixed by the recent assembler buffer changes?
Flags: needinfo?(dtc-moz)
|
|
||
Comment 8•10 years ago
|
||
The pool allocation failure is resolved by bug 1026919, but it still bails out if the code goes over 32M or on OOM and these might still invoke the asserting failure. It should no longer fail on this test, so I am guessing this is reason enough to close this bug.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(mrosenberg)
Flags: needinfo?(dtc-moz)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•