Closed Bug 1441012 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(unknown goto case) at js/src/jit/IonControlFlow.cpp:299

Categories: Core :: JavaScript Engine: JIT, defect, P1, critical
Platform: x86_64 Linux

Tracking: RESOLVED FIXED, target milestone mozilla60
Tracking Status:
firefox-esr52 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- fixed

People: Reporter: decoder, Assigned: jandem

References: Blocks 1 open bug

Details: 5 keywords, Whiteboard: [jsbugmon:update]

Attachments: 1 file

The following testcase crashes on mozilla-central revision bfe62272d2a2 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

setJitCompilerOption("ion.warmup.trigger", 30);
var gclef = "x";
Array.from(gclef);
Array.from(gclef + " G");
String.prototype[Symbol.iterator] = function* () {
  return "pass";
  (yield* gclef);
};
Array.from("anything");
Array.from(gclef);
Array.from(gclef);
Array.from(gclef);
Array.from(gclef);
Array.from(gclef + " G");
Array.from(gclef);
Array.from(gclef);
Array.from(gclef);
Array.from(gclef);
Array.from(gclef);
Array.from(gclef + " G");


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x000000000074ca90 in js::jit::ControlFlowGenerator::snoopControlFlow (this=0x7fffffffa270, op=JSOP_GOTO) at js/src/jit/IonControlFlow.cpp:299
#0  0x000000000074ca90 in js::jit::ControlFlowGenerator::snoopControlFlow (this=0x7fffffffa270, op=JSOP_GOTO) at js/src/jit/IonControlFlow.cpp:299
#1  0x000000000074cc5e in js::jit::ControlFlowGenerator::traverseBytecode (this=0x7fffffffa270) at js/src/jit/IonControlFlow.cpp:243
#2  0x000000000074d078 in GetOrCreateControlFlowGraph (tempAlloc=..., script=0x7ffff4c934c0, cfgOut=cfgOut@entry=0x7fffffffacc0) at js/src/jit/IonBuilder.cpp:1401
#3  0x000000000074d98b in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7fffffffaa70) at js/src/jit/IonBuilder.cpp:1458
#4  0x000000000074f0b2 in js::jit::IonBuilder::buildInline (this=this@entry=0x7fffffffaa70, callerBuilder=callerBuilder@entry=0x7fffffffb540, callerResumePoint=callerResumePoint@entry=0x7ffff5fadce0, callInfo=...) at js/src/jit/IonBuilder.cpp:1027
#5  0x000000000074f6a5 in js::jit::IonBuilder::inlineScriptedCall (this=this@entry=0x7fffffffb540, callInfo=..., target=<optimized out>) at js/src/jit/IonBuilder.cpp:3802
#6  0x000000000074fdb7 in js::jit::IonBuilder::inlineSingleCall (this=this@entry=0x7fffffffb540, callInfo=..., targetArg=targetArg@entry=0x7ffff4cabb00) at js/src/jit/IonBuilder.cpp:4330
#7  0x00000000007516e5 in js::jit::IonBuilder::inlineCallsite (this=this@entry=0x7fffffffb540, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:4384
#8  0x0000000000751a94 in js::jit::IonBuilder::jsop_call (this=this@entry=0x7fffffffb540, argc=0, constructing=<optimized out>, ignoresReturnValue=<optimized out>) at js/src/jit/IonBuilder.cpp:5412
#9  0x00000000007570f9 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7fffffffb540, op=op@entry=JSOP_CALL) at js/src/jit/IonBuilder.cpp:2062
#10 0x0000000000758e7b in js::jit::IonBuilder::visitBlock (this=this@entry=0x7fffffffb540, cfgblock=cfgblock@entry=0x7ffff5f95310, mblock=<optimized out>) at js/src/jit/IonBuilder.cpp:1563
#11 0x000000000074db86 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7fffffffb540) at js/src/jit/IonBuilder.cpp:1480
#12 0x000000000074f0b2 in js::jit::IonBuilder::buildInline (this=this@entry=0x7fffffffb540, callerBuilder=callerBuilder@entry=0x7ffff5f8d2f0, callerResumePoint=callerResumePoint@entry=0x7ffff5fad0e8, callInfo=...) at js/src/jit/IonBuilder.cpp:1027
#13 0x000000000074f6a5 in js::jit::IonBuilder::inlineScriptedCall (this=this@entry=0x7ffff5f8d2f0, callInfo=..., target=<optimized out>) at js/src/jit/IonBuilder.cpp:3802
#14 0x000000000074fdb7 in js::jit::IonBuilder::inlineSingleCall (this=this@entry=0x7ffff5f8d2f0, callInfo=..., targetArg=targetArg@entry=0x7ffff4cb4790) at js/src/jit/IonBuilder.cpp:4330
#15 0x00000000007516e5 in js::jit::IonBuilder::inlineCallsite (this=this@entry=0x7ffff5f8d2f0, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:4384
#16 0x0000000000751a94 in js::jit::IonBuilder::jsop_call (this=this@entry=0x7ffff5f8d2f0, argc=0, constructing=<optimized out>, ignoresReturnValue=<optimized out>) at js/src/jit/IonBuilder.cpp:5412
#17 0x00000000007570f9 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff5f8d2f0, op=op@entry=JSOP_CALLITER) at js/src/jit/IonBuilder.cpp:2062
#18 0x0000000000758e7b in js::jit::IonBuilder::visitBlock (this=this@entry=0x7ffff5f8d2f0, cfgblock=cfgblock@entry=0x7ffff49533f0, mblock=<optimized out>) at js/src/jit/IonBuilder.cpp:1563
#19 0x000000000074db86 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff5f8d2f0) at js/src/jit/IonBuilder.cpp:1480
#20 0x000000000074e8f2 in js::jit::IonBuilder::build (this=this@entry=0x7ffff5f8d2f0) at js/src/jit/IonBuilder.cpp:863
#21 0x0000000000434198 in js::jit::IonCompile (cx=cx@entry=0x7ffff5f16000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffc2c8, osrPc=osrPc@entry=0x0, recompile=<optimized out>, optimizationLevel=<optimized out>) at js/src/jit/Ion.cpp:2199
#22 0x000000000075fa08 in js::jit::Compile (cx=cx@entry=0x7ffff5f16000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffc2c8, osrPc=osrPc@entry=0x0, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2463
#23 0x00000000007602d6 in BaselineCanEnterAtEntry (frame=0x7fffffffc2c8, script=..., cx=0x7ffff5f16000) at js/src/jit/Ion.cpp:2579
#24 js::jit::IonCompileScriptForBaseline (cx=0x7ffff5f16000, frame=0x7fffffffc2c8, pc=<optimized out>) at js/src/jit/Ion.cpp:2701
#25 0x00000781a2d7d995 in ?? ()
[...]
#78 0x00007fffffffc8e0 in ?? ()
#79 0x000000000078b451 in EnterJit (cx=0x7fffffffbe50, state=..., code=0x0) at js/src/jit/Jit.cpp:101
rax	0x0	0
rbx	0x6	6
rcx	0x7ffff6c282ad	140737333330605
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffa1b0	140737488331184
rsp	0x7fffffffa1a0	140737488331168
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4780	140737354024832
r10	0x58	88
r11	0x7ffff6b9e7a0	140737332766624
r12	0x7fffffffa270	140737488331376
r13	0x1	1
r14	0x7fffffffa338	140737488331576
r15	0x7fffffffa910	140737488333072
rip	0x74ca90 <js::jit::ControlFlowGenerator::snoopControlFlow(JSOp)+576>
=> 0x74ca90 <js::jit::ControlFlowGenerator::snoopControlFlow(JSOp)+576>:	movl   $0x0,0x0
   0x74ca9b <js::jit::ControlFlowGenerator::snoopControlFlow(JSOp)+587>:	ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9dd114fb1542
user:        André Bargull
date:        Fri May 19 12:46:43 2017 -0700
summary:     Bug 1366372 - Remove performance pitfalls in Array.from method. r=evilpie

This iteration took 254.580 seconds to run.
Array.from wasn't compiled in Ion before bug 1366372, that's why autoBisect showed bug 1366372 as the regressor. But the actual issue isn't related to Array.from, see this minimised test case:

---
setJitCompilerOption("ion.warmup.trigger", 30);

function Iterate(items) {
    for (var value of items) {}
}
var iterable = {
    *[Symbol.iterator]() {
        return "pass";
        (yield* iterable);
    }
};
for (var i = 0; i < 20; ++i) {
    Iterate(iterable);
}
---
Christian, re-bisect using the test in comment 2?
Component: JavaScript Engine → JavaScript Engine: JIT
Flags: needinfo?(choller)
Priority: -- → P1
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b1204c61ba56
parent:      386237:4ab539ae8b5b
user:        Jan de Mooij
date:        Sat Oct 14 12:45:54 2017 +0200
summary:     Bug 1407607 - Use a single entry point for C++ -> JIT calls. r=nbp

Jan, is bug 1407607 a likely regressor?
Blocks: 1407607
Flags: needinfo?(choller) → needinfo?(jdemooij)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> Jan, is bug 1407607 a likely regressor?

No it's unrelated. I'll post a patch soon.
No longer blocks: 1407607
Attached patch PatchSplinter Review
We're trying to inline a generator function.

We check for generators when we're not inlining: https://searchfox.org/mozilla-central/rev/14d933246211b02f5be21d2e730a57cf087c6606/js/src/jit/Ion.cpp#2324

This patch just refactors the code so we do these checks also when we're inlining.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8954731 - Flags: review?(nicolas.b.pierron)
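The inlining condition described in the comment above (a generator function reached through @@iterator from a hot for-of loop), written up as a portable regression harness. This is an added example, not the bug's own testcase and not SpiderMonkey code. It runs unchanged under Node and under the SpiderMonkey shell: the `setJitCompilerOption` call and the `ion.warmup.trigger` value come from the testcases on this page and only take effect in the shell, and the helper names (`makeEarlyReturnIterable`, `makePlainIterable`, `iterate`, `runHot`, `firstStep`) are this example's own.

```javascript
// Added example: regression harness for the "inline a generator @@iterator"
// condition. Not the bug's testcase; helper names are this example's own.
"use strict";

// In the SpiderMonkey shell, lower the Ion warmup threshold (value taken from the
// testcases above) so the hot loop below is Ion-compiled quickly. Under Node or
// any other engine the option does not exist and this is skipped.
if (typeof setJitCompilerOption === "function") {
  setJitCompilerOption("ion.warmup.trigger", 30);
}

// An iterable whose @@iterator is a *generator function* that returns before its
// first yield. The first next() call produces { value: "pass", done: true }, so a
// for-of loop visits zero elements. The unreachable `yield*` keeps the method a
// generator, which is exactly the kind of script Ion refuses to compile.
function makeEarlyReturnIterable() {
  const iterable = {
    *[Symbol.iterator]() {
      return "pass";
      // eslint-disable-next-line no-unreachable
      yield* iterable;
    },
  };
  return iterable;
}

// Control case: identical observable behaviour (zero elements, value "pass") from a
// hand-written iterator object. No generator function is involved, so there is
// nothing here that Ion would need to refuse to inline.
function makePlainIterable() {
  return {
    [Symbol.iterator]() {
      return {
        next() {
          return { value: "pass", done: true };
        },
      };
    },
  };
}

// Counts how many elements a for-of loop over `items` actually visits. The
// for-of desugars to an @@iterator call (JSOP_CALLITER) followed by next() calls,
// which is the call site IonBuilder tried to inline in the backtrace.
function iterate(items) {
  let count = 0;
  for (const value of items) {
    void value;
    count++;
  }
  return count;
}

// Drives `iterate` enough times for it to become hot. On an affected debug build
// of the shell this is where the generator @@iterator gets inlined and the
// MOZ_CRASH fires; on a fixed build (or under Node) it simply returns counts.
function runHot(items, rounds) {
  let total = 0;
  for (let i = 0; i < rounds; i++) {
    total += iterate(items);
  }
  return { rounds, total };
}

// Direct view of the iterator-protocol result the for-of loop consumes first.
function firstStep(items) {
  return items[Symbol.iterator]().next();
}

// Stand-alone run: 50 rounds over each iterable, plus a sanity check on an array.
const hotGen = runHot(makeEarlyReturnIterable(), 50);
const hotPlain = runHot(makePlainIterable(), 50);
console.log("generator @@iterator:", hotGen, "plain @@iterator:", hotPlain,
            "array of 3:", iterate([1, 2, 3]));
```

Run it as `js harness.js` in a debug shell built before the fix and it is expected to hit the MOZ_CRASH shown above once `iterate` is hot enough to be Ion-compiled with the @@iterator call inlined; in a fixed shell, or under Node, it completes and `runHot` reports 50 rounds visiting 0 elements for both iterables. The `makePlainIterable` variant is the control: same zero-element iteration and same `"pass"` value, but no generator, so it isolates "generator function as @@iterator" as the property that matters.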
Comment on attachment 8954731 [details] [diff] [review]
Patch

Review of attachment 8954731 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/Ion.cpp
@@ +2417,5 @@
> +
> +    const char* reason = nullptr;
> +    if (!CanIonCompileOrInlineScript(script, &reason))
> +        return false;
> +    JitSpew(JitSpew_Inlining, "Cannot Ion compile script (%s)", reason);
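Review bot: the JitSpew call at the end of this hunk is unreachable: it comes after `return false`, so the "Cannot Ion compile script (%s)" message is never emitted and `reason` is filled in for nothing. Move the spew inside the failing branch, before the return, and brace the block:
    if (!CanIonCompileOrInlineScript(script, &reason)) {
        JitSpew(JitSpew_Inlining, "Cannot Ion compile script (%s)", reason);
        return false;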

nit: move this before the return false and add braces.
Attachment #8954731 - Flags: review?(nicolas.b.pierron) → review+
(In reply to Nicolas B. Pierron [:nbp] {backlog: ~36} from comment #7)
> nit: move this before the return false and add braces.

Oops, good catch, that was dumb.
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3ac5bb463708
Don't attempt to inline scripts we know Ion cannot compile. r=nbp
https://hg.mozilla.org/mozilla-central/rev/3ac5bb463708
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60