Closed Bug 1131297 Opened 5 years ago Closed 5 years ago

Assertion failure: def->type() == definiteType, at js/src/jit/IonBuilder.cpp:7133 with --unboxed-objects

Categories

(Core :: JavaScript Engine, defect, critical)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla38
Tracking Status: firefox38 --- disabled

People

(Reporter: decoder, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision be65d1fde126 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --unboxed-objects):

DoWhile( new DoWhileObject( 1000, 1000, 0 ));
DoWhile( new DoWhileObject( (4294967296), 1001, 0 ));
function DoWhileObject( value, iterations, endvalue ) {
  this.value = value;
}
function DoWhile( object ) {
  do {
    object.value =  --object.value;
  } while( object.value );
}



Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000000000084ca5b in js::jit::IonBuilder::ensureDefiniteType (this=this@entry=0x2894c58, def=def@entry=0x2896ef0, definiteType=<optimized out>) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:7133
#1  0x00000000008524d5 in js::jit::IonBuilder::addTypeBarrier (this=0x2894c58, def=0x2896ef0, observed=0x28954f8, kind=<optimized out>, pbarrier=0x0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:7061
#2  0x000000000085259d in js::jit::IonBuilder::pushTypeBarrier (this=0x2894c58, def=0x2896ef0, observed=0x28954f8, kind=js::jit::NoBarrier) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:7032
#3  0x0000000000852ecd in js::jit::IonBuilder::getPropTryUnboxed (this=this@entry=0x2894c58, emitted=emitted@entry=0x7fffe1d539e0, obj=<optimized out>, obj@entry=0x2896ad8, name=name@entry=0x7f51bdc1cb08, barrier=js::jit::NoBarrier, barrier@entry=js::jit::TypeTagOnly, types=types@entry=0x28954f8) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:10167
#4  0x00000000008af560 in js::jit::IonBuilder::jsop_getprop (this=this@entry=0x2894c58, name=0x7f51bdc1cb08) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:9757
#5  0x00000000008a78b3 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x2894c58, op=op@entry=JSOP_GETPROP) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:1866
#6  0x00000000008a8590 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x2894c58) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:1432
#7  0x00000000008a8ded in js::jit::IonBuilder::build (this=0x2894c58) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/IonBuilder.cpp:849
#8  0x00000000008b7910 in js::jit::IonCompile (cx=cx@entry=0x26cf490, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffe1d53fa8, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::Optimization_Normal) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/Ion.cpp:1902
#9  0x00000000008b82c4 in js::jit::Compile (cx=cx@entry=0x26cf490, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7fffe1d53fa8, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/Ion.cpp:2112
#10 0x00000000008b89d0 in js::jit::CompileFunctionForBaseline (cx=cx@entry=0x26cf490, script=script@entry=..., frame=frame@entry=0x7fffe1d53fa8) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/Ion.cpp:2277
#11 0x00000000007a90e2 in EnsureCanEnterIon (stub=<optimized out>, jitcodePtr=<synthetic pointer>, pc=0x2831819 ">W", script=..., frame=0x7fffe1d53fa8, cx=0x26cf490) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/BaselineIC.cpp:784
#12 js::jit::DoWarmUpCounterFallback (cx=0x26cf490, stub=<optimized out>, frame=0x7fffe1d53fa8, infoPtr=0x7fffe1d53f78) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jit/BaselineIC.cpp:945
[...]
#16 0x00000000019a2760 in js::jit::DoTypeMonitorFallbackInfo ()
[...]
#23 0x0000000000000000 in ?? ()
rip	0x84ca5b <js::jit::IonBuilder::ensureDefiniteType(js::jit::MDefinition*, js::jit::MIRType)+203>
=> 0x84ca5b <js::jit::IonBuilder::ensureDefiniteType(js::jit::MDefinition*, js::jit::MIRType)+203>:	movl   $0x1bdd,0x0
   0x84ca66 <js::jit::IonBuilder::ensureDefiniteType(js::jit::MDefinition*, js::jit::MIRType)+214>:	callq  0x4046a0 <abort@plt>
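The testcase above is a reduced fuzzer case; the report itself does not say why the second DoWhileObject call differs from the first. As an added illustration (my own code, not from the bug or from SpiderMonkey), the helper below replays the loop and classifies each value written to object.value as int32-representable or not: 1000 stays int32 all the way to 0, while 4294967296 (2^32) can only be stored as a double, so the same property is observed with different representations across the two calls. That a JIT tracks exactly this int32/double distinction for property loads is an assumption of this example, not a statement from the page.

```javascript
// Added illustration, not part of the bug report.
// Classify a value the way a JIT's type inference must: an integer in
// [-2^31, 2^31 - 1] can live in an int32 slot, any other number needs a
// double slot. (Assumption: this is the distinction relevant to the crash.)
function representationOf(v) {
  if (typeof v !== "number") return typeof v;
  if (Number.isInteger(v) && v >= -2147483648 && v <= 2147483647) {
    return "int32";
  }
  return "double";
}

// Replay the testcase's do/while, recording the representation of
// object.value before each decrement. maxSteps caps the run so a start
// value like 4294967296 (about 4e9 iterations to reach 0) stays runnable.
function traceDoWhile(start, maxSteps) {
  const object = { value: start };   // constructed stand-in for DoWhileObject
  const seen = new Set();
  let steps = 0;
  do {
    seen.add(representationOf(object.value));
    object.value = --object.value;   // same statement as the testcase
    steps++;
  } while (object.value && steps < maxSteps);
  return { representations: [...seen].sort(), finalValue: object.value };
}

// First call: int32 throughout. Second call: starts (and stays, for the
// first few steps) as a double because 2^32 exceeds the int32 range.
console.log(traceDoWhile(1000, 10000));
console.log(traceDoWhile(4294967296, 5));
```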
NI from bhackett due to --unboxed-objects.
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/c3714f520752
user:        Brian Hackett
date:        Mon Feb 02 09:27:59 2015 -0700
summary:     Bug 1127987 - Fix transposed parent/metadata arguments in EmptyShape::getInitialShape, r=jandem.

This iteration took 346.102 seconds to run.
Attached patch: patch (Splinter Review)
getPropTryUnboxed has a spot where it just removes a type barrier, which messed up this assertion.  There shouldn't be any problem with doing this, since the instruction generated by loadUnboxedProperty will have the correct type, but I don't think this code is really helping anything either so this patch just removes it.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8562329 - Flags: review?(jdemooij)
Attachment #8562329 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/8e4b8596954f
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38