Bug 1103032 (Closed) - Opened 10 years ago, closed 9 years ago
Crash [@ js::jit::LinearScanAllocator::assign] or Assertion failure: req->kind() == Requirement::NONE, at jit/LinearScan.cpp or Assertion failure: !minimalInterval(interval), at jit/BacktrackingAllocator.cpp
Categories: Core :: JavaScript Engine: JIT, defect
Tracking: VERIFIED FIXED, target milestone mozilla36

| | Tracking | Status |
|---|---|---|
| firefox35 | --- | unaffected |
| firefox36 | + | verified |
| firefox-esr31 | --- | unaffected |
People: Reporter: gkw, Assigned: h4writer
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments (5 files): three text/plain files and two patches; one patch (#8527544) carries review+ from jandem
enableSPSProfiling() Set([] + undefined)

asserts js debug shell on m-c changeset 7d17b594834f with --ion-eager --no-threads at Assertion failure: req->kind() == Requirement::NONE, at jit/LinearScan.cpp.

Debug configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/43aceb996c3b
user: Hannes Verschore
date: Thu Nov 20 01:48:11 2014 +0100
summary: Bug 1101576 - IonMonkey: Add fixes for LSubstr, r=efaust

Hannes, is bug 1101576 a likely regressor?

(Setting s-s by default because this involves SPS profiling, but leaving the sec rating to someone else)
Flags: needinfo?(hv1989)
Comment 1 (Reporter, 10 years ago)

(lldb) bt 5
* thread #1: tid = 0x27a758, 0x0034d187 js-dbg-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::allocateRegisters(this=<unavailable>) + 2311 at LinearScan.cpp:87, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0034d187 js-dbg-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::allocateRegisters(this=<unavailable>) + 2311 at LinearScan.cpp:87
    frame #1: 0x002e46fc js-dbg-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::go(this=0xbfffe168) + 124 at LinearScan.cpp:1295
    frame #2: 0x002e447c js-dbg-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::GenerateLIR(mir=0x028c8af8) + 1660 at Ion.cpp:1647
    frame #3: 0x002e6971 js-dbg-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, js::ExecutionMode, bool) [inlined] js::jit::CompileBackEnd(mir=0x028c8af8, aRhs=<unavailable>) + 59 at Ion.cpp:1735
    frame #4: 0x002e6936 js-dbg-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, js::ExecutionMode, bool) [inlined] js::jit::IonCompile(script=<unavailable>) + 1911 at Ion.cpp:2016
(lldb)
Comment 2 (Reporter, 10 years ago)

This also crashes opt builds at js::jit::LinearScanAllocator::assign, configure parameters are:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --disable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Note that these happen in 32-bit builds.
Crash Signature: [@ js::jit::LinearScanAllocator::assign]
status-firefox36:
--- → affected
Summary: Assertion failure: req->kind() == Requirement::NONE, at jit/LinearScan.cpp → Crash [@ js::jit::LinearScanAllocator::assign] or Assertion failure: req->kind() == Requirement::NONE, at jit/LinearScan.cpp
Comment 3 (Reporter, 10 years ago)

(lldb) bt 5
* thread #1: tid = 0x27b223, 0x00234a7a js-dbgDisabled-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::assign(js::jit::LAllocation) [inlined] js::jit::LNode::block(this=0x00000000, this=<unavailable>, this=<unavailable>) const at LIR.h:693, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x8)
  * frame #0: 0x00234a7a js-dbgDisabled-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::assign(js::jit::LAllocation) [inlined] js::jit::LNode::block(this=0x00000000, this=<unavailable>, this=<unavailable>) const at LIR.h:693
    frame #1: 0x00234a7a js-dbgDisabled-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::assign(this=0xbfffe6c0, allocation=(bits_ = 325)) + 346 at LinearScan.cpp:798
    frame #2: 0x00234bcd js-dbgDisabled-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::spill(this=<unavailable>) + 205 at LinearScan.cpp:899
    frame #3: 0x00234838 js-dbgDisabled-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::allocateRegisters(this=0xbfffe6c0) + 1080 at LinearScan.cpp:149
    frame #4: 0x001ed19c js-dbgDisabled-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::go(this=0xbfffe6c0) + 60 at LinearScan.cpp:1295
(lldb)
Comment 4 (Assignee, 10 years ago)

So the reason here is that on x86 we only have 6 available registers when SPS is enabled. The easiest way to fix this would have been to define "string" as useAtStart, since temp2 and temp3 are only written to when string isn't used anymore. But LSRA doesn't allow having different signatures for different inputs.

- Another idea I had was to reuse string, so we need one temp less and pop/push it.
- Or we could use useAtStart for all inputs and have 5 temporaries, where three are copies of the inputs. This works but is totally unsatisfying.

I tried doing this only for SPS, but we only check for SPS being enabled during CodeGeneration, not in Lowering :(
Comment 5 (10 years ago)

This also happens in the wild, see bug 1102457. (We should also file a follow-up bug to check the number of required registers in debug builds so that we don't rely on the profiler being enabled or not.)
Comment 7 (9 years ago)

Aha: I do have the Gecko profiler in that profile for bug 1102457, though I wasn't doing anything with it. v1.14.2. It appears to be defaulting to On. Stopping it causes the insta-crash when opening Loop to stop happening.
Comment 8 (Assignee, 9 years ago)

Adjust 2 things:
1) Make the need of ByteOpRegister more obvious, instead of relying on comments.
2) Use bogusTemp for x86 to fix this issue, and reuse the string register as a temporary. (This causes a push/pop, but that is also how it is solved elsewhere.)

There is a follow-up bug open (bug 1102001) to use useOrConstant for length and index if possible. If one of the two is constant we have an extra register free and don't need to push/pop. :D

Flags: needinfo?(hv1989)
Attachment #8527544 - Flags: review?(jdemooij)
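A worked model of the register arithmetic in Comment 4 and Comment 8, plus the debug-build budget check Comment 5 asks for, added here as an illustration. This is not IonMonkey code: the liveness rule (at-start uses die at the input position so temps and the output may reuse their registers; plain register uses live through the whole instruction), the 7-register x86 budget without the profiler, and the exact LSubstr operand shape are all assumptions; the 6-register figure with SPS enabled is the one Comment 4 gives.

```cpp
// Added illustration, not IonMonkey code: a small model of the register budget
// an LIR instruction such as LSubstr demands, showing why the original lowering
// overflowed 32-bit x86 once the SPS profiler reserved a register, and why the
// fix in Comment 8 (a bogusTemp on x86 plus reusing the string register with a
// push/pop) fits again. The liveness rule below is an assumed simplification.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>

enum class Policy {
    Register,        // needs a register for the whole instruction
    RegisterAtStart, // needs a register only at the input position
    Bogus            // no register at all (like Ion's bogusTemp)
};

struct Operand {
    std::string name;
    Policy policy;
};

struct InstrShape {
    std::string name;
    std::vector<Operand> inputs;
    std::vector<Operand> temps;
    bool registerOutput;
};

// Assumed rule: at-start uses die at the input position, so temps and the
// output may reuse their registers; plain register uses live through the
// whole instruction and overlap everything else.
size_t peakRegisterDemand(const InstrShape& s) {
    size_t atStart = 0, through = 0, temps = 0;
    for (const Operand& in : s.inputs) {
        if (in.policy == Policy::RegisterAtStart) ++atStart;
        else if (in.policy == Policy::Register) ++through;
    }
    for (const Operand& t : s.temps)
        if (t.policy == Policy::Register) ++temps;
    const size_t out = s.registerOutput ? 1 : 0;
    return std::max(through + atStart, through + temps + out);
}

// The debug-build check Comment 5 asks for: reject the shape at lowering time
// instead of letting the allocator run out of registers later.
bool fitsRegisterBudget(const InstrShape& s, size_t availableRegs) {
    return peakRegisterDemand(s) <= availableRegs;
}

// Assumed x86 budget: 7 allocatable GPRs normally; Comment 4 says 6 once SPS
// profiling is enabled.
constexpr size_t kX86Regs = 7;
constexpr size_t kX86RegsWithSPS = 6;

// LSubstr as the bug describes it (assumed reconstruction): three register
// inputs, three temporaries, one register output.
InstrShape substrOriginal() {
    return {"LSubstr (original)",
            {{"string", Policy::Register}, {"begin", Policy::Register}, {"length", Policy::Register}},
            {{"temp0", Policy::Register}, {"temp1", Policy::Register}, {"temp2", Policy::Register}},
            true};
}

// Comment 8's fix on x86: one temp becomes bogusTemp, and codegen pushes the
// string register and uses it as the scratch instead.
InstrShape substrFixedX86() {
    InstrShape s = substrOriginal();
    s.name = "LSubstr (x86 fix)";
    s.temps[2].policy = Policy::Bogus;
    return s;
}

// Comment 4's rejected alternative: every input at-start and five temps,
// three of which are copies of the inputs.
InstrShape substrAllAtStart() {
    return {"LSubstr (all useAtStart)",
            {{"string", Policy::RegisterAtStart}, {"begin", Policy::RegisterAtStart}, {"length", Policy::RegisterAtStart}},
            {{"stringCopy", Policy::Register}, {"beginCopy", Policy::Register}, {"lengthCopy", Policy::Register},
             {"temp0", Policy::Register}, {"temp1", Policy::Register}},
            true};
}

int main() {
    for (const InstrShape& s : {substrOriginal(), substrFixedX86(), substrAllAtStart()}) {
        std::printf("%-26s needs %zu regs: no SPS %s, with SPS %s\n", s.name.c_str(),
                    peakRegisterDemand(s),
                    fitsRegisterBudget(s, kX86Regs) ? "ok" : "OVERFLOW",
                    fitsRegisterBudget(s, kX86RegsWithSPS) ? "ok" : "OVERFLOW");
    }
    return 0;
}
```

Under this model the original shape needs 7 registers, which fits the plain x86 budget and overflows by one as soon as SPS takes a register; both the bogusTemp fix and the all-at-start variant come in at 6. The point of `fitsRegisterBudget` is that the overflow is a property of the lowering, so it can be asserted there under the tightest budget rather than discovered by the allocator crashing in codegen.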
Updated (9 years ago)

Attachment #8527544 - Flags: review?(jdemooij) → review+
Comment 9 (Reporter, 9 years ago)

This shows up as: Assertion failure: !minimalInterval(interval), at jit/BacktrackingAllocator.cpp if run with --ion-eager --no-threads --ion-regalloc=backtracking on m-c rev b8240bb9ae4f, also 32-bit debug shell.
Updated (Reporter, 9 years ago)

Summary: Crash [@ js::jit::LinearScanAllocator::assign] or Assertion failure: req->kind() == Requirement::NONE, at jit/LinearScan.cpp → Crash [@ js::jit::LinearScanAllocator::assign] or Assertion failure: req->kind() == Requirement::NONE, at jit/LinearScan.cpp or Assertion failure: !minimalInterval(interval), at jit/BacktrackingAllocator.cpp
Comment 10 (Reporter, 9 years ago)

(lldb) bt 5
* thread #1: tid = 0x3e2a54, 0x001d035d js-dbg-opt-32-dm-nsprBuild-darwin-b8240bb9ae4f`js::jit::BacktrackingAllocator::processInterval(js::jit::LiveInterval*) [inlined] js::jit::CodePosition::operator-(js::jit::CodePosition) const + 15 at RegisterAllocator.h:206, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x001d035d js-dbg-opt-32-dm-nsprBuild-darwin-b8240bb9ae4f`js::jit::BacktrackingAllocator::processInterval(js::jit::LiveInterval*) [inlined] js::jit::CodePosition::operator-(js::jit::CodePosition) const + 15 at RegisterAllocator.h:206
    frame #1: 0x001d034e js-dbg-opt-32-dm-nsprBuild-darwin-b8240bb9ae4f`js::jit::BacktrackingAllocator::processInterval(js::jit::LiveInterval*) [inlined] js::jit::BacktrackingAllocator::computePriority(interval=<unavailable>) at BacktrackingAllocator.cpp:1348
    frame #2: 0x001d034e js-dbg-opt-32-dm-nsprBuild-darwin-b8240bb9ae4f`js::jit::BacktrackingAllocator::processInterval(this=<unavailable>, interval=<unavailable>) + 766 at BacktrackingAllocator.cpp:471
    frame #3: 0x001cf5c5 js-dbg-opt-32-dm-nsprBuild-darwin-b8240bb9ae4f`js::jit::BacktrackingAllocator::go(this=0xbfffe1a8) + 421 at BacktrackingAllocator.cpp:110
    frame #4: 0x002edd4d js-dbg-opt-32-dm-nsprBuild-darwin-b8240bb9ae4f`js::jit::GenerateLIR(mir=0x048c04f8) + 1181 at Ion.cpp:1666
(lldb)
Comment 11 (Assignee, 9 years ago)

https://hg.mozilla.org/integration/mozilla-inbound/rev/0164b161e0d8
Updated (9 years ago)

Keywords: sec-moderate
Comment 12 (9 years ago)

https://hg.mozilla.org/mozilla-central/rev/0164b161e0d8

Assignee: nobody → hv1989
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox37: affected → ---
tracking-firefox37: + → ---
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Updated (9 years ago)

status-firefox-esr31: --- → unaffected
Comment 14 (9 years ago)

JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx36
Updated (9 years ago)

status-firefox38: verified → ---
Group: core-security