Closed Bug 980400 Opened 7 years ago Closed 7 years ago

Assertion failure: false (MOZ_ASSUME_UNREACHABLE(NYI: SIMDUnaryFunction)), at jit/MOpcodes.h:244 or Crash [@ js::jit::LiveInterval::addRangeAtHead]

Categories

(Core :: JavaScript Engine: JIT, defect)

Hardware: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED
mozilla30
Tracking Status
firefox30 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])

Attachments

(1 file, 1 obsolete file)

The following testcase asserts on mozilla-central revision 8122ffa9e1aa (run with --fuzzing-safe --ion-compile-try-catch --ion-eager --ion-eager):


var float32x4 = SIMD.float32x4;
function test() {
  var a = float32x4(1, 4, 9, 16);
  var c = SIMD.float32x4.sqrt(a);
  assertEq(c.x, 1);
}
test();
test();

Options in comment 0 are messed up, --ion-eager is the only one needed.

This assert also pops up in slight variations (SIMDBinaryFunction, SIMDTernaryFunction). I assume these are all the same bug, so the signature attached covers them all.

Needinfo from Niko, this is a fuzzblocker (triggers all the time).
Crash Signature: [@ js::jit::LiveInterval::addRangeAtHead]
Flags: needinfo?(nmatsakis)
Keywords: crash
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Attachment #8386876 - Attachment is obsolete: true
Crash Signature: [@ js::jit::LiveInterval::addRangeAtHead] → [@ js::jit::LiveInterval::addRangeAtHead] [@ js::jit::ObjectPolicy<0u>::staticAdjustInputs]
Blocks: 943769
Crash Signature: [@ js::jit::LiveInterval::addRangeAtHead] [@ js::jit::ObjectPolicy<0u>::staticAdjustInputs] → [@ js::jit::LiveInterval::addRangeAtHead] [@ js::jit::ObjectPolicy<0u>::staticAdjustInputs]
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/7efaabf97f0c
user:        Haitao Feng
date:        Tue Mar 04 20:06:26 2014 -0500
summary:     Bug 943769 Part 2 -- Set up SIMD inlining infrastructure r=nmatsakis

This iteration took 0.957 seconds to run.
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 0dc1be930880).
Crash Signature: [@ js::jit::LiveInterval::addRangeAtHead] [@ js::jit::ObjectPolicy<0u>::staticAdjustInputs] → [@ js::jit::LiveInterval::addRangeAtHead] [@ js::jit::ObjectPolicy<0u>::staticAdjustInputs]
This was due to the incomplete patch that was backed out.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(nmatsakis)
Resolution: --- → FIXED
Target Milestone: --- → mozilla30