Closed Bug 958432 Opened 7 years ago Closed 7 years ago

Assertion failure: !type->canonicalSpill() || type->canonicalSpill() == typeAlloc, at jit/LinearScan.cpp

Categories: Core :: JavaScript Engine: JIT
Platform: x86 / All
Type: defect
Priority: Not set
Severity: critical

Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla29
tracking-b2g: backlog

People
Reporter: gkw
Assigned: jandem

Details
Keywords: assertion, regression, testcase

Attachments (2 files)

Attached file stack
function h(i, i) {
    i = ([Infinity([])])(1 ? l : arguments)
}
for (var j = 0; j < 2; ++j) {
    try {
        h(-Number, -Number)
    } catch (e) {}
}

asserts js debug shell on m-c changeset 30f3710477c2 with --ion-parallel-compile=off --ion-eager at Assertion failure: !type->canonicalSpill() || type->canonicalSpill() == typeAlloc, at jit/LinearScan.cpp

My configure flags are:

AR=ar sh ./configure --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-threadsafe <other NSPR options>
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/9aba403595d5
user:        Jan de Mooij
date:        Thu Jan 09 12:10:14 2014 +0100
summary:     Bug 955850 - Fix regalloc safepoint issue. r=djvj

Jan, is bug 955850 a likely regressor?
Blocks: 955850
Flags: needinfo?(jdemooij)
I have a 32-bit Mac testcase which I'll carry on reducing tomorrow.
Attached patch Patch
Bogus asserts. I thought it was important/necessary for these conditions to hold, but it isn't of course: as long as the payload is in an argument slot (and hence is marked), it doesn't matter where the type tag is (register, stack slot etc) because GC only cares about the payload.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8358350 - Flags: review?(kvijayan)
Flags: needinfo?(jdemooij)
function f() {
    function f(i0, i1) {
        i0 = i0 | 0;
        i = i1 | 0;
        switch (1) {
            case -3:
                switch (f) {}
        } {
            return 0
        }(arguments)
    }
    return f
};
for (var j = 0; j < 999; ++j) {
    (function(x) {
        f()(f()(x, f()()))
    })()
}

This is a testcase that asserts on 32-bit Mac.

Jan, do you think you can land these testcases (comment 0 and this) as well, when you land the patch for landing?
Flags: needinfo?(jdemooij)
OS: Windows 7 → All
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> Jan, do you think you can land these testcases (comment 0 and this) as well,
> when you land the patch for landing?

Sure :)
Flags: needinfo?(jdemooij)
Attachment #8358350 - Flags: review?(kvijayan) → review+
Pushed directly to b2g-inbound as requested by gwagner, to unbreak b2g emulator debug builds.

https://hg.mozilla.org/integration/b2g-inbound/rev/058c053e2f07

Setting needinfo to add the tests; I didn't want to block this trivial patch on that.
Flags: needinfo?(jdemooij)
Duplicate of this bug: 958732
https://hg.mozilla.org/mozilla-central/rev/058c053e2f07
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Keywords: verifyme
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Keywords: verifyme
It took a while, but just added the tests:

https://hg.mozilla.org/integration/mozilla-inbound/rev/3eeb45f8ec21
Flags: needinfo?(jdemooij)
blocking-b2g: --- → 1.3?
blocking-b2g: 1.3? → backlog
See Also: → 993317
(In reply to Joe Cheng [:jcheng] from comment #12)
> 1.3T? to discuss https://bugzilla.mozilla.org/show_bug.cgi?id=993317#c6

:jcheng let's not block on this unless there is a known user impact
triage; let's not block tarako release with this. If we have a safe solution, let's evaluate if we can uplift to 1.3T. Thanks
blocking-b2g: 1.3T? → backlog
blocking-b2g: backlog → ---