1291887 - Crash [@ js::jit::MBasicBlock::end] or Assertion failure: !inDeadCode(), at js/src/asmjs/WasmIonCompile.cpp:938

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 331c4166a3a2 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

(function(stdlib) {
        "use asm"
        var log = stdlib.Math.log

        function f(x) {
            x = +x
            var y = 3.
            return 0, y
            return +log(x) + y
        }
})()


Backtrace:

0   js-dbg-64-dm-clang-darwin-331c4166a3a2	0x000000010d014876 (anonymous namespace)::FunctionCompiler::callPrivate(js::jit::MAsmJSCall::Callee, js::jit::MAsmJSCall::PreservesTlsReg, (anonymous namespace)::FunctionCompiler::CallArgs const&, js::wasm::ExprType, js::jit::MDefinition**) + 310 (WasmIonCompile.cpp:938)
1   js-dbg-64-dm-clang-darwin-331c4166a3a2	0x000000010d00e06a EmitUnaryMathBuiltinCall((anonymous namespace)::FunctionCompiler&, unsigned int, js::wasm::SymbolicAddress, js::wasm::ValType) + 474 (WasmIonCompile.cpp:2293)
2   js-dbg-64-dm-clang-darwin-331c4166a3a2	0x000000010cff4c20 EmitExpr((anonymous namespace)::FunctionCompiler&) + 17904 (WasmIonCompile.cpp:3141)
3   js-dbg-64-dm-clang-darwin-331c4166a3a2	0x000000010cfefb43 js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) + 3571 (WasmIonCompile.cpp:3512)
4   js-dbg-64-dm-clang-darwin-331c4166a3a2	0x000000010cff902f js::wasm::CompileFunction(js::wasm::IonCompileTask*) + 111 (WasmIonCompile.cpp:3557)
5   js-dbg-64-dm-clang-darwin-331c4166a3a2	0x000000010ccb13da js::wasm::ModuleGenerator::finishFuncDef(unsigned int, js::wasm::FunctionGenerator*) + 330 (WasmGenerator.cpp:864)
6   js-dbg-64-dm-clang-darwin-331c4166a3a2	0x000000010cc3a757 CheckFunction(ModuleValidator&) + 6359 (AsmJS.cpp:7026)
/snip

For detailed crash information, see attachment.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This also crashes opt builds [@ js::jit::MBasicBlock::end].

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/c5bb9552230c
user:        Luke Wagner
date:        Tue Aug 02 10:14:30 2016 -0500
summary:     Bug 1288944 - Baldr: move the Instance* into TlsData (r=jolesen)

Luke, is bug 1288944 a likely regressor?

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Setting [fuzzblocker] because this seems to be happening very often. Also adding jsbugmon keyword.

Comment 5

[Fuzzing Team]

JSBugMon: Cannot process bug: Error: Failed to isolate test from comment

Comment 6

[Luke Wagner [:luke]]

Attachment: bug-fix

D'oh!  I didn't look far down enough to see the fourth call of callPrivate().

Comment 7

[Pulsebot]

Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d3b50142a70c
Odin: don't forget to check for dead code in builtin call (r=jolesen)

Comment 8

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/d3b50142a70c