Crash [@ js::jit::LiveInterval::addRangeAtHead] or Assertion failure: !iter->hasLiveDefUses(), at jit/IonAnalysis.cpp

RESOLVED FIXED in Firefox 39

Status: defect, critical, RESOLVED FIXED

People: Reporter gkw, Assigned nbp

Tracking: Blocks 1 bug, 4 keywords
Version: Trunk
Target Milestone: mozilla39
Hardware / OS: x86_64, macOS

Firefox Tracking Flags: firefox39 fixed

Attachments (3 attachments)

m = (function(stdlib, n, heap) {
    "use asm"
    var Float64ArrayView = new stdlib.Float64Array(heap)
    var Int16ArrayView = new stdlib.Int16Array(heap)
    function f(i0) {
        i0 = i0 | 0
        i0 = i0 | 0
        Int16ArrayView[0] = (i0 << 0) + i0
        Float64ArrayView[0]
    }
    return f
})(this, {}, Array)
for (var j = 0; j < 9; j++) {
    m()
}

asserts js debug shell on m-c changeset 2795a48dfebe with --fuzzing-safe --no-threads --ion-eager at Assertion failure: !iter->hasLiveDefUses(), at jit/IonAnalysis.cpp and crashes js opt shell at js::jit::LiveInterval::addRangeAtHead.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 2795a48dfebe

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150312105732" and the hash "25b9c28d877e".
The "bad" changeset has the timestamp "20150312110326" and the hash "7529425ef21f".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=25b9c28d877e&tochange=7529425ef21f

Nicolas, is bug 1105574 a likely regressor?
Flags: needinfo?(nicolas.b.pierron)
Posted file debug stack
(lldb) bt 5
* thread #1: tid = 0xd9c05, 0x00000001004f5f86 js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::AssertBasicGraphCoherency(graph=<unavailable>) + 6150 at IonAnalysis.cpp:1950, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001004f5f86 js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::AssertBasicGraphCoherency(graph=<unavailable>) + 6150 at IonAnalysis.cpp:1950
    frame #1: 0x00000001004f6afa js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::AssertGraphCoherency(graph=0x0000000105807840) + 42 at IonAnalysis.cpp:2055
    frame #2: 0x00000001004f7bbd js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::AssertExtendedGraphCoherency(graph=0x0000000105807840) + 45 at IonAnalysis.cpp:2142
    frame #3: 0x00000001004f3bcb js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::OptimizeMIR(mir=0x00000001058079a8) + 4011 at Ion.cpp:1424
    frame #4: 0x00000001005009f6 js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) [inlined] js::jit::CompileBackEnd(mir=0x00000001058079a8, aRhs=<unavailable>) + 42 at Ion.cpp:1619
(lldb)
Posted file stack of opt crash
(lldb) bt 5
* thread #1: tid = 0xdcbc8, 0x00000001003481c0 js-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::LiveInterval::addRangeAtHead(js::jit::CodePosition, js::jit::CodePosition) [inlined] mozilla::VectorBase<js::jit::LiveInterval::Range, 1ul, js::jit::JitAllocPolicy, js::Vector<js::jit::LiveInterval::Range, 1ul, js::jit::JitAllocPolicy> >::empty(this=0x0000000000000010) const at Vector.h:407, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x20)
  * frame #0: 0x00000001003481c0 js-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::LiveInterval::addRangeAtHead(js::jit::CodePosition, js::jit::CodePosition) [inlined] mozilla::VectorBase<js::jit::LiveInterval::Range, 1ul, js::jit::JitAllocPolicy, js::Vector<js::jit::LiveInterval::Range, 1ul, js::jit::JitAllocPolicy> >::empty(this=0x0000000000000010) const at Vector.h:407
    frame #1: 0x00000001003481c0 js-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::LiveInterval::addRangeAtHead(this=0x0000000000000000, from=<unavailable>, to=<unavailable>) + 16 at LiveRangeAllocator.cpp:157
    frame #2: 0x00000001003ce9ea js-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::LiveRangeAllocator<js::jit::BacktrackingVirtualRegister, false>::buildLivenessInfo(this=0x00007fff5fbfcf68) + 3114 at LiveRangeAllocator.cpp:859
    frame #3: 0x000000010022e7c5 js-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::BacktrackingAllocator::go(this=0x00007fff5fbfcf68) + 21 at BacktrackingAllocator.cpp:83
    frame #4: 0x00000001002ebc1c js-64-dm-nsprBuild-darwin-2795a48dfebe`js::jit::GenerateLIR(mir=0x00000001040ad788) + 1932 at Ion.cpp:1553
(lldb)
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)
This patch ignores any optimization attempt if one of the operands is
recovered on bailout.
Attachment #8583816 - Flags: review?(luke)
Comment on attachment 8583816 [details] [diff] [review]
Do not optimize instruction recovered on bailout with effective addresses.

Why would IR nodes be "recovered on bailout" during asm.js compilation?  There are necessarily zero bailouts.  Anyhow, forwarding review to sunfish.
Attachment #8583816 - Flags: review?(luke) → review?(sunfish)
(In reply to Luke Wagner [:luke] from comment #4)
> Comment on attachment 8583816 [details] [diff] [review]
> Do not optimize instruction recovered on bailout with effective addresses.
> 
> Why would IR nodes be "recovered on bailout" during asm.js compilation? 
> There are necessarily zero bailouts.  Anyhow, forwarding review to sunfish.

There's a link failure error, because we pass Array as the heap argument, so we switch to interpreted JS, and Ion steps in quickly because --ion-eager.
Ah, I see; and we run EAA not only when compilingAsmJS.
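The exchange above hinges on what an asm.js "link failure" means: the module is syntactically valid asm.js, but because `Array` rather than an ArrayBuffer is handed in as the heap, the engine cannot link it and silently runs it as ordinary JavaScript, where Ion (and its bailout machinery) applies. The following is an added example written for this page, not the bug's test case and not SpiderMonkey code. It uses a module in the same shape as the test case; the names `makeModule`, `isValidAsmHeap`, `link` and `demo` are this example's own, and `isValidAsmHeap` encodes an assumed, simplified version of the asm.js heap rule (an ArrayBuffer whose byteLength is a power of two of at least 4096 bytes), not an engine API.

```javascript
// Added example (not the bug's test case, not SpiderMonkey code): what an
// asm.js "link failure" looks like from JavaScript. isValidAsmHeap encodes an
// ASSUMED, simplified asm.js heap rule and is not an engine API.

// asm.js module in the shape of the bug's test case. The "use asm" directive
// asks the engine to validate and link it; if linking fails (here: because
// `heap` is not an ArrayBuffer) the engine silently runs it as plain JS,
// which is how the JIT paths discussed in this bug become reachable.
function makeModule(stdlib, foreign, heap) {
  "use asm";
  var Int16ArrayView = new stdlib.Int16Array(heap);
  var Float64ArrayView = new stdlib.Float64Array(heap);
  function f(i0) {
    i0 = i0 | 0;
    Int16ArrayView[0] = (i0 << 0) + i0;   // store 2*i0 as an int16
    return +Float64ArrayView[0];
  }
  return f;
}

// ASSUMED simplified asm.js heap rule: ArrayBuffer, byteLength a power of two
// and at least 4096 bytes. The engine gives no programmatic signal when
// linking fails, so code that cares has to check the heap itself.
function isValidAsmHeap(heap) {
  if (!(heap instanceof ArrayBuffer)) return false;
  var n = heap.byteLength;
  return n >= 4096 && (n & (n - 1)) === 0;
}

// Instantiate the module against a heap and report whether that heap could
// have linked as asm.js at all.
function link(heap) {
  return { f: makeModule(globalThis, {}, heap), linkable: isValidAsmHeap(heap) };
}

// Two constructed scenarios: a proper heap, and the bug's `Array` heap.
function demo() {
  // 1. Proper heap: the store made by f is visible through any other view.
  var heap = new ArrayBuffer(4096);
  var good = link(heap);
  good.f(5);
  var seen = new Int16Array(heap)[0];   // 10

  // 2. The bug's case: the constructor `Array` is passed as the heap. The typed
  //    array constructors accept it as an array-like of length 1 (Array.length
  //    is 1), so the module still runs, but only as ordinary JS, and its views
  //    are private one-element arrays rather than windows onto a shared heap.
  var bad = link(Array);
  bad.f(5);                              // no effect observable outside f

  return { goodLinkable: good.linkable, badLinkable: bad.linkable, seen: seen };
}

console.log(demo());
```

Running the block prints `{ goodLinkable: true, badLinkable: false, seen: 10 }`: the properly linked module's store lands in the shared buffer, while the `Array`-heap module runs to completion with no outward effect and nothing at runtime announces that it was never asm.js.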
Comment on attachment 8583816 [details] [diff] [review]
Do not optimize instruction recovered on bailout with effective addresses.

Review of attachment 8583816 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit-test/tests/ion/bug1143216.js
@@ +1,2 @@
> +m = (function(stdlib, n, heap) {
> +    "use asm"

> There's a link failure error, because we pass Array as the heap argument, so
> we switch to interpreted JS, and Ion steps in quickly because --ion-eager.

This is pretty subtle. A brief comment in this test mentioning that it's expected to get a link failure would help save some confusion in the future :).

::: js/src/jit/EffectiveAddressAnalysis.cpp
@@ +61,5 @@
>          last = add;
>      }
>  
> +    if (last->isRecoveredOnBailout())
> +        return;
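Review bot: the early return added at `+    if (last->isRecoveredOnBailout())` sits after the loop, so as far as this hunk shows it inspects only the final node left in `last` by `last = add;`, whereas the patch description says the optimization should be skipped when any operand is recovered on bailout; if intermediate `add` nodes can carry that flag, consider checking `add->isRecoveredOnBailout()` at the point where `last = add;` is assigned so every node in the chain is covered.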

We already checked last when it was lsh above, so these lines can be moved up into the if body above.
Attachment #8583816 - Flags: review?(sunfish) → review+
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #0)
> Nicolas, is bug 1105574 a likely regressor?

Yes, it is.
https://hg.mozilla.org/mozilla-central/rev/04f99f21d1f2
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39