Closed Bug 1349298 Opened 3 years ago Closed 3 years ago

Assertion failure: numOptimizedStubs_ < 16, at js/src/jit/ICState.h:104

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla55
Tracking Status
firefox52 --- wontfix
firefox-esr52 --- wontfix
firefox53 --- fixed
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, jsbugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 9fb5e850ab7a (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --baseline-eager --no-ion):

for (var d of [0, objectEmulatingUndefined(), objectEmulatingUndefined(),
                  objectEmulatingUndefined(), objectEmulatingUndefined(),
                  objectEmulatingUndefined(), objectEmulatingUndefined(),
                  objectEmulatingUndefined(), objectEmulatingUndefined(),
                  objectEmulatingUndefined(), objectEmulatingUndefined(),
                  objectEmulatingUndefined(), objectEmulatingUndefined(),
                  objectEmulatingUndefined(), objectEmulatingUndefined(),
                  objectEmulatingUndefined(), objectEmulatingUndefined()
]) {
    ''.search(d);
}


Backtrace:

#0  js::jit::ICState::trackAttached (this=<optimized out>) at js/src/jit/ICState.h:104
#1  js::jit::ICFallbackStub::addNewStub (this=this@entry=0x7f731efb4170, stub=<optimized out>) at js/src/jit/SharedIC.h:804
#2  0x00000000005efe24 in js::jit::DoTypeOfFallback (cx=0x7f731ef71000, frame=<optimized out>, stub=0x7f731efb4170, val=..., res=...) at js/src/jit/BaselineIC.cpp:4339
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f98a326bcf8d
user:        Jan de Mooij
date:        Mon Mar 20 14:00:33 2017 +0100
summary:     Bug 1328140 - Improve handling of IC failures, add megamorphic IC stubs. r=h4writer

Jan, is bug 1328140 a likely regressor?
Blocks: 1328140
Flags: needinfo?(jdemooij)
Hmm, it looks like Baseline's TypeOf IC can attach an unlimited number of stubs :( Bug 1328140 just happens to add stronger asserts to catch these issues. I'll fix it this week.
Attached patch: Patch (Splinter Review)
Simple fix, just check the number of stubs.
Assignee: nobody → jdemooij
Flags: needinfo?(jdemooij)
Attachment #8850898 - Flags: review?(hv1989)
Attachment #8850898 - Flags: review?(hv1989) → review+
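To make the cause and the fix concrete, here is an added, simplified C++ model of a Baseline-style inline-cache chain for typeof. It is not SpiderMonkey's code: the class and function names (ICFallbackStub, addNewStub, trackAttached, runTypeOfIC) are invented for this illustration and only the limit of 16 is taken from the assertion in the bug title. The unbounded variant shows why a debug build trips the assertion once a 17th distinct operand arrives, and the bounded variant shows the shape of the fix: stop attaching at the limit and fall back to a megamorphic path, so the chain (and its memory) stays bounded instead of growing with every new object the script feeds in.

```cpp
#include <cstdint>
#include <cstdio>
#include <unordered_set>
#include <vector>

// Hypothetical model of a Baseline inline-cache (IC) chain for `typeof`.
// Not SpiderMonkey code; names are invented for illustration. The limit of
// 16 is the bound asserted in the bug title.
constexpr uint32_t kMaxOptimizedStubs = 16;

enum class ICMode { Specialized, Megamorphic };

class ICFallbackStub {
public:
    explicit ICFallbackStub(bool enforceLimit) : enforceLimit_(enforceLimit) {}

    // Does an optimized stub already cover this operand? Real stubs guard on
    // shape/class; an object id stands in for that here.
    bool hasStubFor(uint64_t objectId) const { return attached_.count(objectId) != 0; }

    // Attach one more optimized stub. With the limit enforced (the fix), the
    // IC stops specializing at kMaxOptimizedStubs and goes megamorphic.
    // Without it (the pre-fix TypeOf IC) the chain keeps growing.
    bool addNewStub(uint64_t objectId) {
        if (enforceLimit_ && numOptimizedStubs_ >= kMaxOptimizedStubs) {
            mode_ = ICMode::Megamorphic;
            return false;
        }
        trackAttached();
        attached_.insert(objectId);
        return true;
    }

    uint32_t numOptimizedStubs() const { return numOptimizedStubs_; }
    bool assertionFailed() const { return assertionFailed_; }
    ICMode mode() const { return mode_; }

private:
    // Mirrors the debug assertion `numOptimizedStubs_ < 16`: the bound must
    // hold *before* the new stub is counted. Rather than aborting, the model
    // records that a debug build would have asserted here.
    void trackAttached() {
        if (!(numOptimizedStubs_ < kMaxOptimizedStubs)) assertionFailed_ = true;
        ++numOptimizedStubs_;
    }

    bool enforceLimit_;
    uint32_t numOptimizedStubs_ = 0;
    bool assertionFailed_ = false;
    ICMode mode_ = ICMode::Specialized;
    std::unordered_set<uint64_t> attached_;
};

struct ICResult {
    uint32_t numStubs;
    bool assertionFailed;
    ICMode mode;
};

// Feed a sequence of observed operands through one typeof IC, the way the
// reporter's loop does. An operand no existing stub covers asks the fallback
// stub to attach another one.
ICResult runTypeOfIC(const std::vector<uint64_t>& observedIds, bool enforceLimit) {
    ICFallbackStub ic(enforceLimit);
    for (uint64_t id : observedIds) {
        if (!ic.hasStubFor(id)) ic.addNewStub(id);
    }
    return ICResult{ic.numOptimizedStubs(), ic.assertionFailed(), ic.mode()};
}

// Constructed input: n distinct operands, like the testcase's 17 distinct
// loop values (0 plus sixteen objectEmulatingUndefined() objects).
std::vector<uint64_t> distinctIds(uint32_t n) {
    std::vector<uint64_t> ids;
    for (uint64_t i = 1; i <= n; ++i) ids.push_back(i);
    return ids;
}

int main() {
    ICResult before = runTypeOfIC(distinctIds(17), /*enforceLimit=*/false);
    ICResult after = runTypeOfIC(distinctIds(17), /*enforceLimit=*/true);
    std::printf("unbounded: %u stubs, assertion would fire: %s\n",
                before.numStubs, before.assertionFailed ? "yes" : "no");
    std::printf("bounded:   %u stubs, mode: %s\n", after.numStubs,
                after.mode == ICMode::Megamorphic ? "megamorphic" : "specialized");
    return 0;
}
```

The practical point for anyone maintaining a cache like this: the assertion is only the debug-build symptom; in a release build the same input would keep attaching stubs, which is the "worse performance and memory usage" the uplift request below refers to, so the check belongs on the attach path itself rather than only in an assert.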
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8a543634c620
Add a stub limit to Baseline's TypeOf IC. r=h4writer
https://hg.mozilla.org/mozilla-central/rev/8a543634c620
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Comment on attachment 8850898 (Patch)

I guess it can't hurt to backport this and it might make a difference somewhere.

Approval Request Comment
[Feature/Bug causing the regression]: Old bug.
[User impact if declined]: Worse performance and memory usage in some cases.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: Yes.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: It just limits the number of stubs we attach, like we do elsewhere.
[String changes made/needed]: None.
Attachment #8850898 - Flags: approval-mozilla-beta?
Attachment #8850898 - Flags: approval-mozilla-aurora?
Comment on attachment 8850898 (Patch)

Fix an assertion failure. Aurora54+ & Beta53+.
Attachment #8850898 - Flags: approval-mozilla-beta?
Attachment #8850898 - Flags: approval-mozilla-beta+
Attachment #8850898 - Flags: approval-mozilla-aurora?
Attachment #8850898 - Flags: approval-mozilla-aurora+