Closed Bug 1341339 Opened 6 years ago Closed 6 years ago

Assertion failure: !hasFlags(1 << InWorklist), at js/src/jit/MIR.h:733

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla54
Tracking Flags:
Tracking Status
firefox52 --- unaffected
firefox53 --- fixed
firefox54 --- fixed

People

(Reporter: decoder, Assigned: shu)

References

Details

(4 keywords, Whiteboard: [jsbugmon:])

Attachments

(1 file)

Check for duplicates in processIterators.
1.50 KB, patch
jandem
: review+
lizzard
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision d84beb192e57 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --ion-eager):

let m = parseModule(`
function* values() {}
var iterator = values();
for (var i=0; i < 10000; ++i) {
    for (var x of iterator) {}
}
`);
m.declarationInstantiation();
m.evaluation();



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x00000000006da820 in js::jit::MDefinition::setInWorklist (this=<optimized out>) at js/src/jit/MIR.h:733
#0  0x00000000006da820 in js::jit::MDefinition::setInWorklist (this=<optimized out>) at js/src/jit/MIR.h:733
#1  js::jit::IonBuilder::processIterators (this=this@entry=0x7ffff02a02b8) at js/src/jit/IonBuilder.cpp:893
#2  0x00000000006e605e in js::jit::IonBuilder::build (this=this@entry=0x7ffff02a02b8) at js/src/jit/IonBuilder.cpp:856
#3  0x0000000000430308 in js::jit::IonCompile (cx=cx@entry=0x7ffff6921000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffb4a8, osrPc=osrPc@entry=0x7ffff03c62e3 "\343\202Q\f\f\270", recompile=<optimized out>, optimizationLevel=<optimized out>) at js/src/jit/Ion.cpp:2267
#4  0x00000000006fa1b8 in js::jit::Compile (cx=cx@entry=0x7ffff6921000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffb4a8, osrPc=osrPc@entry=0x7ffff03c62e3 "\343\202Q\f\f\270", forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2525
#5  0x00000000006faafb in BaselineCanEnterAtBranch (pc=0x7ffff03c62e3 "\343\202Q\f\f\270", osrFrame=0x7fffffffb4a8, script=..., cx=0x7ffff6921000) at js/src/jit/Ion.cpp:2716
#6  js::jit::IonCompileScriptForBaseline (cx=cx@entry=0x7ffff6921000, frame=frame@entry=0x7fffffffb4a8, pc=pc@entry=0x7ffff03c62e3 "\343\202Q\f\f\270") at js/src/jit/Ion.cpp:2774
#7  0x00000000005e8086 in js::jit::DoWarmUpCounterFallbackOSR (cx=0x7ffff6921000, frame=0x7fffffffb4a8, stub=0x7ffff69e2218, infoPtr=0x7fffffffb458) at js/src/jit/BaselineIC.cpp:143
#8  0x000018425caa74de in ?? ()
[...]
#18 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffffaf50	140737488334672
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffaff0	140737488334832
rsp	0x7fffffffaf00	140737488334592
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x1	1
r13	0x8	8
r14	0x7ffff02a02b8	140737222673080
r15	0x1	1
rip	0x6da820 <js::jit::IonBuilder::processIterators()+896>
=> 0x6da820 <js::jit::IonBuilder::processIterators()+896>:	movl   $0x0,0x0
   0x6da82b <js::jit::IonBuilder::processIterators()+907>:	ud2
Shu, NI you because you changed processIterators recently.
Flags: needinfo?(shu)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]

        Attachment #8839763 -
        Flags: review?(jdemooij)

    
  
Flags: needinfo?(shu)

        Attachment #8839763 -
        Flags: review?(jdemooij) → review+
Assignee: nobody → shu

    
    

    
  
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2bd07604e754
Check for duplicates in processIterators. (r=jandem)

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/2bd07604e754
Status: NEW → RESOLVED
Closed: 6 years ago

          status-firefox54:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54

    
    

    
  
IIUC, this was a regression from bug 1333946. Assuming that's the case, please request Aurora approval on this when you get a chance.
Blocks: 1333946

          status-firefox52:
          --- → unaffected

          status-firefox53:
          --- → affected
Flags: needinfo?(shu)
Flags: in-testsuite+

    
    

    
  
Comment on attachment 8839763 [details] [diff] [review]
Check for duplicates in processIterators.

Approval Request Comment
[Feature/Bug causing the regression]: bug 1333946
[User impact if declined]: actually, probably nothing, as this is a DEBUG-only assert
[Is this code covered by automated tests?]: yes, on central
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: nope
[List of other uplifts needed for the feature/fix]: nope
[Is the change risky?]: nope
[Why is the change risky/not risky?]: nope
[String changes made/needed]: none
Flags: needinfo?(shu)

        Attachment #8839763 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Comment on attachment 8839763 [details] [diff] [review]
Check for duplicates in processIterators.

Adds a test, fixes an assert, let's uplift to aurora.

        Attachment #8839763 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

          You need to log in
          before you can comment on or make changes to this bug.