Closed Bug 1072691 Opened 10 years ago Closed 10 years ago

Crash [@ js::jit::LiveInterval::addRangeAtHead] or Assertion failure: opIter != block->end() (Operand in same block as instruction does not precede), or Assertion failure: opBlock->dominates(*block) (Instruction is not dominated by its operands),

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla35
Tracking Status
firefox35 --- affected

People

(Reporter: gkw, Assigned: h4writer)

References

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Crash Data

Attachments

(4 files)

function g() {
    (x | 0 && 0)()
}
(function(f, s) {
    f()
})(g, [])

asserts js debug shell on m-i changeset e6e63113336d with --no-threads --ion-eager at Assertion failure: opIter != block->end() (Operand in same block as instruction does not precede), at jit/IonAnalysis.cpp.

Debug configure flags:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-inbound/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140924034358" and the hash "b8e97b8d1d7d".
The "bad" changeset has the timestamp "20140924035355" and the hash "d77b931c4b69".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=b8e97b8d1d7d&tochange=d77b931c4b69

Hannes, is bug 1071879 a possible regressor?
Flags: needinfo?(hv1989)
There are many variations of this fuzzblocker, including:

===

function g(f, inputs) {
    for (var j = 0; j < 49; ++j) {
        for (var k = 0; k < 49; ++k) {
            try {
                f()
            } catch (e) {}
        }
    }
}
function f1(x, y) {
    (x | 0 ? Number.MAX_VALUE | 0 : x | 0)();
};
function f2(y) {
    f1(y | 0)();
};
g(f2, [Number])

$ ./js-dbg-opt-64-dm-nsprBuild-darwin-e6e63113336d --no-threads --baseline-eager testcase.js
Assertion failure: opBlock->dominates(*block) (Instruction is not dominated by its operands), at /Users/skywalker/trees/mozilla-inbound/js/src/jit/IonAnalysis.cpp:2049
Segmentation fault: 11

===

function h(f) {
    for (var j = 0; j < 99; ++j) {
        for (var k = 0; k < 99; ++k) {
            try {
                f()
            } catch (e) {}
        }
    }
}
function g(x) {
    (x | 0 ? Number.MAX_VALUE | 0 : x | 0)
}
h(g, [Number])

$ ./js-dbg-opt-64-dm-nsprBuild-darwin-e6e63113336d --no-threads --baseline-eager testcase.js
Assertion failure: phi->getOperand(i)->block()->dominates(block->getPredecessor(i)) (Phi input is not dominated by its operand), at /Users/skywalker/trees/mozilla-inbound/js/src/jit/IonAnalysis.cpp:2038
Segmentation fault: 11
Summary: Assertion failure: opIter != block->end() (Operand in same block as instruction does not precede), at jit/IonAnalysis.cpp → Assertion failure: opIter != block->end() (Operand in same block as instruction does not precede), or Assertion failure: opBlock->dominates(*block) (Instruction is not dominated by its operands),
And even:

Assertion failure: isLowered(), at jit/MIR.h

(I don't have a good testcase for this, as everything seems to reduce to either one of the assertions listed in this bug)
(lldb) bt 5
* thread #1: tid = 0x100455, 0x00000001002a58f1 js-dbg-opt-64-dm-nsprBuild-darwin-e6e63113336d`js::jit::AssertExtendedGraphCoherency(js::jit::MIRGraph&) [inlined] AssertDominatorTree(graph=<unavailable>) + 463 at IonAnalysis.cpp:1945, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001002a58f1 js-dbg-opt-64-dm-nsprBuild-darwin-e6e63113336d`js::jit::AssertExtendedGraphCoherency(js::jit::MIRGraph&) [inlined] AssertDominatorTree(graph=<unavailable>) + 463 at IonAnalysis.cpp:1945
    frame #1: 0x00000001002a5722 js-dbg-opt-64-dm-nsprBuild-darwin-e6e63113336d`js::jit::AssertExtendedGraphCoherency(graph=<unavailable>) + 1762 at IonAnalysis.cpp:1991
    frame #2: 0x000000010026a169 js-dbg-opt-64-dm-nsprBuild-darwin-e6e63113336d`js::jit::OptimizeMIR(mir=0x00000001030d5640) + 1369 at Ion.cpp:1525
    frame #3: 0x000000010026ccc7 js-dbg-opt-64-dm-nsprBuild-darwin-e6e63113336d`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, js::ExecutionMode) [inlined] js::jit::CompileBackEnd(mir=0x00000001030d57a8, aRhs=<unavailable>) + 42 at Ion.cpp:1807
    frame #4: 0x000000010026cc9d js-dbg-opt-64-dm-nsprBuild-darwin-e6e63113336d`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, js::ExecutionMode) [inlined] js::jit::IonCompile(script=<unavailable>, baselineFrame=<unavailable>, executionMode=SequentialExecution) + 758 at Ion.cpp:2097
(lldb) bt 5
* thread #1: tid = 0x1005b5, 0x00000001002a58f1 js-dbg-opt-64-dm-nsprBuild-darwin-e6e63113336d`js::jit::AssertExtendedGraphCoherency(js::jit::MIRGraph&) [inlined] AssertDominatorTree(graph=<unavailable>) + 463 at IonAnalysis.cpp:1945, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001002a58f1 js-dbg-opt-64-dm-nsprBuild-darwin-e6e63113336d`js::jit::AssertExtendedGraphCoherency(js::jit::MIRGraph&) [inlined] AssertDominatorTree(graph=<unavailable>) + 463 at IonAnalysis.cpp:1945
    frame #1: 0x00000001002a5722 js-dbg-opt-64-dm-nsprBuild-darwin-e6e63113336d`js::jit::AssertExtendedGraphCoherency(graph=<unavailable>) + 1762 at IonAnalysis.cpp:1991
    frame #2: 0x000000010026a169 js-dbg-opt-64-dm-nsprBuild-darwin-e6e63113336d`js::jit::OptimizeMIR(mir=0x00000001040ca840) + 1369 at Ion.cpp:1525
    frame #3: 0x000000010026ccc7 js-dbg-opt-64-dm-nsprBuild-darwin-e6e63113336d`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, js::ExecutionMode) [inlined] js::jit::CompileBackEnd(mir=0x00000001040caa58, aRhs=<unavailable>) + 42 at Ion.cpp:1807
    frame #4: 0x000000010026cc9d js-dbg-opt-64-dm-nsprBuild-darwin-e6e63113336d`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, js::ExecutionMode) [inlined] js::jit::IonCompile(script=<unavailable>, baselineFrame=<unavailable>, executionMode=SequentialExecution) + 758 at Ion.cpp:2097
function m(f) {
    f()
}
function g(x) {
    return x ? Math.fround(-Number.MIN_VALUE) : x
}
m(g)
function h() {
    (g(-0 + M))()
}
m(h, [Math - Number])

Crash [@ js::jit::LiveInterval::addRangeAtHead]

AR=ar sh /home/fuzz2lin/trees/mozilla-central/js/src/configure --disable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

(asserts debug build at Assertion failure: opBlock->dominates(*block) (Instruction is not dominated by its operands), at jit/IonAnalysis.cpp)

Opt crash stack:

#0  js::jit::LiveInterval::addRangeAtHead (this=this@entry=0x0, from=..., to=to@entry=...) at /home/fuzz2lin/trees/mozilla-central/js/src/jit/LiveRangeAllocator.cpp:157
#1  0x000000000064de0f in js::jit::LiveRangeAllocator<js::jit::LinearScanVirtualRegister, true>::buildLivenessInfo (this=this@entry=0x7fffffffbac0)
    at /home/fuzz2lin/trees/mozilla-central/js/src/jit/LiveRangeAllocator.cpp:847
#2  0x000000000063343e in js::jit::LinearScanAllocator::go (this=this@entry=0x7fffffffbac0) at /home/fuzz2lin/trees/mozilla-central/js/src/jit/LinearScan.cpp:1291
#3  0x000000000056eec0 in js::jit::GenerateLIR (mir=mir@entry=0x17c97b8) at /home/fuzz2lin/trees/mozilla-central/js/src/jit/Ion.cpp:1722
#4  0x000000000056f425 in js::jit::CompileBackEnd (mir=mir@entry=0x17c97b8) at /home/fuzz2lin/trees/mozilla-central/js/src/jit/Ion.cpp:1810
#5  0x00000000005959ff in IonCompile (optimizationLevel=js::jit::Optimization_Normal, recompile=false, executionMode=js::SequentialExecution, constructing=<optimized out>, osrPc=0x0, baselineFrame=0x0,
    script=<optimized out>, cx=0x169f0c0) at /home/fuzz2lin/trees/mozilla-central/js/src/jit/Ion.cpp:2097
Crash Signature: [@ js::jit::LiveInterval::addRangeAtHead]
Keywords: crash
Summary: Assertion failure: opIter != block->end() (Operand in same block as instruction does not precede), or Assertion failure: opBlock->dominates(*block) (Instruction is not dominated by its operands), → Crash [@ js::jit::LiveInterval::addRangeAtHead] or Assertion failure: opIter != block->end() (Operand in same block as instruction does not precede), or Assertion failure: opBlock->dominates(*block) (Instruction is not dominated by its operands),
Attached file Opt stack
Seems to be a null deref.
Attachment #8495696 - Attachment description: stack → Opt stack
Small issue. The definition could already dominate both branches and be used by other instructions in that block. This would hoist it after the use. So only hoist if it doesn't dominate yet.
Assignee: nobody → hv1989
Attachment #8495776 - Flags: review?(nicolas.b.pierron)
Flags: needinfo?(hv1989)
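The two assertions in this bug check SSA dominance invariants: an operand in the same block must precede its user, and an operand in another block must come from a block that dominates the user's block. The following Python model, an added example that is not part of this bug, of the attached patch or of SpiderMonkey's code, shows why an unconditional "hoist the definition into the dominating block" move trips the first assertion when the definition already lives in that block and is used earlier in it, and how the fix described in the comment above (skip the hoist when the definition already dominates both branches) avoids it. The graph, the instruction names and the hoist_into pass are constructed stand-ins, not the real MIR pass.

```python
"""Toy SSA graph with the dominance checks a debug build asserts on,
plus a simplified hoisting pass in buggy and fixed form (constructed
example; names and pass are not SpiderMonkey's)."""


class Instr:
    def __init__(self, name, operands=()):
        self.name = name
        self.operands = list(operands)
        self.block = None


class Block:
    def __init__(self, name):
        self.name = name
        self.instrs = []      # by convention the last instruction is the control instruction
        self.preds = []
        self.succs = []

    def add(self, instr):
        instr.block = self
        self.instrs.append(instr)
        return instr

    def insert_before_control(self, instr):
        instr.block = self
        self.instrs.insert(len(self.instrs) - 1, instr)


def link(a, b):
    a.succs.append(b)
    b.preds.append(a)


def dominators(entry, blocks):
    """Iterative data-flow solution: dom(entry) = {entry},
    dom(b) = {b} | intersection of dom(p) over predecessors p."""
    dom = {b: set(blocks) for b in blocks}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for b in blocks:
            if b is entry:
                continue
            new = {b}
            if b.preds:
                new |= set.intersection(*(dom[p] for p in b.preds))
            if new != dom[b]:
                dom[b] = new
                changed = True
    return dom


def check_coherency(entry, blocks):
    """Return the violations a debug build would assert on (empty list = coherent)."""
    dom = dominators(entry, blocks)
    problems = []
    for b in blocks:
        for i, ins in enumerate(b.instrs):
            for op in ins.operands:
                if op.block is b:
                    if b.instrs.index(op) >= i:
                        problems.append(f"operand {op.name} does not precede {ins.name} in {b.name}")
                elif op.block not in dom[b]:
                    problems.append(f"{ins.name} in {b.name} is not dominated by {op.name}")
    return problems


def hoist_into(defn, target, entry, blocks, fixed):
    """Move defn to the end of target (before its control instruction) so both
    successors can share it. With fixed=True the move is skipped when defn's
    block already dominates every successor of target, which is the fix."""
    if fixed:
        dom = dominators(entry, blocks)
        if all(defn.block in dom[s] for s in target.succs):
            return False
    defn.block.instrs.remove(defn)
    target.insert_before_control(defn)
    return True


def scenario(fixed):
    """Diamond CFG: B0 computes c = x|0, uses it again in B0 (d), then branches
    on it; both arms use c. Returns the coherency violations after hoisting."""
    b0, b1, b2, b3 = Block("B0"), Block("B1"), Block("B2"), Block("B3")
    blocks = [b0, b1, b2, b3]
    link(b0, b1); link(b0, b2); link(b1, b3); link(b2, b3)
    x = b0.add(Instr("x"))
    c = b0.add(Instr("c=toint(x)", [x]))
    b0.add(Instr("d=add(c,1)", [c]))          # another use of c in the same block
    b0.add(Instr("test(c)", [c]))             # control instruction
    b1.add(Instr("use1(c)", [c])); b1.add(Instr("goto B3"))
    b2.add(Instr("use2(c)", [c])); b2.add(Instr("goto B3"))
    b3.add(Instr("return"))
    assert check_coherency(b0, blocks) == []  # graph is coherent before the pass
    hoist_into(c, b0, b0, blocks, fixed)
    return check_coherency(b0, blocks)


if __name__ == "__main__":
    print("buggy:", scenario(fixed=False))   # one "does not precede" violation
    print("fixed:", scenario(fixed=True))    # []
```

The buggy pass re-inserts c at the end of B0, after d, so d's operand no longer precedes it; a debug build would fail the "Operand in same block as instruction does not precede" assertion, while an optimized build carries the inconsistent graph on into later passes. The fixed pass leaves c where it is because B0 already dominates both B1 and B2.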
Comment on attachment 8495776 [details] [diff] [review]
Only hoist if it doesn't dominate both branches yet.

Review of attachment 8495776 [details] [diff] [review]:
-----------------------------------------------------------------

Oops. :/
Attachment #8495776 - Flags: review?(nicolas.b.pierron) → review+
So apparently I gave the wrong bug number. But that's not that bad. It is a "related" bug report.
https://hg.mozilla.org/integration/mozilla-inbound/rev/61e654fd0637
Crash Signature: [@ js::jit::LiveInterval::addRangeAtHead] → [@ js::jit::LiveInterval::addRangeAtHead] [@ js::jit::LiveInterval::addRangeAtHead(js::jit::CodePosition, js::jit::CodePosition)]
https://hg.mozilla.org/mozilla-central/rev/2bac3aaede24
https://hg.mozilla.org/mozilla-central/rev/61e654fd0637
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
Depends on: 1074825
