Assertion failure: !type->canonicalSpill() || type->canonicalSpill() == typeAlloc, at jit/LinearScan.cpp

VERIFIED FIXED in mozilla29

Status


defect
--
critical
VERIFIED FIXED
6 years ago
4 years ago

People

(Reporter: gkw, Assigned: jandem)

Tracking

(Blocks 1 bug, {assertion, regression, testcase})

Trunk
mozilla29
x86
All
Points:
---

Firefox Tracking Flags

(tracking-b2g:backlog)

Details

Attachments

(2 attachments)

Reporter

Description

6 years ago
Posted file stack
function h(i, i) {
    i = ([Infinity([])])(1 ? l : arguments)
}
for (var j = 0; j < 2; ++j) {
    try {
        h(-Number, -Number)
    } catch (e) {}
}

asserts js debug shell on m-c changeset 30f3710477c2 with --ion-parallel-compile=off --ion-eager at Assertion failure: !type->canonicalSpill() || type->canonicalSpill() == typeAlloc, at jit/LinearScan.cpp

My configure flags are:

AR=ar sh ./configure --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-threadsafe <other NSPR options>
Reporter

Comment 1

6 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/9aba403595d5
user:        Jan de Mooij
date:        Thu Jan 09 12:10:14 2014 +0100
summary:     Bug 955850 - Fix regalloc safepoint issue. r=djvj

Jan, is bug 955850 a likely regressor?
Blocks: 955850
Flags: needinfo?(jdemooij)
Reporter

Comment 2

6 years ago
I have a 32-bit Mac testcase which I'll carry on reducing tomorrow.
Assignee

Comment 3

6 years ago
Posted patch Patch
Bogus asserts. I thought it was important/necessary for these conditions to hold, but it isn't of course: as long as the payload is in an argument slot (and hence is marked), it doesn't matter where the type tag is (register, stack slot etc) because GC only cares about the payload.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8358350 - Flags: review?(kvijayan)
Flags: needinfo?(jdemooij)
Reporter

Comment 4

6 years ago
function f() {
    function f(i0, i1) {
        i0 = i0 | 0;
        i = i1 | 0;
        switch (1) {
            case -3:
                switch (f) {}
        } {
            return 0
        }(arguments)
    }
    return f
};
for (var j = 0; j < 999; ++j) {
    (function(x) {
        f()(f()(x, f()()))
    })()
}

This is a testcase that asserts on 32-bit Mac.

Jan, do you think you can land these testcases (comment 0 and this) as well, when you land the patch for landing?
Flags: needinfo?(jdemooij)
OS: Windows 7 → All
Assignee

Comment 5

6 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> Jan, do you think you can land these testcases (comment 0 and this) as well,
> when you land the patch for landing?

Sure :)
Flags: needinfo?(jdemooij)
Attachment #8358350 - Flags: review?(kvijayan) → review+
Assignee

Comment 6

6 years ago
Pushed directly to b2g-inbound as requested by gwagner, to unbreak b2g emulator debug builds.

https://hg.mozilla.org/integration/b2g-inbound/rev/058c053e2f07

Setting needinfo to add the tests; I didn't want to block this trivial patch on that.
Flags: needinfo?(jdemooij)
Assignee

Updated

6 years ago
Duplicate of this bug: 958732
https://hg.mozilla.org/mozilla-central/rev/058c053e2f07
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29

Updated

5 years ago
Keywords: verifyme
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.

Updated

5 years ago
Keywords: verifyme
Assignee

Comment 10

5 years ago
It took a while, but just added the tests:

https://hg.mozilla.org/integration/mozilla-inbound/rev/3eeb45f8ec21
Flags: needinfo?(jdemooij)

Updated

5 years ago
blocking-b2g: --- → 1.3?
blocking-b2g: 1.3? → backlog

Updated

5 years ago
See Also: → 993317
(In reply to Joe Cheng [:jcheng] from comment #12)
> 1.3T? to discuss https://bugzilla.mozilla.org/show_bug.cgi?id=993317#c6

:jcheng let's not block on this unless there is a known user impact
triage; let's not block tarako release with this. If we have a safe solution, let's evaluate if we can uplift to 1.3T, thanks
blocking-b2g: 1.3T? → backlog
blocking-b2g: backlog → ---