m = (function(stdlib, n, heap) { "use asm" var Float64ArrayView = new stdlib.Float64Array(heap) var Int16ArrayView = new stdlib.Int16Array(heap) function f(i0) { i0 = i0 | 0 i0 = i0 | 0 Int16ArrayView[0] = (i0 << 0) + i0 Float64ArrayView[0] } return f })(this, {}, Array) for (var j = 0; j < 9; j++) { m() } asserts js debug shell on m-c changeset 2795a48dfebe with --fuzzing-safe --no-threads --ion-eager at Assertion failure: !iter->hasLiveDefUses(), at jit/IonAnalysis.cpp and crashes js opt shell at js::jit::LiveInterval::addRangeAtHead. Configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 2795a48dfebe === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150312105732" and the hash "25b9c28d877e". The "bad" changeset has the timestamp "20150312110326" and the hash "7529425ef21f". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=25b9c28d877e&tochange=7529425ef21f Nicolas, is bug 1105574 a likely regressor?

(lldb) bt 5 * thread #1: tid = 0xd9c05, 0x00000001004f5f86 js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::AssertBasicGraphCoherency(graph=<unavailable>) + 6150 at IonAnalysis.cpp:1950, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x00000001004f5f86 js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::AssertBasicGraphCoherency(graph=<unavailable>) + 6150 at IonAnalysis.cpp:1950 frame #1: 0x00000001004f6afa js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::AssertGraphCoherency(graph=0x0000000105807840) + 42 at IonAnalysis.cpp:2055 frame #2: 0x00000001004f7bbd js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::AssertExtendedGraphCoherency(graph=0x0000000105807840) + 45 at IonAnalysis.cpp:2142 frame #3: 0x00000001004f3bcb js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::OptimizeMIR(mir=0x00000001058079a8) + 4011 at Ion.cpp:1424 frame #4: 0x00000001005009f6 js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) [inlined] js::jit::CompileBackEnd(mir=0x00000001058079a8, aRhs=<unavailable>) + 42 at Ion.cpp:1619 (lldb)

(lldb) bt 5 * thread #1: tid = 0xdcbc8, 0x00000001003481c0 js-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::LiveInterval::addRangeAtHead(js::jit::CodePosition, js::jit::CodePosition) [inlined] mozilla::VectorBase<js::jit::LiveInterval::Range, 1ul, js::jit::JitAllocPolicy, js::Vector<js::jit::LiveInterval::Range, 1ul, js::jit::JitAllocPolicy> >::empty(this=0x0000000000000010) const at Vector.h:407, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x20) * frame #0: 0x00000001003481c0 js-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::LiveInterval::addRangeAtHead(js::jit::CodePosition, js::jit::CodePosition) [inlined] mozilla::VectorBase<js::jit::LiveInterval::Range, 1ul, js::jit::JitAllocPolicy, js::Vector<js::jit::LiveInterval::Range, 1ul, js::jit::JitAllocPolicy> >::empty(this=0x0000000000000010) const at Vector.h:407 frame #1: 0x00000001003481c0 js-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::LiveInterval::addRangeAtHead(this=0x0000000000000000, from=<unavailable>, to=<unavailable>) + 16 at LiveRangeAllocator.cpp:157 frame #2: 0x00000001003ce9ea js-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::LiveRangeAllocator<js::jit::BacktrackingVirtualRegister, false>::buildLivenessInfo(this=0x00007fff5fbfcf68) + 3114 at LiveRangeAllocator.cpp:859 frame #3: 0x000000010022e7c5 js-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::BacktrackingAllocator::go(this=0x00007fff5fbfcf68) + 21 at BacktrackingAllocator.cpp:83 frame #4: 0x00000001002ebc1c js-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::GenerateLIR(mir=0x00000001040ad788) + 1932 at Ion.cpp:1553 (lldb)

This patch ignores any optimization attempt if one of the operands is recovered on bailout.

Comment on attachment 8583816 [details] [diff] [review] Do not optimize instruction recovered on bailout with effective addresses. Why would IR nodes be "recoevered on bailout" during asm.js compilation? There are necessarily zero bailouts. Anyhow, forwarding review to sunfish.

(In reply to Luke Wagner [:luke] from comment #4) > Comment on attachment 8583816 [details] [diff] [review] > Do not optimize instruction recovered on bailout with effective addresses. > > Why would IR nodes be "recoevered on bailout" during asm.js compilation? > There are necessarily zero bailouts. Anyhow, forwarding review to sunfish. There's a link failure error, because we pass Array as the heap argument, so we switch to interpreted JS, and Ion steps in quickly because --ion-eager.

Ah, I see; and we run EAA not only when compilingAsmJS.

Comment on attachment 8583816 [details] [diff] [review] Do not optimize instruction recovered on bailout with effective addresses. Review of attachment 8583816 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit-test/tests/ion/bug1143216.js @@ +1,2 @@ > +m = (function(stdlib, n, heap) { > + "use asm" > There's a link failure error, because we pass Array as the heap argument, so > we switch to interpreted JS, and Ion steps in quickly because --ion-eager. This is pretty subtle. A brief comment in this test mentioning that it's expected to get a link failure would help save some confusion in the future :). ::: js/src/jit/EffectiveAddressAnalysis.cpp @@ +61,5 @@ > last = add; > } > > + if (last->isRecoveredOnBailout()) > + return; We already checked last when it was lsh above, so these lines can be moved up into the if body above.

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #0) > Nicolas, is bug 1105574 a likely regressor? Yes, it is.