1273483 - Assertion failure: &inlineTypedObject->typeDescr() == descr, at js/src/jit/MCallOptimize.cpp:3417

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision a884b96685aa (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-eager):

Int8x16 = SIMD.Int8x16;
var Int32x4 = SIMD.Int32x4;
function testSwizzleForType(type) type();
testSwizzleForType(Int8x16);
function testSwizzleInt32x4() testSwizzleForType(Int32x4);
testSwizzleInt32x4();



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000076a04d in js::jit::IonBuilder::inlineConstructSimdObject (this=this@entry=0x7fffffffb6d0, callInfo=..., descr=0x7ffff7e95780) at js/src/jit/MCallOptimize.cpp:3417
#0  0x000000000076a04d in js::jit::IonBuilder::inlineConstructSimdObject (this=this@entry=0x7fffffffb6d0, callInfo=..., descr=0x7ffff7e95780) at js/src/jit/MCallOptimize.cpp:3417
#1  0x000000000076a208 in js::jit::IonBuilder::inlineNonFunctionCall (this=this@entry=0x7fffffffb6d0, callInfo=..., target=<optimized out>) at js/src/jit/MCallOptimize.cpp:390
#2  0x00000000006fdae5 in js::jit::IonBuilder::inlineSingleCall (this=0x7fffffffb6d0, callInfo=..., targetArg=<optimized out>) at js/src/jit/IonBuilder.cpp:5695
#3  0x00000000006ff2f9 in js::jit::IonBuilder::inlineCallsite (this=this@entry=0x7fffffffb6d0, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:5766
#4  0x00000000006ff68d in js::jit::IonBuilder::jsop_call (this=this@entry=0x7fffffffb6d0, argc=0, constructing=<optimized out>) at js/src/jit/IonBuilder.cpp:6705
#5  0x00000000006f91be in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7fffffffb6d0, op=op@entry=JSOP_CALL) at js/src/jit/IonBuilder.cpp:1906
#6  0x00000000006f9c50 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7fffffffb6d0) at js/src/jit/IonBuilder.cpp:1525
#7  0x00000000006fcff2 in js::jit::IonBuilder::buildInline (this=this@entry=0x7fffffffb6d0, callerBuilder=callerBuilder@entry=0x7ffff33121c0, callerResumePoint=callerResumePoint@entry=0x7ffff33136b8, callInfo=...) at js/src/jit/IonBuilder.cpp:1090
#8  0x00000000006fd576 in js::jit::IonBuilder::inlineScriptedCall (this=this@entry=0x7ffff33121c0, callInfo=..., target=<optimized out>) at js/src/jit/IonBuilder.cpp:5202
#9  0x00000000006fdb30 in js::jit::IonBuilder::inlineSingleCall (this=0x7ffff33121c0, callInfo=..., targetArg=<optimized out>) at js/src/jit/IonBuilder.cpp:5710
#10 0x00000000006ff2f9 in js::jit::IonBuilder::inlineCallsite (this=this@entry=0x7ffff33121c0, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:5766
#11 0x00000000006ff68d in js::jit::IonBuilder::jsop_call (this=this@entry=0x7ffff33121c0, argc=1, constructing=<optimized out>) at js/src/jit/IonBuilder.cpp:6705
#12 0x00000000006f91be in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff33121c0, op=op@entry=JSOP_CALL) at js/src/jit/IonBuilder.cpp:1906
#13 0x00000000006f9c50 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff33121c0) at js/src/jit/IonBuilder.cpp:1525
#14 0x00000000006fa3a5 in js::jit::IonBuilder::build (this=0x7ffff33121c0) at js/src/jit/IonBuilder.cpp:918
#15 0x0000000000706542 in js::jit::IonCompile (cx=cx@entry=0x7ffff6908c00, script=script@entry=0x7ffff7e78300, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, constructing=<optimized out>, [...]
#33 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffffb6d0	140737488336592
rcx	0x7ffff6ca588d	140737333844109
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffb1e0	140737488335328
rsp	0x7fffffffb160	140737488335200
r8	0x7ffff7fdf7c0	140737354004416
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffaf20	140737488334624
r11	0x7ffff6c27ee0	140737333329632
r12	0x7ffff7e95780	140737352652672
r13	0x7fffffffb360	140737488335712
r14	0x43	67
r15	0x43	67
rip	0x76a04d <js::jit::IonBuilder::inlineConstructSimdObject(js::jit::CallInfo&, js::SimdTypeDescr*)+1533>
=> 0x76a04d <js::jit::IonBuilder::inlineConstructSimdObject(js::jit::CallInfo&, js::SimdTypeDescr*)+1533>:	movl   $0xd59,0x0
   0x76a058 <js::jit::IonBuilder::inlineConstructSimdObject(js::jit::CallInfo&, js::SimdTypeDescr*)+1544>:	callq  0x4b2200 <abort()>

Comment 1

[Benjamin Bouvier [:bbouvier] (inactive)]

I'll try to look at this this week, but anybody, feel free to steal in the meanwhile.

Comment 2

[Benjamin Bouvier [:bbouvier] (inactive)]

In inlineConstructSimdObject, we retrieve the template object with inspector->getTemplateObjectForClassHook. The issue is that the same clasp is used for all the different SIMD types! So I guess we need to search a bit more for SIMD objects?

Comment 3

[Benjamin Bouvier [:bbouvier] (inactive)]

Attachment: simdtemplate.patch

See explanation in previous comment.

Comment 4

[Nicolas B. Pierron [:nbp]]

Comment on attachment 8754327 [details] [diff] [review]
simdtemplate.patch

Review of attachment 8754327 [details] [diff] [review]:
-----------------------------------------------------------------

Nice catch.
I guess this issue date from February 2015, but we do not have to backport it because SIMd is not enabled by default else-where than nightlies?

Comment 5

[Benjamin Bouvier [:bbouvier] (inactive)]

(In reply to Nicolas B. Pierron [:nbp] from comment #4)
> Comment on attachment 8754327 [details] [diff] [review]
> simdtemplate.patch
> 
> Review of attachment 8754327 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> Nice catch.
> I guess this issue date from February 2015, but we do not have to backport
> it because SIMd is not enabled by default else-where than nightlies?

Thank you for the review. That is correct, SIMD is still nightly only.

Comment 6

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/e2ec545e7976

Comment 7

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/e2ec545e7976