Closed Bug 1247915 Opened 8 years ago Closed 8 years ago

Assertion failure: opd->type() == phi->type(), at js/src/jit/Lowering.cpp:4621 or Crash [@ js::jit::VirtualRegister::addInitialRange] or Crash [@ js::jit::AssemblerX86Shared::leal] with PGO

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 576a6dcde5b6 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-pgo=on):

evaluate(`
  i = 0;
  while (1) a = [] ? i: () => 5;
`)



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000771905 in js::jit::LIRGenerator::visitBlock (this=this@entry=0x7fffffffa420, block=block@entry=0x7ffff69a89e8) at js/src/jit/Lowering.cpp:4621
#0  0x0000000000771905 in js::jit::LIRGenerator::visitBlock (this=this@entry=0x7fffffffa420, block=block@entry=0x7ffff69a89e8) at js/src/jit/Lowering.cpp:4621
#1  0x0000000000771a53 in js::jit::LIRGenerator::generate (this=this@entry=0x7fffffffa420) at js/src/jit/Lowering.cpp:4677
#2  0x000000000068b1b2 in js::jit::GenerateLIR (mir=mir@entry=0x7ffff69a5270) at js/src/jit/Ion.cpp:1901
#3  0x000000000068b8c3 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff69a5270) at js/src/jit/Ion.cpp:1996
#4  0x000000000068ef06 in js::jit::IonCompile (cx=cx@entry=0x7ffff6907800, script=script@entry=0x7ffff7e71230, baselineFrame=baselineFrame@entry=0x7fffffffb868, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Normal) at js/src/jit/Ion.cpp:2264
#5  0x000000000068f7b0 in js::jit::Compile (cx=0x7ffff6907800, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7fffffffb868, osrPc=osrPc@entry=0x7ffff31516c3 "\343\201C\b\377\377\377י\220\210\002̐\210\002(.\215\n\313\030\nۈ\377\377\377\375Ȉ\027", constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2434
#6  0x00000000006901ea in BaselineCanEnterAtBranch (pc=0x7ffff31516c3 "\343\201C\b\377\377\377י\220\210\002̐\210\002(.\215\n\313\030\nۈ\377\377\377\375Ȉ\027", osrFrame=0x7fffffffb868, script=..., cx=0x7ffff6907800) at js/src/jit/Ion.cpp:2621
#7  js::jit::IonCompileScriptForBaseline (cx=cx@entry=0x7ffff6907800, frame=frame@entry=0x7fffffffb868, pc=pc@entry=0x7ffff31516c3 "\343\201C\b\377\377\377י\220\210\002̐\210\002(.\215\n\313\030\nۈ\377\377\377\375Ȉ\027") at js/src/jit/Ion.cpp:2679
#8  0x0000000000604977 in js::jit::DoWarmUpCounterFallbackOSR (cx=0x7ffff6907800, frame=0x7fffffffb868, stub=0x7ffff69991c0, infoPtr=0x7fffffffb840) at js/src/jit/BaselineIC.cpp:141
#9  0x00007ffff7ff2679 in ?? ()
[...]
#20 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x1	1
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffa390	140737488331664
rsp	0x7fffffffa330	140737488331568
r8	0x7ffff7fe07c0	140737354008512
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffa0f0	140737488330992
r11	0x7ffff6c27960	140737333328224
r12	0x7fffffffa420	140737488331808
r13	0x1	1
r14	0x7ffff69a7450	140737330705488
r15	0x7ffff69a7120	140737330704672
rip	0x771905 <js::jit::LIRGenerator::visitBlock(js::jit::MBasicBlock*)+693>
=> 0x771905 <js::jit::LIRGenerator::visitBlock(js::jit::MBasicBlock*)+693>:	movl   $0x120d,0x0
   0x771910 <js::jit::LIRGenerator::visitBlock(js::jit::MBasicBlock*)+704>:	callq  0x4a4f50 <abort()>
Needinfo from :nbp due to --ion-pgo.
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151120232833" and the hash "c3aa84cd334c17606ff33284a058064eafd67d28".
The "bad" changeset has the timestamp "20151121053534" and the hash "52d7c9292ecfc23a52835c49189dabd561b18675".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c3aa84cd334c17606ff33284a058064eafd67d28&tochange=52d7c9292ecfc23a52835c49189dabd561b18675
Some --ion-pgo=on issues can be existing bugs which are slightly harder to trigger, flag as sec-want until we figure this out.
Group: javascript-core-security
Keywords: sec-want
Crash Signature: [@ js::jit::VirtualRegister::addInitialRange]
Keywords: crash
Summary: Assertion failure: opd->type() == phi->type(), at js/src/jit/Lowering.cpp:4621 with PGO → Assertion failure: opd->type() == phi->type(), at js/src/jit/Lowering.cpp:4621 or Crash [@ js::jit::VirtualRegister::addInitialRange] with PGO
Removing the status flag until we find the source of the issue, as the current test case depends on a feature which is not landed yet.
Crash Signature: [@ js::jit::VirtualRegister::addInitialRange] → [@ js::jit::VirtualRegister::addInitialRange] [@ js::jit::AssemblerX86Shared::leal]
Summary: Assertion failure: opd->type() == phi->type(), at js/src/jit/Lowering.cpp:4621 or Crash [@ js::jit::VirtualRegister::addInitialRange] with PGO → Assertion failure: opd->type() == phi->type(), at js/src/jit/Lowering.cpp:4621 or Crash [@ js::jit::VirtualRegister::addInitialRange] or Crash [@ js::jit::AssemblerX86Shared::leal] with PGO
While running IonBuilder, we insert an unbox instruction on top of a Phi,
which is the merge point of a Function, and an constant integer.  With
branch pruning enabled.

We remove one of the Phi operands, and then replace the phi with its only
operands, which leaves us with an unbox instruction around a constant
integer.

These code-path are only reachable iff branch pruning is enabled, as no
other system allow us to remove such Phi nodes, as we do not remove their
oeprands, nor generate phi nodes with a single operand.
Attachment #8733387 - Flags: review?(hv1989)
Attachment #8733387 - Flags: review?(hv1989) → review+
Do we need to keep this closed, since this is pgo only?
https://hg.mozilla.org/integration/mozilla-inbound/rev/6e0b1e57c8e8
Group: javascript-core-security
Flags: needinfo?(nicolas.b.pierron)
Keywords: sec-want
https://hg.mozilla.org/mozilla-central/rev/6e0b1e57c8e8
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
You need to log in before you can comment on or make changes to this bug.