Closed Bug 1103032 Opened 10 years ago Closed 9 years ago

Crash [@ js::jit::LinearScanAllocator::assign] or Assertion failure: req->kind() == Requirement::NONE, at jit/LinearScan.cpp or Assertion failure: !minimalInterval(interval), at jit/BacktrackingAllocator.cpp

Categories: Core :: JavaScript Engine: JIT, defect
Platform: x86, macOS
Type: defect; Priority: Not set; Severity: critical
Status: VERIFIED FIXED
Target Milestone: mozilla36
Tracking Status:
firefox35 --- unaffected
firefox36 + verified
firefox-esr31 --- unaffected
People: Reporter: gkw, Assigned: h4writer
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments: 5 files

enableSPSProfiling()
Set([] + undefined)

asserts js debug shell on m-c changeset 7d17b594834f with --ion-eager --no-threads at Assertion failure: req->kind() == Requirement::NONE, at jit/LinearScan.cpp.

Debug configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/43aceb996c3b
user:        Hannes Verschore
date:        Thu Nov 20 01:48:11 2014 +0100
summary:     Bug 1101576 - IonMonkey: Add fixes for LSubstr, r=efaust

Hannes, is bug 1101576 a likely regressor?

(Setting s-s by default because this involves SPS profiling, but leaving the sec rating to someone else)
Flags: needinfo?(hv1989)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x27a758, 0x0034d187 js-dbg-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::allocateRegisters(this=<unavailable>) + 2311 at LinearScan.cpp:87, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0034d187 js-dbg-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::allocateRegisters(this=<unavailable>) + 2311 at LinearScan.cpp:87
    frame #1: 0x002e46fc js-dbg-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::go(this=0xbfffe168) + 124 at LinearScan.cpp:1295
    frame #2: 0x002e447c js-dbg-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::GenerateLIR(mir=0x028c8af8) + 1660 at Ion.cpp:1647
    frame #3: 0x002e6971 js-dbg-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, js::ExecutionMode, bool) [inlined] js::jit::CompileBackEnd(mir=0x028c8af8, aRhs=<unavailable>) + 59 at Ion.cpp:1735
    frame #4: 0x002e6936 js-dbg-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, js::ExecutionMode, bool) [inlined] js::jit::IonCompile(script=<unavailable>) + 1911 at Ion.cpp:2016
(lldb)
This also crashes opt builds at js::jit::LinearScanAllocator::assign, configure parameters are:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --disable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Note that these happen in 32-bit builds.
Crash Signature: [@ js::jit::LinearScanAllocator::assign]
Summary: Assertion failure: req->kind() == Requirement::NONE, at jit/LinearScan.cpp → Crash [@ js::jit::LinearScanAllocator::assign] or Assertion failure: req->kind() == Requirement::NONE, at jit/LinearScan.cpp
Attached file stack for opt crash
(lldb) bt 5
* thread #1: tid = 0x27b223, 0x00234a7a js-dbgDisabled-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::assign(js::jit::LAllocation) [inlined] js::jit::LNode::block(this=0x00000000, this=<unavailable>, this=<unavailable>) const at LIR.h:693, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x8)
  * frame #0: 0x00234a7a js-dbgDisabled-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::assign(js::jit::LAllocation) [inlined] js::jit::LNode::block(this=0x00000000, this=<unavailable>, this=<unavailable>) const at LIR.h:693
    frame #1: 0x00234a7a js-dbgDisabled-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::assign(this=0xbfffe6c0, allocation=(bits_ = 325)) + 346 at LinearScan.cpp:798
    frame #2: 0x00234bcd js-dbgDisabled-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::spill(this=<unavailable>) + 205 at LinearScan.cpp:899
    frame #3: 0x00234838 js-dbgDisabled-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::allocateRegisters(this=0xbfffe6c0) + 1080 at LinearScan.cpp:149
    frame #4: 0x001ed19c js-dbgDisabled-opt-32-dm-nsprBuild-darwin-7d17b594834f`js::jit::LinearScanAllocator::go(this=0xbfffe6c0) + 60 at LinearScan.cpp:1295
(lldb)
Attached patch Ideas
So the reason here is that on x86 we only have 6 available registers when SPS is enabled.

The easiest way to fix this would have been to define "string" as useAtStart, since temp2 and temp3 are only written to when string isn't used anymore. But LSRA doesn't allow having different signatures for different inputs.

- Another idea I had was to reuse string, so we need one temp less and pop/push it.
- Or we could use useAtStart for all inputs and have 5 temporaries, where three are copies of the inputs.

This works but is totally unsatisfying. I tried doing this only for SPS, but we only check for SPS being enabled during CodeGeneration, not in Lowering :(
This also happens in the wild, see bug 1102457.

(We should also file a follow-up bug to check the number of required registers in debug builds so that we don't rely on the profiler being enabled or not.)
[Tracking Requested - why for this release]:
Aha: I do have the Gecko profiler in that profile for bug 1102457 though I wasn't doing anything with it.
v 1.14.2
It appears to be defaulting to On.  Stopping it causes the insta-crash when opening Loop to stop happening.
Adjust 2 things:

1) Make the need for ByteOpRegister more obvious, instead of relying on comments.

2) Use bogusTemp for x86, to decrease to fix this issue and reuse the string register as temporary. (This causes a push/pop, but that is also how it is solved elsewhere.)

There is a follow-up bug open (bug 1102001) to use useOrConstant for length and index if possible. If one of the two is constant we have an extra register free and don't need to push/pop. :D
Flags: needinfo?(hv1989)
Attachment #8527544 - Flags: review?(jdemooij)
Attachment #8527544 - Flags: review?(jdemooij) → review+
This shows up as:

Assertion failure: !minimalInterval(interval), at jit/BacktrackingAllocator.cpp

if run with --ion-eager --no-threads --ion-regalloc=backtracking on m-c rev b8240bb9ae4f, also 32-bit debug shell.
Summary: Crash [@ js::jit::LinearScanAllocator::assign] or Assertion failure: req->kind() == Requirement::NONE, at jit/LinearScan.cpp → Crash [@ js::jit::LinearScanAllocator::assign] or Assertion failure: req->kind() == Requirement::NONE, at jit/LinearScan.cpp or Assertion failure: !minimalInterval(interval), at jit/BacktrackingAllocator.cpp
Attached file stack for other assert
(lldb) bt 5
* thread #1: tid = 0x3e2a54, 0x001d035d js-dbg-opt-32-dm-nsprBuild-darwin-b8240bb9ae4f`js::jit::BacktrackingAllocator::processInterval(js::jit::LiveInterval*) [inlined] js::jit::CodePosition::operator-(js::jit::CodePosition) const + 15 at RegisterAllocator.h:206, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x001d035d js-dbg-opt-32-dm-nsprBuild-darwin-b8240bb9ae4f`js::jit::BacktrackingAllocator::processInterval(js::jit::LiveInterval*) [inlined] js::jit::CodePosition::operator-(js::jit::CodePosition) const + 15 at RegisterAllocator.h:206
    frame #1: 0x001d034e js-dbg-opt-32-dm-nsprBuild-darwin-b8240bb9ae4f`js::jit::BacktrackingAllocator::processInterval(js::jit::LiveInterval*) [inlined] js::jit::BacktrackingAllocator::computePriority(interval=<unavailable>) at BacktrackingAllocator.cpp:1348
    frame #2: 0x001d034e js-dbg-opt-32-dm-nsprBuild-darwin-b8240bb9ae4f`js::jit::BacktrackingAllocator::processInterval(this=<unavailable>, interval=<unavailable>) + 766 at BacktrackingAllocator.cpp:471
    frame #3: 0x001cf5c5 js-dbg-opt-32-dm-nsprBuild-darwin-b8240bb9ae4f`js::jit::BacktrackingAllocator::go(this=0xbfffe1a8) + 421 at BacktrackingAllocator.cpp:110
    frame #4: 0x002edd4d js-dbg-opt-32-dm-nsprBuild-darwin-b8240bb9ae4f`js::jit::GenerateLIR(mir=0x048c04f8) + 1181 at Ion.cpp:1666
(lldb)
Blocks: 1102457
https://hg.mozilla.org/mozilla-central/rev/0164b161e0d8
Assignee: nobody → hv1989
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx36
Group: core-security
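
The follow-up suggested in the thread (check the number of required registers in debug builds, regardless of whether the profiler is enabled) can be sketched as below. This is an added example, not SpiderMonkey code or the landed patch: the `Policy` model, the function names and the substring operand lists are assumptions built from the operand names mentioned in the comments, and the limit of 6 is the x86-with-SPS figure given in the thread.

```cpp
#include <algorithm>
#include <cstdio>
#include <string>
#include <vector>

// Simplified model for illustration; not SpiderMonkey's LIR classes.
enum class Policy { Use, UseAtStart, Temp, BogusTemp, Def };
struct Operand { std::string name; Policy policy; };
using Instruction = std::vector<Operand>;

// Fewest allocatable registers in any configuration (x86 with SPS: 6).
constexpr int kWorstCaseRegisters = 6;

// Peak number of distinct registers needed at once. Assumed semantics:
// a regular use and a temp are live across the whole instruction, an
// at-start use is live only while inputs are read (the output may take
// its register), and a bogus temp is a placeholder with no register.
int requiredRegisters(const Instruction& ins) {
    int atInput = 0, atOutput = 0;
    for (const Operand& op : ins) {
        switch (op.policy) {
          case Policy::Use:
          case Policy::Temp:       atInput++; atOutput++; break;
          case Policy::UseAtStart: atInput++; break;
          case Policy::Def:        atOutput++; break;
          case Policy::BogusTemp:  break;
        }
    }
    return std::max(atInput, atOutput);
}

// Debug-build check: compare against the worst case, so the result does
// not depend on whether the profiler happens to be enabled.
bool fitsWorstCase(const Instruction& ins) {
    return requiredRegisters(ins) <= kWorstCaseRegisters;
}

// Constructed operand lists for a substring instruction (assumed shape).
Instruction substrBefore() {
    return {{"string", Policy::Use}, {"index", Policy::Use}, {"length", Policy::Use},
            {"temp", Policy::Temp}, {"temp2", Policy::Temp}, {"temp3", Policy::Temp},
            {"output", Policy::Def}};
}
Instruction substrStringAtStart() { auto i = substrBefore(); i[0].policy = Policy::UseAtStart; return i; }
Instruction substrBogusTemp() { auto i = substrBefore(); i[5].policy = Policy::BogusTemp; return i; }

int main() {
    std::printf("before=%d stringAtStart=%d bogusTemp=%d limit=%d\n", requiredRegisters(substrBefore()),
                requiredRegisters(substrStringAtStart()), requiredRegisters(substrBogusTemp()), kWorstCaseRegisters);
    return 0;
}
```

In this model the original operand list needs 7 registers and fails the check, while both the at-start variant and the bogus-temp variant need 6 and pass.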