1416727 - Assertion failure: numOptimizedStubs_ < 16, at js/src/jit/ICState.h:108 with Debugger

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision fc194660762d+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

g = newGlobal()
g.parent = this
g.eval("new Debugger(parent).onExceptionUnwind = function () {}")
test();
function test() {
    function f(n) {
        if (n != 0) {
            f(n - 1);
        }
        try {
            test();
        } finally {}
    }
    f(100);
}


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x000000000063c060 in js::jit::ICState::trackAttached (this=<optimized out>) at js/src/jit/ICState.h:108
#0  0x000000000063c060 in js::jit::ICState::trackAttached (this=<optimized out>) at js/src/jit/ICState.h:108
#1  js::jit::ICFallbackStub::addNewStub (this=this@entry=0x7ffff5f99120, stub=<optimized out>) at js/src/jit/SharedIC.h:804
#2  0x0000000000edc40b in CloneOldBaselineStub (entryIndex=11313, entries=..., cx=0x7ffff5f16000) at js/src/jit/BaselineDebugModeOSR.cpp:790
#3  js::jit::RecompileOnStackBaselineScriptsForDebugMode (cx=cx@entry=0x7ffff5f16000, obs=..., observing=observing@entry=js::Debugger::Observing) at js/src/jit/BaselineDebugModeOSR.cpp:889
#4  0x0000000000b2060c in js::Debugger::updateExecutionObservabilityOfFrames (cx=cx@entry=0x7ffff5f16000, obs=..., observing=js::Debugger::Observing) at js/src/vm/Debugger.cpp:2522
#5  0x0000000000b208b6 in js::Debugger::ensureExecutionObservabilityOfFrame (cx=0x7ffff5f16000, frame=...) at js/src/vm/Debugger.cpp:2749
#6  0x0000000000b5f276 in js::Debugger::getScriptFrameWithIter (this=this@entry=0x7ffff5f3f800, cx=cx@entry=0x7ffff5f16000, referent=..., maybeIter=maybeIter@entry=0x7fffffe00e10, result=..., result@entry=...) at js/src/vm/Debugger.cpp:815
#7  0x0000000000b5f4c8 in js::Debugger::getScriptFrameWithIter (this=this@entry=0x7ffff5f3f800, cx=cx@entry=0x7ffff5f16000, referent=..., maybeIter=maybeIter@entry=0x7fffffe00e10, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:786
#8  0x0000000000b61a28 in js::Debugger::getScriptFrame (vp=..., iter=..., cx=0x7ffff5f16000, this=0x7ffff5f3f800) at js/src/vm/Debugger.h:1050
#9  js::Debugger::fireExceptionUnwind (this=this@entry=0x7ffff5f3f800, cx=cx@entry=0x7ffff5f16000, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1797
#10 0x0000000000b62423 in js::Debugger::<lambda(js::Debugger*)>::operator() (dbg=0x7ffff5f3f800, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:1075
#11 js::Debugger::dispatchHook<js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)>, js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)> > (fireHook=..., cx=0x7ffff5f16000, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1915
#12 js::Debugger::slowPathOnExceptionUnwind (cx=0x7ffff5f16000, frame=...) at js/src/vm/Debugger.cpp:1076
#13 0x0000000000777568 in js::Debugger::onExceptionUnwind (frame=..., cx=<optimized out>) at js/src/vm/Debugger-inl.h:66
#14 js::jit::HandleExceptionBaseline (pc=0x7ffff4135413 "u", rfe=<optimized out>, frame=..., cx=0x7ffff5f16000) at js/src/jit/JitFrames.cpp:500
#15 js::jit::HandleException (rfe=<optimized out>) at js/src/jit/JitFrames.cpp:713
#16 0x000020e147cfb676 in ?? ()
[...]
#30 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff3f84930	140737286523184
rcx	0x7ffff6c282ad	140737333330605
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffdfffe0	140737486258144
rsp	0x7fffffdfffe0	140737486258144
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9e7a0	140737332766624
r12	0x2c31	11313
r13	0x7ffff44921f0	140737291821552
r14	0x7ffff5f8f350	140737320121168
r15	0x7ffff5f16000	140737319624704
rip	0x63c060 <js::jit::ICFallbackStub::addNewStub(js::jit::ICStub*)+224>
=> 0x63c060 <js::jit::ICFallbackStub::addNewStub(js::jit::ICStub*)+224>:	movl   $0x0,0x0
   0x63c06b <js::jit::ICFallbackStub::addNewStub(js::jit::ICStub*)+235>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/5bb170d70875
user:        Kannan Vijayan
date:        Tue Jul 25 11:28:38 2017 -0400
summary:     Bug 1366375 - Add CacheIR stub for optimizing calls to array_push.  r=jandem

This iteration took 272.667 seconds to run.

Comment 2

[Jan de Mooij [:jandem]]

Attachment: Patch

There are some problems with Baeline's Call IC since we now have both CacheIR and non-CacheIR call stubs.

For instance we would discard stubs when we had 6 of them and make the IC megamorphic, before we had a chance to generalize call stubs (when we have 7 of them).

We really need to port the other stubs to CacheIR but this should do for now.

Comment 3

[Kannan Vijayan [:djvj]]

Comment on attachment 8927856 [details] [diff] [review]
Patch

Review of attachment 8927856 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good.

Comment 4

[Pulsebot]

Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/fe2899c8ac32
Fix some problems with Baseline's Call IC. r=djvj

Comment 5

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Backed out for frequently failing asan's bug1416727.js:

https://hg.mozilla.org/integration/mozilla-inbound/rev/8083a15a4b90297391a4aad6f3c97951909605aa

A push with retriggers and failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=e49d8769f50a0c6bfa0f42fdf4fcc2a1da1edbd6&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=retry&filter-resultStatus=usercancel&filter-resultStatus=runnable&selectedJob=150234565
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=150234565&repo=mozilla-inbound

[task 2017-12-06T17:22:36.695Z] TIMEOUT - baseline/bug1416727.js
[task 2017-12-06T17:22:36.695Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/baseline/bug1416727.js | Timeout (code -9, args "--no-baseline --no-ion") [150.0 s]

Comment 6

[Pulsebot]

Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f55bb83ded1b
Fix some problems with Baseline's Call IC. r=djvj

Comment 7

[Jan de Mooij [:jandem]]

Pushed this with a slightly simpler test.

Comment 8

[Pulsebot]

Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/80bd0089e77f
followup - Add try-catch to ignore overrecursion exceptions. r=red

Comment 9

[Dorel Luca [:dluca]]

https://hg.mozilla.org/mozilla-central/rev/f55bb83ded1b
https://hg.mozilla.org/mozilla-central/rev/80bd0089e77f

Comment 10

[Gerry Chang [:gchang]]

Too late for Beta58. Mark 58 won't fix.