Closed Bug 970261 Opened 10 years ago Closed 9 years ago

Assertion failure: !used(), at jit/shared/Assembler-shared.h:360

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
major

RESOLVED WORKSFORME
Tracking Status
firefox30 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:bisectfix])

The following testcase asserts on mozilla-central revision f550b112a19b (x86 ARM simulator build, run with --fuzzing-safe --arm-sim-icache-checks --ion-eager --ion-check-range-analysis --ion-regalloc=backtracking):


function f1() {
    return !!([1].x++) * 0.1;
} 
function rnd(n) {
  return Math.floor(f1() * n)
};
function f2(d, b) {
  rnd(4);
  return f2();
}
f2();
Blocks: 959597
No longer blocks: IonFuzz
Looks like problems in the OOM paths.  The assertion does not look reliable - the OOM might have occurred after the label was used.
Yea I think this assertion caused lots of problems before with OOM conditions and we even considered removing it before. If in this case it's also an OOM (and not some other, more important bug), then I'd really vote for killing this assertion.
Douglas, you also mentioned OOM in a possibly-related bug 955822.
(In reply to Gary Kwong [:gkw] [:nth10sd] catching up on email/bugmail from comment #3)
> Douglas, you also mentioned OOM in a possibly-related bug 955822.

Sorry, I misread the code, it's not an OOM issue but clearly another ARM constant pool packing failure.  It's being worked on.
Depends on: 760642
Assignee: general → nobody
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 951e3a671279).
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, failed due to error (try manually).
I retested this and it still reproduces.
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f92e4d13b3c6).
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:bisectfix]
Flags: needinfo?(bhackett1024)
I can't reproduce this, can you still do so decoder?  Does anyone know if this is a backtracking allocator bug, or an ARM assembler bug (i.e. comment 4)?
Flags: needinfo?(bhackett1024)
(In reply to Brian Hackett (:bhackett) from comment #9)
> I can't reproduce this, can you still do so decoder?  Does anyone know if
> this is a backtracking allocator bug, or an ARM assembler bug (i.e. comment
> 4)?

It appeared to be a problem in the OOM paths, and not a backtracking allocator bug.

Comment 4 noted that a constant pool packing consistency check failed, and this caused a bail out from compilation like an OOM. The assertion failure looks like a poorly handled OOM path.

The assembler no longer has these constant pool packing failures and the bailout path no longer exists so this test case is not expected to reproduce the assertion failure.

There might still be issues with the OOM paths, but these could use targeted testing.

I suggest closing this bug.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
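
The failure mode discussed in this bug, as an added C++ sketch that is not SpiderMonkey code: a compile that bails out after a jump has been emitted leaves its label used but unbound, so an unconditional `!used()` check fires on the error path, while a check that first consults the failure state still fires for a genuinely forgotten bind. `Label`, `MiniAssembler`, `Result` and `compile` are hypothetical names for a simplified model.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Simplified model with hypothetical names; not SpiderMonkey's real classes.
// A label is "used" while emitted jumps still wait for its address.
struct Label {
    bool bound = false;
    std::int32_t target = -1;
    std::vector<std::size_t> pending;  // offsets of jumps awaiting a target
    bool used() const { return !bound && !pending.empty(); }
};

class MiniAssembler {
    std::vector<std::int32_t> code_;
    bool failed_ = false;  // set by OOM or any other compilation bail-out
  public:
    bool failed() const { return failed_; }
    void fail() { failed_ = true; }
    void jump(Label& l) {
        if (!l.bound) l.pending.push_back(code_.size());
        code_.push_back(l.bound ? l.target : -1);  // -1 is a placeholder
    }
    void bind(Label& l) {
        l.target = static_cast<std::int32_t>(code_.size());
        for (std::size_t off : l.pending) code_[off] = l.target;  // patch jumps
        l.pending.clear();
        l.bound = true;
    }
};

struct Result { bool strictHolds, guardedHolds, failed; };

// Emits one forward jump, then optionally bails out or forgets the bind.
Result compile(bool failMidway, bool forgetBind) {
    MiniAssembler masm;
    Label done;
    masm.jump(done);                 // the label is now used
    if (failMidway) masm.fail();     // the bail-out happens after the use
    if (!masm.failed() && !forgetBind) masm.bind(done);
    bool strict = !done.used();      // the unconditional invariant
    return {strict, masm.failed() || strict, masm.failed()};
}

int main() {
    Result r = compile(true, false);
    return (!r.strictHolds && r.guardedHolds) ? 0 : 1;
}
```
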