Closed
Bug 1100123
Opened 9 years ago
Closed 9 years ago
Assertion failure: *def->output() != alloc, at jit/RegisterAllocator.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED
FIXED
mozilla37
Tracking | Status
---|---
firefox35 | unaffected
firefox36 | unaffected
firefox37 | fixed
firefox-esr31 | unaffected
People
(Reporter: gkw, Assigned: sunfish)
References
Details
(Keywords: assertion, regression, testcase)
Attachments (2 files)
11.56 KB, text/plain
4.29 KB, patch (attachment 8535812, select-reuse.patch), bbouvier: review+
Description

(function(m) {
  "use asm"
  var g = m.SIMD.int32x4
  var h = g.select
  function f() {
    var x = g(0, 0, 0, 0)
    var y = g(1, 2, 3, 4)
    u(h(x, y, y))
  }
})()

asserts js debug shell on m-c changeset a52bf59965a0 with --fuzzing-safe --no-threads --ion-eager --ion-regalloc=lsra at Assertion failure: *def->output() != alloc, at jit/RegisterAllocator.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random jit-tests together with jsfunfuzz. The specific file, which was run with random flag combinations, is:

http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/asm.js/testSIMD.js

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/179193fbcccd
user: Benjamin Bouvier
date: Thu Sep 11 08:50:10 2014 +0200
summary: Bug 1051860: Optimize SimdValueX4 codegen for float32x4 with unpcklps; r=sunfish

Benjamin, is bug 1051860 a possible regressor?

Setting s-s and assuming sec-critical because this seems to involve LIR and SIMD.
Flags: needinfo?(benj)
Comment 1 (Reporter) • 9 years ago
JSBugMon doesn't test with --ion-regalloc=lsra yet...
Whiteboard: [jsbugmon:update]
Comment 2 (Reporter) • 9 years ago
(lldb) bt 5
* thread #1: tid = 0x441db5, 0x00000001003debec js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::AllocationIntegrityState::checkIntegrity(js::jit::LBlock*, js::jit::LInstruction*, unsigned int, js::jit::LAllocation, bool) [inlined] js::jit::LNode::toMoveGroup(this=<unavailable>) + 28 at LIR.h:1834, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001003debec js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::AllocationIntegrityState::checkIntegrity(js::jit::LBlock*, js::jit::LInstruction*, unsigned int, js::jit::LAllocation, bool) [inlined] js::jit::LNode::toMoveGroup(this=<unavailable>) + 28 at LIR.h:1834
    frame #1: 0x00000001003debd0 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::AllocationIntegrityState::checkIntegrity(this=<unavailable>, block=<unavailable>, ins=<unavailable>, vreg=<unavailable>, populateSafepoints=<unavailable>, alloc=<unavailable>) + 1232 at RegisterAllocator.cpp:192
    frame #2: 0x00000001003dd1d5 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::AllocationIntegrityState::check(this=0x00007fff5fbfb0a8, populateSafepoints=false) + 1125 at RegisterAllocator.cpp:168
    frame #3: 0x00000001002b5c6f js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::GenerateLIR(mir=0x000000010310bcd8) + 1903 at Ion.cpp:1647
    frame #4: 0x00000001000913e2 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`CheckModule(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, js::ScopedJSDeletePtr<js::AsmJSModule>*, js::ScopedJSFreePtr<char>*) [inlined] CheckFunctionsSequential(m=0x0000000101d01a50)::ModuleCompiler&) + 426 at AsmJSValidate.cpp:7118
(lldb)
Comment 3 (Reporter) • 9 years ago
Unclear if this is sec-critical, leaving someone else to set the rating.
Keywords: sec-critical
Updated • 9 years ago
status-firefox-esr31: --- → unaffected

Updated • 9 years ago
status-firefox35: --- → disabled
Comment 4 • 9 years ago
Another LSRA-SIMD bug (that can't show up in the wild for now). This one involves an assertion I don't even understand. Any idea, Dan?
Flags: needinfo?(sunfish)
Comment 5 (Assignee) • 9 years ago
Simplifying regalloc constraints is a workaround, but LSRA keeps exhibiting frustrating off-by-one liveness bugs, and this seems the safest fix for now. This bug simplifies the Select regalloc constraints to avoid all the problems.
Assignee: nobody → sunfish
Flags: needinfo?(sunfish)
Flags: needinfo?(benj)
Attachment #8535812 -
Flags: review?(benj)
Comment 7 • 9 years ago
Comment on attachment 8535812 [details] [diff] [review]
select-reuse.patch

Review of attachment 8535812 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
Attachment #8535812 -
Flags: review?(benj) → review+
Comment 8 • 9 years ago
(Once again, please make sure to add a TODO and open a follow up bug for when we'll have BT enabled by default)
Comment 9 • 9 years ago
Hmm, actually I've just hit this with BT as well when implementing other tests for select/bitselect in bug 1110164 (so my comment about a TODO and follow-up doesn't apply clearly :/), so I'll mark this one as blocking.
Blocks: 1110164
Comment 10 (Assignee) • 9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/3b3479d7b0b7
Comment 11 • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/3b3479d7b0b7
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox37:
--- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Updated • 9 years ago
Group: javascript-core-security

Updated • 9 years ago
Group: core-security