1313792 - Assertion failure: v.isDouble(), at js/src/jit/Recover.cpp:1074

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 1561c917ee27 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

function f(x, y) {
    return (+Math.pow(0, 0 !== y === (y >>> 0 || 0) | 0));
}
inputs = [4294967295];
for (var j = 0; j < 2; ++j) {
    for (var k = 0; k < 2; ++k) {
        [].push(f(inputs[j], inputs[k]));
    }
}


Backtrace:

0   js-dbg-64-dm-clang-darwin-1561c917ee27	0x000000010a6425f8 js::jit::RNaNToZero::recover(JSContext*, js::jit::SnapshotIterator&) const + 504 (Recover.cpp:1074)
1   js-dbg-64-dm-clang-darwin-1561c917ee27	0x000000010a566103 js::jit::SnapshotIterator::computeInstructionResults(JSContext*, js::jit::RInstructionResults*) const + 307 (JitFrames.cpp:2123)
2   js-dbg-64-dm-clang-darwin-1561c917ee27	0x000000010a565757 js::jit::SnapshotIterator::initInstructionResults(js::jit::MaybeReadFallback&) + 391 (JitFrames.cpp:2076)
3   js-dbg-64-dm-clang-darwin-1561c917ee27	0x000000010a3eedb5 js::jit::BailoutIonToBaseline(JSContext*, js::jit::JitActivation*, js::jit::JitFrameIterator&, bool, js::jit::BaselineBailoutInfo**, js::jit::ExceptionBailoutInfo const*) + 693 (BaselineBailouts.cpp:448)
4   js-dbg-64-dm-clang-darwin-1561c917ee27	0x000000010a3ee88c js::jit::Bailout(js::jit::BailoutStack*, js::jit::BaselineBailoutInfo**) + 316 (Bailouts.cpp:55)
/snip

For detailed crash information, see attachment.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/01d621c2dbe3
user:        Johannes Schulte
date:        Fri Jun 24 19:02:23 2016 +0200
summary:     Bug 1176230 - Try to fold ternary's with double-argument to NaNToZero. r=nbp

Johannes, is bug 1176230 a likely regressor? I checked that this issue still occurs in mozilla-inbound rev tip 72764ba31b81, which contains the patch in bug 1312620.

Comment 3

[Johannes Schulte [:jschulte]]

Attachment: fix_recover.patch

Comment 4

[Nicolas B. Pierron [:nbp]]

Comment on attachment 8805936 [details] [diff] [review]
fix_recover.patch

Review of attachment 8805936 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks :)

Comment 5

[Hannes Verschore [:h4writer]]

Comment on attachment 8805936 [details] [diff] [review]
fix_recover.patch

Review of attachment 8805936 [details] [diff] [review]:
-----------------------------------------------------------------

Drive-by nit

::: js/src/jit/Recover.cpp
@@ +1073,5 @@
>  
> +    if (ToBoolean(v))
> +        result = v;
> +    else
> +        result.setDouble(0.0);

We should probably still assert this is a number?
I.e. assert this is isDouble or isInt32

Next I was a bit confused about the logic here.
Can you add the following comment above the condition:
// x ? x : 0.0

Comment 6

[Johannes Schulte [:jschulte]]

Attachment: fix_recover_v2.patch

https://treeherder.mozilla.org/#/jobs?repo=try&revision=b602a9704d2b

Comment 7

[Pulsebot]

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/82d1209499f2
Handle Int32-Values in RNaNToZero. r=nbp

Comment 8

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/82d1209499f2