Closed
Bug 1314172
Opened 8 years ago
Closed 8 years ago
Assertion failure: usesBalance <= 0 (More use checks than operand checks), at js/src/jit/IonAnalysis.cpp:2755
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla53
| Tracking | Status | |
|---|---|---|
| firefox51 | --- | unaffected |
| firefox52 | --- | fixed |
| firefox53 | --- | fixed |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
Attachments
(4 files, 1 obsolete file)
|
31.50 KB,
text/plain
|
Details | |
|
10.57 KB,
text/plain
|
Details | |
|
5.71 KB,
patch
|
Details | Diff | Splinter Review | |
|
4.56 KB,
patch
|
h4writer
:
review+
jcristau
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 37ab1d54a08e (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):
oomTest(function() {
Array(1[new Uint8Array()])
})
Backtrace:
0 js-dbg-64-dm-clang-darwin-37ab1d54a08e 0x000000010df664a6 js::jit::AssertBasicGraphCoherency(js::jit::MIRGraph&) + 5510 (IonAnalysis.cpp:2755)
1 js-dbg-64-dm-clang-darwin-37ab1d54a08e 0x000000010df61de6 js::jit::OptimizeMIR(js::jit::MIRGenerator*) + 230 (Ion.cpp:1513)
2 js-dbg-64-dm-clang-darwin-37ab1d54a08e 0x000000010df6ee3a js::jit::CompileBackEnd(js::jit::MIRGenerator*) + 74 (Ion.cpp:2021)
3 js-dbg-64-dm-clang-darwin-37ab1d54a08e 0x000000010df70c9a js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) + 3834 (Ion.cpp:2302)
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
| Comment hidden (obsolete) |
|
|
Reporter | |
Comment 4•8 years ago
|
||
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20161028054458" and the hash "36deeea122f9f5898cfb8360cd7012e3d4a3fe03".
The "bad" changeset has the timestamp "20161028054558" and the hash "726ec9c83018397c0617eb25f71dde6e383b5ec3".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=36deeea122f9f5898cfb8360cd7012e3d4a3fe03&tochange=726ec9c83018397c0617eb25f71dde6e383b5ec3
Oops, probably the wrong bug for comment 3.
Nicolas, is bug 1303399 a likely regressor?
|
|
Reporter | |
Comment 5•8 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/47e4fb57325d
user: Nicolas B. Pierron
date: Fri Oct 28 12:45:31 2016 +0000
summary: Bug 1303399 part 2 - IonMonkey: Fallback when we fail to inline an uninlinable function. r=h4writer
|
||
Comment 6•8 years ago
|
||
Yes, this error was never seen before and sounds like something that could have been introduced by an incomplete clean-up. I will look at it tomorrow.
|
|
||
Comment 7•8 years ago
|
||
This issue arise because IonBuilder fails to properly reports AbortReason_Alloc, and by default reports them as AbortReason_NoAbort. This should be fixed by Bug 1286505, as mentioned in Bug 1303399 comment 9.
|
||
Comment 8•8 years ago
|
||
Merge has happened. Moving the bugs from P2 to P1. Bug 1286505 is also P1.
Priority: P2 → P1
|
|
||
Comment 9•8 years ago
|
||
This patch fixes the first issue, but apparently, this just push the issue
to another allocation nearby, which causes the same failure.
|
|
||
Comment 10•8 years ago
|
||
Fixes both issues, all of the same kind which is that we are trying to
recover from an allocation failure, which leave dangling uses.
|
|
||
Updated•8 years ago
|
Attachment #8812824 -
Attachment is obsolete: true
|
|
||
Comment 11•8 years ago
|
||
This re-add the AbortReason_Inlining previously removed by Bug 1303399, and
add a JitOption flag to toggle the backupPoint.restore().
This patch disables it by default in order to prevent fuzzers/users from
hitting this issue while Bug 1286505 is not fixed.
Attachment #8813715 -
Flags: review?(hv1989)
|
|
||
Updated•8 years ago
|
status-firefox51:
--- → unaffected
status-firefox53:
--- → affected
Flags: needinfo?(nicolas.b.pierron)
|
|
||
Comment 12•8 years ago
|
||
Comment on attachment 8813715 [details] [diff] [review]
Add an option to toggle backtracking on inlining failures.
Review of attachment 8813715 [details] [diff] [review]:
-----------------------------------------------------------------
Better approach than just backing out! Thanks!
::: js/src/jit/IonBuilder.cpp
@@ +5267,2 @@
> current = backup.restore();
> return InliningStatus_NotInlined;
Might be easier to reverse it. That way you don't have to put "return InliningStatus_Error";
if (!JitOptions.disableInlineBacktracking) {
current = backup.restore();
return InliningStatus_NotInlined;
}
abortReason_ = AbortReason_Inlining;
Attachment #8813715 -
Flags: review?(hv1989) → review+
|
||
Comment 13•8 years ago
|
||
Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/08cbfe9c9060
Add an option to toggle backtracking on inlining failures. r=h4writer
|
||
Comment 14•8 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
|
|
Reporter | |
Comment 15•8 years ago
|
||
Nicolas, it would be nice to backport this for 52 please (future ESR).
|
|
Reporter | |
Comment 16•8 years ago
|
||
Also it is showing quite a bit on 52 as current Aurora branch.
|
|
||
Updated•8 years ago
|
Flags: needinfo?(nicolas.b.pierron)
|
|
||
Comment 17•8 years ago
|
||
Comment on attachment 8813715 [details] [diff] [review]
Add an option to toggle backtracking on inlining failures.
Approval Request Comment
[Feature/Bug causing the regression]: Bug 1303399 (not safe until Bug 1286505 is resolved)
[User impact if declined]: Bad reporting of OOM => bad crash addresses.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: Yes.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: No.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: This patch add a flag to disable the feature added in Bug 1303399.
[String changes made/needed]: N/A
Flags: needinfo?(nicolas.b.pierron)
Attachment #8813715 -
Flags: approval-mozilla-aurora?
|
||
Comment 18•8 years ago
|
||
Comment on attachment 8813715 [details] [diff] [review]
Add an option to toggle backtracking on inlining failures.
JS jit fix for aurora52
Attachment #8813715 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
||
Comment 20•8 years ago
|
||
| bugherder uplift | ||
|
||
Comment 21•8 years ago
|
||
Nicolas, is there anything blocking us still from enabling this option? I noticed some Inlining aborts on Speedometer.
Flags: needinfo?(nicolas.b.pierron)
|
|
||
Comment 22•8 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #21)
> Nicolas, is there anything blocking us still from enabling this option? I
> noticed some Inlining aborts on Speedometer.
No, all should have been fixed by Bug 1286505.
We should no longer have any blocker, I will keep this needinfo to recall to enable & test it later this week.
|
|
||
Comment 23•6 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #21)
> Nicolas, is there anything blocking us still from enabling this option? I
> noticed some Inlining aborts on Speedometer.
This got enabled by default in Bug 1373323.
Flags: needinfo?(nicolas.b.pierron)
You need to log in
before you can comment on or make changes to this bug.
Description
•