Bug 1116646 (Closed): Assertion failure: index < VREG_MASK, at jit/LIR.h
Opened 10 years ago; closed 10 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED; target milestone mozilla37
Release | Tracking | Status
---|---|---
firefox37 | --- | affected
People: Reporter gkw, Assigned bhackett1024
Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:]
Attachments (2 files):
- text/plain attachment (deleted)
- patch (deleted), jandem: review+
```js
// Randomly chosen test: js/src/tests/js1_5/Expressions/regress-394673.js
var a = [];
for (var i = 1; i < 60000; ++i) {
    a.push("f()");
}
Function(a.join("||"))();
```
asserts js debug 32-bit shell on m-c changeset 69b64e65fbb2 with --fuzzing-safe --no-threads --ion-eager --ion-limit-script-size=off at Assertion failure: index < VREG_MASK, at jit/LIR.h.
Debug configure options:
LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Setting s-s and assuming sec-critical because LIR seems to be involved.
I'm running bisection soon.
Flags: needinfo?
Comment 1 (Reporter) • 10 years ago
(lldb) bt 5
* thread #1: tid = 0x281af, 0x0055f46a js-dbg-opt-32-dm-nsprBuild-darwin-69b64e65fbb2`js::jit::LUse::setVirtualRegister(this=<unavailable>, index=<unavailable>) + 186 at LIR.h:276, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0055f46a js-dbg-opt-32-dm-nsprBuild-darwin-69b64e65fbb2`js::jit::LUse::setVirtualRegister(this=<unavailable>, index=<unavailable>) + 186 at LIR.h:276
frame #1: 0x004adffa js-dbg-opt-32-dm-nsprBuild-darwin-69b64e65fbb2`js::jit::LIRGeneratorShared::usePayload(js::jit::MDefinition*, js::jit::LUse::Policy) [inlined] js::jit::LUse::LUse(this=0x0000001a, vreg=<unavailable>, usedAtStart=<unavailable>) + 218 at LIR.h:255
frame #2: 0x004adfce js-dbg-opt-32-dm-nsprBuild-darwin-69b64e65fbb2`js::jit::LIRGeneratorShared::usePayload(js::jit::MDefinition*, js::jit::LUse::Policy) [inlined] js::jit::LUse::LUse(this=0x0000001a, usedAtStart=<unavailable>) at LIR.h:256
frame #3: 0x004adfce js-dbg-opt-32-dm-nsprBuild-darwin-69b64e65fbb2`js::jit::LIRGeneratorShared::usePayload(this=0xbfffea10, mir=<unavailable>, policy=KEEPALIVE) + 174 at Lowering-shared-inl.h:459
frame #4: 0x00499593 js-dbg-opt-32-dm-nsprBuild-darwin-69b64e65fbb2`js::jit::LIRGeneratorShared::buildSnapshot(this=<unavailable>, ins=0x0217a010, rp=0x0d8f9a30, kind=<unavailable>) + 483 at Lowering-shared.cpp:204
(lldb
Flags: needinfo?
Comment 2 (Reporter) • 10 years ago
This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:
http://hg.mozilla.org/mozilla-central/file/69b64e65fbb2/js/src/tests/js1_5/Expressions/regress-394673.js
Updated • 10 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 3 • 10 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 4 (Reporter) • 10 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/872df69a912c
user: Brian Hackett
date: Tue Dec 09 07:28:44 2014 -0700
summary: Bug 1107774 - Make LIRGenerator visit() methods infallible, r=jandem.
Brian, is bug 1107774 a likely regressor?
(note that this seems 32-bit only)
Blocks: 1107774
Flags: needinfo?(bhackett1024)
Comment 5 (Assignee) • 10 years ago
This is a bogus assert. LIRGeneratorShared::defineBox calls getVirtualRegister twice on NUNBOX32 builds but ignores the return value of the second call, as it normally will equal the result of the first call + 1. But when we hit the VREG cap the second call returns a different value, and we end up with a value that is too high, though the compilation is about to OOM anyways (as triggered by the second getVirtualRegister call) so this doesn't matter.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8544280 - Flags: review?(jdemooij)
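To make the mechanism in comment 5 concrete, here is a toy model of the two allocator shapes, added for this page and not code from SpiderMonkey. The constants, the `ToyLowering` struct, the `nextVreg = 1` starting point and the `lowerUntilOom` driver are all assumptions of the toy; `setVirtualRegisterOk` stands in for the `index < VREG_MASK` assertion from the bug title, and `defineBoxOk` mimics the NUNBOX32 defineBox pattern of asking for two registers but keeping only the first.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed stand-in values; small so the cap is reached in a few steps.
static const uint32_t VREG_MASK = 15;                  // LUse indexes must be < VREG_MASK
static const uint32_t MAX_VIRTUAL_REGISTERS = VREG_MASK;

struct ToyLowering {
    uint32_t nextVreg = 1;   // vreg 0 treated as reserved (assumption of the toy)
    bool oom = false;        // set once the cap is hit; the real compile aborts afterwards

    // Pre-fix shape: reject only once the returned number is itself out of range.
    uint32_t getVirtualRegisterOld() {
        uint32_t vreg = nextVreg++;
        if (vreg >= MAX_VIRTUAL_REGISTERS) { oom = true; return 0; }
        return vreg;
    }

    // Shape of the fix: fail while one register of headroom remains, so a caller
    // that takes two consecutive registers never gets a vreg whose vreg+1 is out of range.
    uint32_t getVirtualRegisterNew() {
        uint32_t vreg = nextVreg++;
        if (vreg + 1 >= MAX_VIRTUAL_REGISTERS) { oom = true; return 0; }
        return vreg;
    }

    uint32_t get(bool fixed) { return fixed ? getVirtualRegisterNew() : getVirtualRegisterOld(); }
};

// Stand-in for LUse::setVirtualRegister: true where MOZ_ASSERT(index < VREG_MASK) would pass.
static bool setVirtualRegisterOk(uint32_t index) { return index < VREG_MASK; }

// NUNBOX32-style defineBox: asks for two registers but keeps only the first,
// assuming the second one is first+1 (the assumption comment 5 describes).
static bool defineBoxOk(ToyLowering& lowering, bool fixed) {
    uint32_t vreg = lowering.get(fixed);
    (void)lowering.get(fixed);          // second result ignored; at the cap it is not vreg+1
    uint32_t typeVreg = vreg;
    uint32_t payloadVreg = vreg + 1;
    return setVirtualRegisterOk(typeVreg) && setVirtualRegisterOk(payloadVreg);
}

// Lower `singles` one-register definitions, then box pairs until the cap is hit.
// Returns true iff every index handed to setVirtualRegisterOk was in range.
static bool lowerUntilOom(bool fixed, uint32_t singles) {
    ToyLowering lowering;
    bool allOk = true;
    for (uint32_t i = 0; i < singles; i++)
        allOk = setVirtualRegisterOk(lowering.get(fixed)) && allOk;
    while (!lowering.oom)
        allOk = defineBoxOk(lowering, fixed) && allOk;
    return allOk;
}

int main() {
    printf("pre-fix, 0 singles: %s\n", lowerUntilOom(false, 0) ? "ok" : "ASSERT");
    printf("pre-fix, 1 single : %s\n", lowerUntilOom(false, 1) ? "ok" : "ASSERT");
    printf("fixed,   0 singles: %s\n", lowerUntilOom(true, 0) ? "ok" : "ASSERT");
    printf("fixed,   1 single : %s\n", lowerUntilOom(true, 1) ? "ok" : "ASSERT");
    return 0;
}
```

In the toy, the pre-fix allocator only trips the assertion when the pair straddles the cap (one single definition before the pairs shifts the parity so that the first call returns 14 and the second hits the limit), which is why a fuzzed script of a particular shape was needed to expose it; the `vreg + 1` check fails the first call of the pair instead, so no out-of-range index is ever handed to the LUse check regardless of parity.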
Comment 6 (Assignee) • 10 years ago
Bogus assert, not s-s.
Group: core-security, javascript-core-security
Updated • 10 years ago
Keywords: sec-critical
Comment 7 • 10 years ago
Comment on attachment 8544280 [details] [diff] [review]
patch
Review of attachment 8544280 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/jit/shared/Lowering-shared.h
@@ +165,5 @@
> }
>
> uint32_t getVirtualRegister() {
> uint32_t vreg = lirGraph_.getVirtualRegister();
> + if (vreg + 1 >= MAX_VIRTUAL_REGISTERS) {
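Review bot: the `+ 1` in `if (vreg + 1 >= MAX_VIRTUAL_REGISTERS)` is easy to misread as an off-by-one, but it is the point of the fix: comment 5 says defineBox on NUNBOX32 calls getVirtualRegister twice and keeps only the first result, assuming the second is the first plus one, so the first call must already fail while one register of headroom remains. A one-line comment above the condition saying so would protect it from a later "correction". The hunk also ends before the body of the if, so the full patch should be checked to confirm the cap is reported as a compilation failure (the OOM comment 5 mentions) rather than silently returning a number that later reaches setVirtualRegister.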
I can imagine somebody thinking the +1 is an off-by-one and removing it, so maybe very briefly mention why it's necessary.
Attachment #8544280 - Flags: review?(jdemooij) → review+
Comment 8 (Assignee) • 10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37