Closed Bug 1100123 Opened 7 years ago Closed 7 years ago

Assertion failure: *def->output() != alloc, at jit/RegisterAllocator.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla37
Tracking Status
firefox35 --- unaffected
firefox36 --- unaffected
firefox37 --- fixed
firefox-esr31 --- unaffected

People

(Reporter: gkw, Assigned: sunfish)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

(function(m) {
    "use asm"
    var g = m.SIMD.int32x4
    var h = g.select
    function f() {
        var x = g(0, 0, 0, 0)
        var y = g(1, 2, 3, 4)
        u(h(x, y, y))
    }
})()

asserts js debug shell on m-c changeset a52bf59965a0 with --fuzzing-safe --no-threads --ion-eager --ion-regalloc=lsra at Assertion failure: *def->output() != alloc, at jit/RegisterAllocator.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random jit-tests together with jsfunfuzz. The specific file, which was run with random flag combinations, is:

http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/asm.js/testSIMD.js

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/179193fbcccd
user:        Benjamin Bouvier
date:        Thu Sep 11 08:50:10 2014 +0200
summary:     Bug 1051860: Optimize SimdValueX4 codegen for float32x4 with unpcklps; r=sunfish

Benjamin, is bug 1051860 a possible regressor?

Setting s-s and assuming sec-critical because this seems to involve LIR and SIMD.
Flags: needinfo?(benj)
JSBugMon doesn't test with --ion-regalloc=lsra yet...
Whiteboard: [jsbugmon:update]
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x441db5, 0x00000001003debec js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::AllocationIntegrityState::checkIntegrity(js::jit::LBlock*, js::jit::LInstruction*, unsigned int, js::jit::LAllocation, bool) [inlined] js::jit::LNode::toMoveGroup(this=<unavailable>) + 28 at LIR.h:1834, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001003debec js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::AllocationIntegrityState::checkIntegrity(js::jit::LBlock*, js::jit::LInstruction*, unsigned int, js::jit::LAllocation, bool) [inlined] js::jit::LNode::toMoveGroup(this=<unavailable>) + 28 at LIR.h:1834
    frame #1: 0x00000001003debd0 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::AllocationIntegrityState::checkIntegrity(this=<unavailable>, block=<unavailable>, ins=<unavailable>, vreg=<unavailable>, populateSafepoints=<unavailable>, alloc=<unavailable>) + 1232 at RegisterAllocator.cpp:192
    frame #2: 0x00000001003dd1d5 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::AllocationIntegrityState::check(this=0x00007fff5fbfb0a8, populateSafepoints=false) + 1125 at RegisterAllocator.cpp:168
    frame #3: 0x00000001002b5c6f js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::GenerateLIR(mir=0x000000010310bcd8) + 1903 at Ion.cpp:1647
    frame #4: 0x00000001000913e2 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`CheckModule(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, js::ScopedJSDeletePtr<js::AsmJSModule>*, js::ScopedJSFreePtr<char>*) [inlined] CheckFunctionsSequential(m=0x0000000101d01a50)::ModuleCompiler&) + 426 at AsmJSValidate.cpp:7118
(lldb)
Unclear if this is sec-critical, leaving someone else to set the rating.
Keywords: sec-critical
Another LSRA-SIMD bug (that can't show up in the wild for now). This one involves an assertion I don't even understand. Any idea, Dan?
Flags: needinfo?(sunfish)
Simplifying regalloc constraints is a workaround, but LSRA keeps exhibiting frustrating off-by-one liveness bugs, and this seems the safest fix for now. This bug simplifies the Select regalloc constraints to avoid all the problems.
Assignee: nobody → sunfish
Flags: needinfo?(sunfish)
Flags: needinfo?(benj)
Attachment #8535812 - Flags: review?(benj)
Duplicate of this bug: 1108877
Comment on attachment 8535812 [details] [diff] [review]
select-reuse.patch

Review of attachment 8535812 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
Attachment #8535812 - Flags: review?(benj) → review+
(Once again, please make sure to add a TODO and open a follow up bug for when we'll have BT enabled by default)
Hmm, actually I've just hit this with BT as well when implementing other tests for select/bitselect in bug 1110164 (so my comment about a TODO and follow-up doesn't apply clearly :/), so I'll mark this one as blocking.
Blocks: 1110164
https://hg.mozilla.org/mozilla-central/rev/3b3479d7b0b7
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Test case added in bug 1103389.
Flags: in-testsuite? → in-testsuite+
Group: javascript-core-security
Group: core-security
You need to log in before you can comment on or make changes to this bug.