Assertion failure: false, at js/src/vm/SelfHosting.cpp:300 (ComputeIterationSpace called on non-array-type)

RESOLVED FIXED in Firefox 48

Status

Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 3 years ago
Last updated: 3 years ago

People

(Reporter: decoder, Assigned: bbouvier)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Version: Trunk
Target Milestone: mozilla48
Platform: x86_64 Linux
Keywords: assertion, regression, testcase
Points: ---

Firefox Tracking Flags

(firefox47 unaffected, firefox48 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
The following testcase crashes on mozilla-central revision e1cf617a1f28 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --disable-oom-functions --baseline-eager --ion-eager):

var i1 = SIMD.Int32x4();               // a SIMD typed object: typed, but its descriptor is not an array type
var uint32 = TypedObject.uint32;
function fromOneDimArrayOfUint8ToUint32s() {
  var type = uint32.array(4);          // array type descriptor: 4 x uint32
  var r1 = type.from(i1, j => j*2);    // array-type from() handed a non-array typed object
}
fromOneDimArrayOfUint8ToUint32s();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000b064f1 in intrinsic_AssertionFailed (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:300
#0  0x0000000000b064f1 in intrinsic_AssertionFailed (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:300
#1  0x0000000000abf772 in js::CallJSNative (cx=0x7ffff6907800, native=0xb06450 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#2  0x0000000000ab8ac1 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#3  0x0000000000ab95ec in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffff9820, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:530
#4  0x0000000000614656 in js::jit::DoCallFallback (cx=0x7ffff6907800, frame=0x7fffffff9888, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffff9810, res=...) at js/src/jit/BaselineIC.cpp:6136
#5  0x00007ffff7ff1abf in ?? ()
[...]
#33 0x0000000000000000 in ?? ()
rip	0xb064f1 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+161>
=> 0xb064f1 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+161>:	movl   $0x12c,0x0
   0xb064fc <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+172>:	callq  0x4a60b0 <abort()>

Additional assertion info:

Self-hosted JavaScript assertion info: "js/src/builtin/TypedObject.js:1104: ComputeIterationSpace called on non-array-type"
(Assignee)

Updated

3 years ago
Flags: needinfo?(nmatsakis)

Updated

3 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

3 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/3e2ee1ed422e
user:        Benjamin Bouvier
date:        Thu Jul 09 19:15:24 2015 +0200
summary:     Bug 1173722: Part 1 - Capitalize all the SIMD types names; r=nbp

This iteration took 217.746 seconds to run.
Comment 2

Gary Kwong [:gkw] [:nth10sd]

Benjamin, you needinfo'ed Niko here, but autoBisect points at your patch from bug 1173722 here, so not setting needinfo? from you... yet. :)
Blocks: 1173722
(Assignee)

Comment 3

3 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Benjamin, you needinfo'ed Niko here, but autoBisect points at your patch
> from bug 1173722 here, so not setting needinfo? from you... yet. :)

It makes sense that autobisect stopped at this revision: before this revision one had to use SIMD.int32x4 in place of SIMD.Int32x4, so the test case should be varying on the revision. After 3e2ee1ed422e, SIMD.Int32x4; before 3e2ee1ed422e included, SIMD.int32x4. I am not sure whether autobisect can do this :-)
(Assignee)

Comment 4

3 years ago
As a matter of fact, it isn't blocking this particular bug.
No longer blocks: 1173722
(Assignee)

Comment 5

3 years ago
Gary, can you relaunch autobisect with the following test case, which should resist the renaming (and another change that made SIMD ctor parameters facultative):

var i1 = (SIMD.int32x4 || SIMD.Int32x4)(0,0,0,0);  // works across the rename; explicit lanes since the ctor args were not always optional
var uint32 = TypedObject.uint32;
function fromOneDimArrayOfUint8ToUint32s() {
  var type = uint32.array(4);                       // array type descriptor: 4 x uint32
  var r1 = type.from(i1, j => j*2);                 // non-array typed object passed to an array type's from()
}
fromOneDimArrayOfUint8ToUint32s();
Flags: needinfo?(gary)
Comment 6

Gary Kwong [:gkw] [:nth10sd]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/29e5dcfb97f7
user:        Tom Schuster
date:        Tue Oct 06 17:04:09 2015 +0100
summary:     Bug 1211832 - Disable functions that can easily cause artificial OOMs. r=jonco

I got this result. Benjamin/Tom, is bug 1211832 a likely regressor?
Flags: needinfo?(gary)
Flags: needinfo?(evilpies)
Flags: needinfo?(bbouvier)
(Assignee)

Comment 7

3 years ago
I guess you're still running with --disable-oom-functions, as specified in comment 0. This revision is the one that implements it :-) Getting rid of the flag should lead us even deeper...
Flags: needinfo?(gary)
Flags: needinfo?(evilpies)
Flags: needinfo?(bbouvier)
Comment 8

Gary Kwong [:gkw] [:nth10sd]

In that case, I don't have something conclusive.

It seems to still reproduce in November 2014, m-c rev 54be5416ae5d, which is one of the furthest back we can easily go.
Flags: needinfo?(gary) → needinfo?(bbouvier)
(Assignee)

Comment 9

3 years ago
That confirms what I suspected: it's been there for a while... Let's see what nmatsakis or pnkfelix have to say about this (they wrote this code, it seems).
Flags: needinfo?(bbouvier)
(Assignee)

Comment 10

3 years ago
Created attachment 8727371 [details] [diff] [review]
typedobject.from.patch

The patch is actually trivial.
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Flags: needinfo?(nmatsakis)
Attachment #8727371 - Flags: review?(nmatsakis)
Comment 11

Comment on attachment 8727371 [details] [diff] [review]
typedobject.from.patch

Review of attachment 8727371 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/builtin/TypedObject.js
@@ -959,5 @@
>  
>    if (!IsObject(this) || !ObjectIsTypeDescr(this))
>      ThrowTypeError(JSMSG_TYPEDOBJECT_BAD_ARGS);
>  
> -  var untypedInput = !IsObject(a) || !ObjectIsTypedObject(a);
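Review bot: the excerpt quotes only the removed `-  var untypedInput = !IsObject(a) || !ObjectIsTypedObject(a);` line and not its replacement, so the reader cannot see what the new predicate does with an input that is a typed object whose descriptor is not an array type, which is exactly the case in the testcase (a SIMD value) that reaches ComputeIterationSpace; quoting the `+` line beside it would make the behaviour change reviewable on its own. Since comment 8 shows the assertion reproducing back to November 2014, a jit-test built from the comment 0 testcase would also be worth landing with the fix.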

just to be clear: the only change to behavior (and thus the actual bug fix) is solely the change to this one line, right?

I.e. the other stuff below is just changes you've made to improve readability (or perhaps expected-performance)?
(Assignee)

Comment 12

3 years ago
That's right: I've just removed a few else-after-return and obviously equivalent control flows.

Okay. (My personal style is to leave code alone unless there's an obvious readability or performance win associated with the change, but I don't want to block this changeset based on that personal preference.)
Attachment #8727371 - Flags: review?(nmatsakis) → review+
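The guard the reviewer asks about, modelled as an added example written for this page (it is not SpiderMonkey's TypedObject.js): the typed-object and descriptor stand-ins are constructed, and the `strict` predicate is an assumption about what the fixed line checks, since only the removed line is quoted above.

```javascript
// Constructed model of the `untypedInput` guard in the array type's from();
// not engine code. TypeDescr/TypedObj, ObjectIsTypedObject and
// ComputeIterationSpace are stand-ins for the self-hosted helpers.
class TypeDescr {
  constructor(kind, length) { this.kind = kind; this.length = length; }
}
class TypedObj {
  constructor(descr, lanes) { this.descr = descr; this.lanes = lanes; }
}
const uint32x4 = new TypeDescr("array", 4);  // like uint32.array(4)
const int32x4 = new TypeDescr("simd", 4);    // like SIMD.Int32x4's descriptor

function ObjectIsTypedObject(v) { return v instanceof TypedObj; }
function TypeDescrIsArrayType(d) { return d.kind === "array"; }

// Stand-in for the helper whose self-hosted assertion fired in comment 0.
function ComputeIterationSpace(descr) {
  if (!TypeDescrIsArrayType(descr))
    throw new Error("ComputeIterationSpace called on non-array-type");
  return descr.length;
}

// strict=false is the pre-fix guard: it only asks "is this a typed object?",
// so a SIMD value (typed, but not array-typed) takes the typed path and hits
// the assertion. strict=true (assumed fix) also requires an array-type
// descriptor and sends everything else down the untyped, array-like path.
function TypedObjectArrayTypeFrom(input, func, strict) {
  const untypedInput = typeof input !== "object" || input === null ||
    !ObjectIsTypedObject(input) ||
    (strict && !TypeDescrIsArrayType(input.descr));
  if (untypedInput) {
    // Untyped path: generic length-based iteration over an array-like.
    const len = input == null ? 0 : (input.length >>> 0);
    const res = [];
    for (let i = 0; i < len; i++) res.push(func(input[i], i));
    return res;
  }
  const n = ComputeIterationSpace(input.descr);  // asserts on non-array descr
  const out = [];
  for (let i = 0; i < n; i++) out.push(func(input.lanes[i], i));
  return out;
}

// Constructed inputs mirroring the testcase: a SIMD value and an array-typed object.
const simdValue = new TypedObj(int32x4, [0, 0, 0, 0]);   // like SIMD.Int32x4()
const arrayValue = new TypedObj(uint32x4, [0, 1, 2, 3]);
```

With the coarse guard the SIMD input reaches the assertion; with the strict guard it is handled as an ordinary array-like (a SIMD value has no length, so the result is empty) while array-typed and plain-array inputs are unaffected.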

Comment 15

3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/c9bc41c32205
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox48: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
(Assignee)

Comment 16

3 years ago
TypedObject still nightly-only.
status-firefox47: affected → unaffected