Closed Bug 1053431 Opened 5 years ago Closed 5 years ago

Assertion failure: Modified registers between VM call and OsiPoint, at jit/IonMacroAssembler.cpp

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla34

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, regression)

Attachments

(2 files)

stack
17.71 KB, text/plain
Details
Patch
2.65 KB, patch
nbp
: review+
Details | Diff | Splinter Review 
This intermittent assertion has no reliable testcase and last occurred for me on https://hg.mozilla.org/mozilla-central/rev/391f42c733fc - it has been occurring since many months ago.

Jan thinks he has discovered the cause.
Flags: needinfo?(jdemooij)
Attached file stack 
Example stack off m-c rev 9fdb8047f07d on Linux.
Excellent. I'm hitting this as well sometimes, never got a reproducible test :(
Blocks: 676763
Attached patch PatchSplinter Review 
The problem is a (debug only) race with off-thread compilation:

(1) Off-thread Ion compilation does not emit code to dump the registers because checkOsiPointRegisters = false
(2) Main thread calls enableOsiPointRegisterChecks() and sets JitOptions.checkOsiPointRegisters = true
(3) Off-thread code generator emits code to verify the registers, but because of (1), this will always fail.

That's why this is so hard to reproduce and required off-thread compilation.

This patch just stores the value in the CodeGenerator, so that we will always emit both the dump + verify code. We could also cancel all off-thread compilations in enableOsiPointRegisterChecks(), but that only works for the current runtime. In the shell there's usually only 1 runtime, but this function can also be called in the browser.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8472931 - Flags: review?(nicolas.b.pierron)
Flags: needinfo?(jdemooij)
Comment on attachment 8472931 [details] [diff] [review]
Patch

Review of attachment 8472931 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/shared/CodeGenerator-shared.cpp
@@ +60,5 @@
>      sps_(&GetIonContext()->runtime->spsProfiler(), &lastNotInlinedPC_),
>      osrEntryOffset_(0),
>      skipArgCheckEntryOffset_(0),
> +#ifdef CHECK_OSIPOINT_REGISTERS
> +    checkOsiPointRegisters(js_JitOptions.checkOsiPointRegisters),

Do we have races reported by TSan on this issue?
Shouldn't we do something similar to JitCompilerOptions for all jitOptions?
Attachment #8472931 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/d0470d965f46

(In reply to Nicolas B. Pierron [:nbp] {N/A 22-29/08} from comment #5)
> Do we have races reported by TSan on this issue?

Good question; I don't know if TSan reported this.

> Shouldn't we do something similar to JitCompilerOptions for all jitOptions?

Yeah if we find other races it may be a good idea to refactor js_JitOptions and make a copy for the background thread...
https://hg.mozilla.org/mozilla-central/rev/d0470d965f46
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Flags: qe-verify-
You need to log in before you can comment on or make changes to this bug.