Closed Bug 1246154 Opened 8 years ago Closed 8 years ago

Assertion failure: start < end, at js/src/jit/OptimizationTracking.h:426

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla47
Tracking Status
firefox47 --- fixed

People

(Reporter: gkw, Assigned: h4writer)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 1dbe350b57b1 (build with --enable-debug --enable-more-deterministic, run with --no-threads --ion-eager --ion-shared-stubs=on):

setJitCompilerOption('ion.forceinlineCaches', 1);
enableSPSProfiling();
(function() {
    -[];
})();

Backtrace:

0   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010002d208 js::jit::IonTrackedOptimizationsOffsetsTable<js::jit::IonTrackedOptimizationsAttempts>::entry(unsigned int) const + 200 (OptimizationTracking.h:426)
1   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010042e414 js::jit::CodeGeneratorShared::verifyCompactTrackedOptimizationsMap(js::jit::JitCode*, unsigned int, js::jit::UniqueTrackedOptimizations const&, mozilla::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy> const*) + 964 (CodeGenerator-shared.cpp:1044)
2   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010042dc77 js::jit::CodeGeneratorShared::generateCompactTrackedOptimizationsMap(JSContext*, js::jit::JitCode*, mozilla::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy>*) + 791 (CodeGenerator-shared.cpp:907)
3   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010020afb1 js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*) + 1505 (CodeGenerator.cpp:8489)
4   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x0000000100242525 LinkCodeGen(JSContext*, js::jit::IonBuilder*, js::jit::CodeGenerator*, JS::MutableHandle<js::GCVector<JSScript*, 0ul, js::TempAllocPolicy> >, OnIonCompilationInfo*) + 293 (Ion.cpp:586)
5   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010023e3df js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) + 4527 (Ion.cpp:2296)
6   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010023ce71 js::jit::CanEnter(JSContext*, js::RunState&) + 369 (Ion.cpp:2550)
7   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x00000001007561a1 js::RunScript(JSContext*, js::RunState&) + 289 (Interpreter.cpp:402)
8   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010076ccf9 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 841 (Interpreter.cpp:493)
9   js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x000000010076d3db js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 555 (Interpreter.cpp:527)
10  js-dbg-64-dm-clang-darwin-1dbe350b57b1	0x00000001001a4861 js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 3105 (BaselineIC.cpp:6136)
11  ???                           	0x0000000101ee445b 0 + 4327359579
12  ???                           	0x000000010402e9e0 0 + 4362267104

I'm inclined to say this just borderline made it to [fuzzblocker] status.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   283055:53630278e423
user:        Hannes Verschore
date:        Thu Feb 04 06:56:46 2016 -0500
summary:     Bug 1242578 - Annotate binary arith for jit coach, r=shu

Hannes, is bug 1242578 a likely regressor?
Blocks: 1242578
Flags: needinfo?(hv1989)
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
(In reply to Fuzzing Team from comment #2)
> JSBugMon: Cannot process bug: Unable to automatically reproduce, please
> track manually.

Probably due to the --ion-shared-stubs=on flag.
JSOP_NEG also takes the binary arith path. As a result we need to track the optimization. Now this doesn't give issues in release yet. "shared stubs" is not enabled by default yet.
Assignee: nobody → hv1989
Flags: needinfo?(hv1989)
Attachment #8716325 - Flags: review?(shu)
Comment on attachment 8716325 [details] [diff] [review]
bug1246154-optimizationinfo

Review of attachment 8716325 [details] [diff] [review]:
-----------------------------------------------------------------

Be sure, along with bug 1242578, that this path also has a trackOptimizationSuccess at the end. Thanks!
Attachment #8716325 - Flags: review?(shu) → review+
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker] [jsbugmon:update]
https://hg.mozilla.org/mozilla-central/rev/402d8fc72ed3
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47