1205842 - Assertion failure: !iter->hasLiveDefUses(), at jit/IonAnalysis.cpp

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

function f(x) {
    (function() {
        x = 0;
    })();
}
for (var k = 0; k < 9; k++) {
    f(Math.fround(1));
}

asserts js debug shell on m-c changeset de0e763b5210 with --fuzzing-safe --no-threads --ion-eager --ion-check-range-analysis at Assertion failure: !iter->hasLiveDefUses(), at jit/IonAnalysis.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r de0e763b5210

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fb1f0c400ec0
user:        Benjamin Bouvier
date:        Thu Sep 10 11:58:44 2015 +0200
summary:     Bug 1107011: Propagate recovered on bailout flags when converting float32 to doubles; r=nbp

Benjamin, is bug 1107011 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x6d94ca, 0x00000001005c0293 js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::AssertBasicGraphCoherency(graph=<unavailable>) + 4003 at IonAnalysis.cpp:1954, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001005c0293 js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::AssertBasicGraphCoherency(graph=<unavailable>) + 4003 at IonAnalysis.cpp:1954
    frame #1: 0x00000001005c153a js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::AssertGraphCoherency(graph=0x00000001028c7040) + 42 at IonAnalysis.cpp:2059
    frame #2: 0x00000001005c257d js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::AssertExtendedGraphCoherency(graph=0x00000001028c7040) + 45 at IonAnalysis.cpp:2147
    frame #3: 0x00000001005bd9b8 js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::OptimizeMIR(mir=0x00000001028c7258) + 3672 at Ion.cpp:1695
    frame #4: 0x00000001005c7d9f js-dbg-64-dm-nsprBuild-darwin-de0e763b5210`js::jit::CompileBackEnd(mir=0x00000001028c7258) + 63 at Ion.cpp:1967
(lldb)

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Setting s-s because potential regressor bug 1107011 is s-s.

Comment 3

[Benjamin Bouvier [:bbouvier] (inactive)]

Attachment: fix.patch

Range assertions shouldn't be added to instructions that are recovered on bailouts.

I think the issue is just a bad assertion and this bug isn't s-s, but considering the previous fiasco on the original bug, I'll let nbp decide.

Comment 4

[Nicolas B. Pierron [:nbp]]

Comment on attachment 8662782 [details] [diff] [review]
fix.patch

Review of attachment 8662782 [details] [diff] [review]:
-----------------------------------------------------------------

> I think the issue is just a bad assertion and this bug isn't s-s, but considering the previous fiasco on the original bug, I'll let nbp decide.

I agree with benjamin, this issue is not security-sensitive, as the MAssertRange MIR node can only be generated by [1] the use of --ion-check-range-analysis in the shell, or in Firefox with the environment variable JIT_OPTION_checkRangeAnalysis.

[1] https://dxr.mozilla.org/mozilla-central/search?q=%2Bvar-ref%3Ajs%3A%3Ajit%3A%3AJitOptions%3A%3AcheckRangeAnalysis

Comment 5

[Benjamin Bouvier [:bbouvier] (inactive)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/90ff8cf0e927

Comment 6

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This previously landed:

http://hg.mozilla.org/mozilla-central/rev/90ff8cf0e927