Closed
Bug 678072
Opened 13 years ago
Closed 13 years ago
IonMonkey: Assertion failure: live->empty(), at ion/LinearScan.cpp:514
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: h4writer, Assigned: adrake)
References
Details
Attachments
(2 files, 2 obsolete files)
(deleted),
application/javascript
|
Details | |
(deleted),
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on x64 with:
Assertion failure: live->empty(), at ion/LinearScan.cpp:514
Reporter | ||
Updated•13 years ago
|
Reporter | ||
Updated•13 years ago
|
Assignee | ||
Comment 1•13 years ago
|
||
Unbox instructions snapshot their own outputs, causing liveness analysis to show the output as live into the instruction. This patch adds a case to avoid propagating liveness from uses of just-defined values, with the assertion that they are snapshot inputs.
dvander: This seems kind of strange from a snapshot perspective -- should LIR snapshots really include values defined by their assigned instructions?
Snapshotting your own output is totally bad. We should look into that instead. Type analysis is somewhat careful to make sure that doesn't happen - but that would be the first place to look.
Assignee | ||
Updated•13 years ago
|
Attachment #552307 -
Flags: review?(dvander)
Assignee | ||
Comment 3•13 years ago
|
||
Explicitly include the "this" parameter when setting snapshots so we don't leave off the last argument. If we should be excluding the this slot, or if there's a less-hacky way than +1, I'll do that instead.
Attachment #552307 -
Attachment is obsolete: true
Attachment #552329 -
Flags: review?(dvander)
Assignee | ||
Comment 4•13 years ago
|
||
Attachment #552329 -
Attachment is obsolete: true
Attachment #552329 -
Flags: review?(dvander)
Attachment #552330 -
Flags: review?(dvander)
Comment on attachment 552330 [details] [diff] [review]
Patch v1, now with 100% more patch
Review of attachment 552330 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/ion/IonBuilder.cpp
@@ +187,5 @@
> current->makeStart(start);
>
> // Attach start's snapshot to each parameter, so the type analyzer doesn't
> // replace uses in the snapshot.
> + for (uint32 i = 0; i < nargs() + 1; i++) {
Nice catch. Could you use i < CountArgSlots(fun()) instead?
Attachment #552330 -
Flags: review?(dvander) → review+
Assignee | ||
Comment 6•13 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•