Closed Bug 1482906 Opened 6 years ago Closed 4 years ago

Assertion failure: aIndex < mLength with optimization tracking enabled

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

defect

Tracking

()

RESOLVED INVALID
Tracking Status
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- fix-optional

People

(Reporter: anba, Unassigned)

References

Details

Test case, run with: --no-threads --ion-eager --- enableGeckoProfiling(); setJitCompilerOption("ion.forceinlineCaches", 1); setJitCompilerOption("jit.track-optimizations", 1); function f() { var xs = [null, "", 123]; var ys = [undefined, "abc", Symbol()]; var q = 0; for (var i = 0; i < 100; ++i) { if (xs[i & 1] === ys[i & 1]) q++; } assertEq(q, 0); } for (var i = 0; i < 2; ++i) f(); --- Assertion: --- Assertion failure: aIndex < mLength, at /home/andre/hg/mozilla-inbound/js/src/build-debug-obj/dist/include/mozilla/Vector.h:545 0x0000000001bf036c in mozilla::Vector<js::jit::OptimizationAttempt, 4ul, js::jit::JitAllocPolicy>::operator[] (this=0x7ffff5b8bf68, aIndex=4294967295) at /home/andre/hg/mozilla-inbound/js/src/build-debug-obj/dist/include/mozilla/Vector.h:545 545 MOZ_ASSERT(aIndex < mLength); --- Reason: IonBuilder::compareTryBinaryStub() calls trackOptimizationSuccess() without a previous call to trackOptimizationAttempt(). Stack trace: --- #0 0x0000000001bf036c in mozilla::Vector<js::jit::OptimizationAttempt, 4ul, js::jit::JitAllocPolicy>::operator[](unsigned long) (this=0x7ffff5b8bf68, aIndex=4294967295) at /home/andre/hg/mozilla-inbound/js/src/build-debug-obj/dist/include/mozilla/Vector.h:545 #1 0x0000000001bd4a17 in js::jit::TrackedOptimizations::trackSuccess() (this=0x7ffff5b8bef8) at /home/andre/hg/mozilla-inbound/js/src/jit/OptimizationTracking.cpp:61 #2 0x0000000001bd9ae1 in js::jit::IonBuilder::trackOptimizationSuccessUnchecked() (this=0x7ffff5b88270) at /home/andre/hg/mozilla-inbound/js/src/jit/OptimizationTracking.cpp:1161 #3 0x0000000001a00215 in js::jit::IonBuilder::trackOptimizationSuccess() (this=0x7ffff5b88270) at /home/andre/hg/mozilla-inbound/js/src/jit/IonBuilder.h:1126 #4 0x00000000019b462d in js::jit::IonBuilder::compareTryBinaryStub(bool*, js::jit::MDefinition*, js::jit::MDefinition*) (this=0x7ffff5b88270, emitted=0x7fffffffaf17, left= 0x7ffff5b8bdd8, right=0x7ffff5b8be68) at /home/andre/hg/mozilla-inbound/js/src/jit/IonBuilder.cpp:6049 #5 0x00000000019b376b in js::jit::IonBuilder::jsop_compare(JSOp, js::jit::MDefinition*, js::jit::MDefinition*) (this=0x7ffff5b88270, op=JSOP_LT, left=0x7ffff5b8bdd8, right=0x7ffff5b8be68) at /home/andre/hg/mozilla-inbound/js/src/jit/IonBuilder.cpp:5833 #6 0x0000000001998762 in js::jit::IonBuilder::jsop_compare(JSOp) (this=0x7ffff5b88270, op=JSOP_LT) at /home/andre/hg/mozilla-inbound/js/src/jit/IonBuilder.cpp:5812 #7 0x000000000199006d in js::jit::IonBuilder::inspectOpcode(JSOp) (this=0x7ffff5b88270, op=JSOP_LT) at /home/andre/hg/mozilla-inbound/js/src/jit/IonBuilder.cpp:1884 #8 0x000000000198f56c in js::jit::IonBuilder::visitBlock(js::jit::CFGBlock const*, js::jit::MBasicBlock*) (this=0x7ffff5b88270, cfgblock=0x7ffff572f0a0, mblock=0x7ffff5b8b7e0) at /home/andre/hg/mozilla-inbound/js/src/jit/IonBuilder.cpp:1572 #9 0x000000000198bfcc in js::jit::IonBuilder::traverseBytecode() (this=0x7ffff5b88270) at /home/andre/hg/mozilla-inbound/js/src/jit/IonBuilder.cpp:1489 #10 0x0000000001984b35 in js::jit::IonBuilder::build() (this=0x7ffff5b88270) at /home/andre/hg/mozilla-inbound/js/src/jit/IonBuilder.cpp:864 #11 0x0000000001954b54 in js::jit::IonCompile(JSContext*, JSScript*, js::jit::BaselineFrame*, unsigned char*, bool, js::jit::OptimizationLevel) (cx=0x7ffff5b17000, script=0x7ffff5a900d0, baselineFrame=0x7fffffffc288, osrPc=0x7ffff5b5e1b6 "\343\201\232", recompile=false, optimizationLevel=js::jit::OptimizationLevel::Normal) at /home/andre/hg/mozilla-inbound/js/src/jit/Ion.cpp:2077 #12 0x0000000001950ac8 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) (cx=0x7ffff5b17000, script=0x7ffff5a900d0, osrFrame=0x7fffffffc288, osrPc=0x7ffff5b5e1b6 "\343\201\232", forceRecompile=false) at /home/andre/hg/mozilla-inbound/js/src/jit/Ion.cpp:2359 #13 0x0000000001951451 in BaselineCanEnterAtBranch(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) (cx=0x7ffff5b17000, script=0x7ffff5a900d0, osrFrame=0x7fffffffc288, pc=0x7ffff5b5e1b6 "\343\201\232") at /home/andre/hg/mozilla-inbound/js/src/jit/Ion.cpp:2536 #14 0x0000000001950e3a in js::jit::IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) (cx=0x7ffff5b17000, frame=0x7fffffffc288, pc=0x7ffff5b5e1b6 "\343\201\232") at /home/andre/hg/mozilla-inbound/js/src/jit/Ion.cpp:2594 #15 0x000000000180a867 in js::jit::DoWarmUpCounterFallbackOSR(JSContext*, js::jit::BaselineFrame*, js::jit::ICWarmUpCounter_Fallback*, js::jit::IonOsrTempData**) (cx=0x7ffff5b17000, frame=0x7fffffffc288, stub=0x7ffff5b86338, infoPtr=0x7fffffffc260) at /home/andre/hg/mozilla-inbound/js/src/jit/BaselineIC.cpp:145 .... ---
Flags: needinfo?(mgaudet)
Ok, so to be clear, it appears this predates the work I did here; while I think the code is wrong right now for the reason Andre points out, that test case has failed for a while Tested as far back as changeset: 480925:17116905bc07 fxtree: central parent: 480924:c65991f3fa10 parent: 480877:c54958b74fd2 user: Csoregi Natalia <ncsoregi@mozilla.com> date: Wed Aug 08 12:58:36 2018 +0300 summary: Merge inbound to mozilla-central. a=merge (tried esr60, but my build invocation on esr60 doesn't seem to hook up the shell functions)
Flags: needinfo?(mgaudet)
(In reply to Matthew Gaudet (he/him) [:mgaudet] from comment #1) > Ok, so to be clear, it appears this predates the work I did here; while I > think the code is wrong right now for the reason Andre points out, that test > case has failed for a while Ugh, yes I see that, too. Hmm, it looks like optimization tracking is seriously bit-rotted, because there are multiple calls to trackOptimizationAttempt without a matching call to either trackOptimizationOutcome or trackOptimizationSuccess. So I guess for now it doesn't really matter if we fix the assertion failure from this bug or we simply pretend we didn't see anything going wrong: https://www.youtube.com/watch?v=CpKmJCLSIQk
I really think if we want to keep optimization tracking we have to redo the interface to be different; maybe scope-guard style or something. Also... it needs tests.

This code is now removed via Bug 1614622

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.