1236484 - Assertion failure: !IsCompilingAsmJS() (asm.js should always create an AutoFlushICache), at js/src/jit/Ion.cpp:3293

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision d7a0ad85d9fb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --ion-offthread-compile=off --ion-eager --fuzzing-safe):

var lfcode = new Array();
lfcode.push("gczeal(2, 1);");
lfcode.push("");
lfcode.push(`
function test(stdlib, foreign) {
    "use asm"
    function f(y) {
`);
for (var i = 0; i < 100; ++i) {
    var file = lfcode.shift();
    loadFile(file)
}
function loadFile(lfVarx) {
  evaluate(lfVarx);
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x082c3031 in js::jit::AutoFlushICache::flush (start=start@entry=4156996876, len=len@entry=4) at js/src/jit/Ion.cpp:3293
#0  0x082c3031 in js::jit::AutoFlushICache::flush (start=start@entry=4156996876, len=len@entry=4) at js/src/jit/Ion.cpp:3293
#1  0x08446fbb in js::jit::Assembler::RetargetNearBranch (i=i@entry=0xf7c6bd0c, offset=offset@entry=4592, cond=cond@entry=js::jit::Assembler::Always, final=final@entry=true) at js/src/jit/arm/Assembler-arm.cpp:2964
#2  0x0844722e in js::jit::PatchJump (jump_=..., label=..., reprotect=reprotect@entry=js::jit::DontReprotect) at js/src/jit/arm/Assembler-arm.cpp:613
#3  0x08327d6e in js::jit::IonCache::reset (this=0xf7a650c0, reprotect=js::jit::DontReprotect) at js/src/jit/IonCaches.cpp:2333
#4  0x082bca4f in js::jit::IonScript::purgeCaches (this=0xf7a65000) at js/src/jit/Ion.cpp:1370
#5  0x082c332e in purgeCaches (this=<optimized out>) at js/src/jit/Ion.cpp:3385
#6  js::jit::PurgeCaches (script=0xf43520d0) at js/src/jit/Ion.cpp:3384
#7  0x0854b508 in js::PurgeJITCaches (zone=zone@entry=0xf7a64800) at js/src/jsgc.cpp:7061
#8  0x0886e570 in JS::Zone::discardJitCode (this=0xf7a64800, fop=fop@entry=0xffff9240) at js/src/gc/Zone.cpp:220
#9  0x08563cdc in js::gc::GCRuntime::beginSweepingZoneGroup (this=this@entry=0xf7a3c218) at js/src/jsgc.cpp:5185
#10 0x0856962c in js::gc::GCRuntime::beginSweepPhase (this=this@entry=0xf7a3c218, destroyingRuntime=destroyingRuntime@entry=false) at js/src/jsgc.cpp:5344
#11 0x0856ac43 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0xf7a3c218, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6104
#12 0x0856ba11 in js::gc::GCRuntime::gcCycle (this=this@entry=0xf7a3c218, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6310
#13 0x0856bf69 in js::gc::GCRuntime::collect (this=this@entry=0xf7a3c218, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6416
#14 0x0856c1d2 in js::gc::GCRuntime::gc (this=0xf7a3c218, gckind=GC_NORMAL, reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6474
#15 0x0856d985 in js::gc::GCRuntime::runDebugGC (this=this@entry=0xf7a3c218) at js/src/jsgc.cpp:6961
#16 0x0882ce0b in js::gc::GCRuntime::gcIfNeededPerAllocation (this=0xf7a3c218, cx=cx@entry=0xf7a84020) at js/src/gc/Allocator.cpp:28
#17 0x08835f36 in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0xf7a3c218, cx=0xf7a84020, kind=js::gc::FIRST) at js/src/gc/Allocator.cpp:55
#18 0x0883b482 in js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0xf7a84020, kind=kind@entry=js::gc::FIRST, nDynamicSlots=0, heap=heap@entry=js::gc::TenuredHeap, clasp=clasp@entry=0x98349a0 <JSFunction::class_>) at js/src/gc/Allocator.cpp:121
#19 0x085bfe37 in JSObject::create (cx=0xf7a84020, kind=js::gc::FIRST, heap=js::gc::TenuredHeap, shape=..., group=...) at js/src/jsobjinlines.h:331
#20 0x085a6775 in NewObject (cx=0xf7a84020, group=..., kind=js::gc::FIRST, newKind=js::TenuredObject, initialShapeFlags=0) at js/src/jsobj.cpp:668
#21 0x085a755b in js::NewObjectWithClassProtoCommon (cxArg=cxArg@entry=0xf7a84020, clasp=clasp@entry=0x98349a0 <JSFunction::class_>, protoArg=protoArg@entry=..., allocKind=allocKind@entry=js::gc::FIRST, newKind=newKind@entry=js::TenuredObject) at js/src/jsobj.cpp:796
#22 0x0856e39c in NewObjectWithClassProto (newKind=js::TenuredObject, allocKind=js::gc::FIRST, proto=..., clasp=0x98349a0 <JSFunction::class_>, cx=0xf7a84020) at js/src/jsobjinlines.h:679
#23 js::NewFunctionWithProto (cx=cx@entry=0xf7a84020, native=native@entry=0x0, nargs=nargs@entry=0, flags=flags@entry=JSFunction::INTERPRETED, enclosingDynamicScope=enclosingDynamicScope@entry=..., atom=atom@entry=..., proto=proto@entry=..., allocKind=allocKind@entry=js::gc::FIRST, newKind=newKind@entry=js::TenuredObject, protoHandling=js::NewFunctionClassProto) at js/src/jsfun.cpp:2057
#24 0x0856e6e1 in js::NewScriptedFunction (cx=0xf7a84020, nargs=nargs@entry=0, flags=flags@entry=JSFunction::INTERPRETED, atom=atom@entry=..., allocKind=allocKind@entry=js::gc::FIRST, newKind=newKind@entry=js::TenuredObject, enclosingDynamicScopeArg=...) at js/src/jsfun.cpp:2019
#25 0x081ecb2a in ParseFunction (column=0xffff99f0, line=0xffff99e0, fnOut=<synthetic pointer>, m=...) at js/src/asmjs/AsmJS.cpp:6899
#26 CheckFunction (m=...) at js/src/asmjs/AsmJS.cpp:6942
#27 CheckFunctions (m=...) at js/src/asmjs/AsmJS.cpp:7020
#28 CheckModule (cx=cx@entry=0xf7a84020, parser=..., stmtList=stmtList@entry=0xf7a92140, obj=obj@entry=..., time=time@entry=0xffffa780, slowFuncs=slowFuncs@entry=0xffffa7d0) at js/src/asmjs/AsmJS.cpp:7231
#29 0x081ee0cc in js::CompileAsmJS (cx=0xf7a84020, parser=..., stmtList=stmtList@entry=0xf7a92140, validated=validated@entry=0xffffa910) at js/src/asmjs/AsmJS.cpp:8581
[...]
#64 main (argc=5, argv=0xffffce14, envp=0xffffce2c) at js/src/shell/js.cpp:6885
eax	0x0	0
ebx	0x980343c	159396924
ecx	0xf7e3b88c	-136071028
edx	0x0	0
esi	0xf7c6bd0c	-137970420
edi	0x4	4
ebp	0xffff8e48	4294938184
esp	0xffff8e20	4294938144
eip	0x82c3031 <js::jit::AutoFlushICache::flush(unsigned int, unsigned int)+369>
=> 0x82c3031 <js::jit::AutoFlushICache::flush(unsigned int, unsigned int)+369>:	movl   $0xcdd,0x0
   0x82c303b <js::jit::AutoFlushICache::flush(unsigned int, unsigned int)+379>:	call   0x80f92f0 <abort()>


Marked s-s because the test involves GC. Also setting fuzzblocker because this happens fairly often.

Comment 1

[Benjamin Bouvier [:bbouvier] (inactive)]

Regressed by the first big patch in bug 1229642, which introduced this assertion. I am not sure how to fix it. Luke, any idea? Maybe the assertion is bogus here, as we're compiling asm.js but the GC which is happening shouldn't affect code generated by asm.js...

Comment 2

[Luke Wagner [:luke]]

Not s-s: this assert was added to assert asm.js didn't hit the "slow" case in icache flushing (when there is no AutoFlushICache on the stack.  We don't actually hit this assert for asm.js code, it just so happens we have a GC that patches some Ion code during asm.js compilation.  A better assert would try to rule out this case but the assert itself isn't super-valuable, I mostly just wanted to make sure this didn't happen in the normal/hot case which is evidently true.  So I'll just remove the assert.

Comment 3

[Luke Wagner [:luke]]

Attachment: rm-bad-assert

Comment 4

[Benjamin Bouvier [:bbouvier] (inactive)]

Comment on attachment 8703728 [details] [diff] [review]
rm-bad-assert

Review of attachment 8703728 [details] [diff] [review]:
-----------------------------------------------------------------

Thank you!

Comment 5

[Fuzzing Team]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 6

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/0b857cae9b21

Comment 7

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/0b857cae9b21