Assertion failure: mir->resumePoint(), at js/src/jit/CodeGenerator.cpp:296
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox70 | --- | unaffected |
| firefox71 | --- | unaffected |
| firefox72 | --- | fixed |
People
(Reporter: gkw, Assigned: jandem)
References
(Regression)
Details
(5 keywords, Whiteboard: [jsbugmon:update][post-critsmash-triage])
Attachments
(3 files)
|
31.87 KB,
text/plain
|
Details | |
|
7.62 MB,
text/plain
|
Details | |
|
Bug 1592524 - Use a bool class field instead of MToString::conversionMightHaveSideEffects(). r?anba!
47 bytes,
text/x-phabricator-request
|
Details | Review |
The following testcase crashes on mozilla-central revision 53ebedebdb63 (build with --enable-debug --disable-optimize, run with --fuzzing-safe --ion-eager):
See attachment.
Backtrace:
#0 0x0000555558353f00 in js::jit::CodeGenerator::callVMInternal (this=0x7fffef3d8000, id=js::jit::VMFunctionId::ToStringSlow, ins=0x7fffebf64ab8, dynStack=0x0) at js/src/jit/CodeGenerator.cpp:296
#1 0x00005555583f8fb6 in js::jit::CodeGenerator::callVM<JSString* (*)(JSContext*, JS::Handle<JS::Value>), &js::ToStringSlow<(js::AllowGC)1> > (this=0x7fffef3d8000, ins=0x7fffebf64ab8, dynStack=0x0) at js/src/jit/CodeGenerator.cpp:346
#2 0x00005555583f8e63 in js::jit::CodeGenerator::visitOutOfLineCallVM<JSString* (*)(JSContext*, JS::Handle<JS::Value>), &js::ToStringSlow<(js::AllowGC)1>, js::jit::ArgSeq<js::jit::ValueOperand&>, js::jit::StoreRegisterTo> (this=0x7fffef3d8000, ool=0x7fffea55c7a8) at js/src/jit/CodeGenerator.cpp:525
#3 0x00005555583f8ddd in js::jit::OutOfLineCallVM<JSString* (*)(JSContext*, JS::Handle<JS::Value>), &js::ToStringSlow<(js::AllowGC)1>, js::jit::ArgSeq<js::jit::ValueOperand&>, js::jit::StoreRegisterTo>::accept (this=0x7fffea55c7a8, codegen=0x7fffef3d8000) at js/src/jit/CodeGenerator.cpp:490
#4 0x00005555583e2189 in js::jit::OutOfLineCodeBase<js::jit::CodeGenerator>::generate (this=0x7fffea55c7a8, codegen=0x7fffef3d8000) at js/src/jit/shared/CodeGenerator-shared.h:529
#5 0x0000555558211737 in js::jit::CodeGeneratorShared::generateOutOfLineCode (this=0x7fffef3d8000) at js/src/jit/shared/CodeGenerator-shared.cpp:191
#6 0x00005555582723b9 in js::jit::CodeGeneratorX86Shared::generateOutOfLineCode (this=0x7fffef3d8000) at js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp:535
/snip
For detailed crash information, see attachment.
Setting s-s as a start because MIR seems to be involved. The testcase seems to be increasingly intermittent as more reduction happens.
|
Reporter | |
Comment 1•6 years ago
|
||
|
|
Reporter | |
Comment 2•6 years ago
|
||
|
|
Reporter | |
Comment 3•6 years ago
|
||
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/45d661faa404
user: Jan de Mooij
date: Mon Oct 28 13:20:25 2019 +0000
summary: Bug 1590120 - Avoid repeated bailouts when MToString is used for jsop_tostring or the ToString intrinsic. r=anba
Jan, is bug 1590120 a likely regressor?
|
|
Reporter | |
Comment 4•6 years ago
|
||
Pernosco link:
https://pernos.co/debug/ymvfPhSPzx0bfUxMtKyf0w/index.html
(Hopefully this time, it will be super useful again for such an intermittent bug!)
|
Assignee | |
Comment 5•6 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
https://pernos.co/debug/ymvfPhSPzx0bfUxMtKyf0w/index.html
(Hopefully this time, it will be super useful again for such an intermittent bug!)
I knew what the bug was from the assertion failure, but it was still useful to confirm :)
|
|
Assignee | |
Comment 6•6 years ago
|
||
The input operand could change in some cases, resulting in inconsistent return
values from isEffectful and getAliasSet.
|
||
Updated•6 years ago
|
|
|
Assignee | |
Updated•6 years ago
|
|
|
Reporter | |
Updated•6 years ago
|
|
|
Assignee | |
Comment 7•6 years ago
|
||
|
||
Comment 9•6 years ago
|
||
|
||
Updated•6 years ago
|
|
||
Updated•5 years ago
|
Description
•