1349298 - Assertion failure: numOptimizedStubs_ < 16, at js/src/jit/ICState.h:104

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 9fb5e850ab7a (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --baseline-eager --no-ion):

for (var d of [0, objectEmulatingUndefined(), objectEmulatingUndefined(),
                  objectEmulatingUndefined(), objectEmulatingUndefined(),
                  objectEmulatingUndefined(), objectEmulatingUndefined(),
                  objectEmulatingUndefined(), objectEmulatingUndefined(),
                  objectEmulatingUndefined(), objectEmulatingUndefined(),
                  objectEmulatingUndefined(), objectEmulatingUndefined(),
                  objectEmulatingUndefined(), objectEmulatingUndefined(),
                  objectEmulatingUndefined(), objectEmulatingUndefined()
]) {
    ''.search(d);
}


Backtrace:

#0  js::jit::ICState::trackAttached (this=<optimized out>) at js/src/jit/ICState.h:104
#1  js::jit::ICFallbackStub::addNewStub (this=this@entry=0x7f731efb4170, stub=<optimized out>) at js/src/jit/SharedIC.h:804
#2  0x00000000005efe24 in js::jit::DoTypeOfFallback (cx=0x7f731ef71000, frame=<optimized out>, stub=0x7f731efb4170, val=..., res=...) at js/src/jit/BaselineIC.cpp:4339
/snip

For detailed crash information, see attachment.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f98a326bcf8d
user:        Jan de Mooij
date:        Mon Mar 20 14:00:33 2017 +0100
summary:     Bug 1328140 - Improve handling of IC failures, add megamorphic IC stubs. r=h4writer

Jan, is bug 1328140 a likely regressor?

Comment 3

[Jan de Mooij [:jandem]]

Hmm it looks like Baseline's TypeOf IC can attach an unlimited number of stubs :( Bug 1328140 just happens to add stronger asserts to catch these issues. I'll fix it this week.

Comment 4

[Jan de Mooij [:jandem]]

Attachment: Patch

Simple fix, just check the number of stubs.

Comment 5

[Pulsebot]

Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8a543634c620
Add a stub limit to Baseline's TypeOf IC. r=h4writer

Comment 6

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/8a543634c620

Comment 7

[Jan de Mooij [:jandem]]

Comment on attachment 8850898 [details] [diff] [review]
Patch

I guess it can't hurt to backport this and it might make a difference somewhere.

Approval Request Comment
[Feature/Bug causing the regression]: Old bug.
[User impact if declined]: Worse performance and memory usage in some cases.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: Yes.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: It just limits the number of stubs we attach, like we do elsewhere.
[String changes made/needed]: None.

Comment 8

[Gerry Chang [:gchang]]

Comment on attachment 8850898 [details] [diff] [review]
Patch

Fix an assertion failure. Aurora54+ & Beta53+.

Comment 9

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/832553662a98

Comment 10

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/releases/mozilla-beta/rev/cedc5c3f53b5