1593175 - Crash [@ js::jit::CodeGeneratorShared::encode] or Assertion failure: lir->mir()->needsSnapshot(), at js/src/jit/CodeGenerator.cpp:1725

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 0e1726e95801 (build with --enable-debug --disable-optimize --32, run with --fuzzing-safe --no-threads --baseline-warmup-threshold=1 --ion-warmup-threshold=0):

function f() {
    f;
}
f();
f();
function g() {
    typeof(f = []) + f > 2;
}
g();
g();

Opt backtrace:

#0  js::jit::CodeGeneratorShared::encode (this=0xf67e4000, snapshot=0x0) at /home/ubuntu/trees/mozilla-central/js/src/jit/shared/CodeGenerator-shared.cpp:599
#1  0x57d8602e in js::jit::CodeGeneratorX86Shared::bailout<js::jit::BailoutLabel> (this=0xf67e4000, binder=..., snapshot=0x0)
    at /home/ubuntu/trees/mozilla-central/js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp:585
#2  0x57d6ce28 in js::jit::CodeGeneratorX86Shared::bailoutFrom (this=0xf67e4000, label=0xffffa988, snapshot=0x0)
    at /home/ubuntu/trees/mozilla-central/js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp:632
#3  0x57e1f377 in js::jit::CodeGenerator::visitValueToString (this=0xf67e4000, lir=0xf67d5a30) at /home/ubuntu/trees/mozilla-central/js/src/jit/CodeGenerator.cpp:1728
#4  0x57e34ae5 in js::jit::CodeGenerator::generateBody (this=0xf67e4000) at /home/ubuntu/trees/mozilla-central/js/src/jit/CodeGenerator.cpp:6351
#5  0x57e52e62 in js::jit::CodeGenerator::generate (this=0xf67e4000) at /home/ubuntu/trees/mozilla-central/js/src/jit/CodeGenerator.cpp:10743

/snip

Debug backtrace:

#0  0x594dbdae in js::jit::CodeGenerator::visitValueToString (this=0xedad6000, lir=0xedae44a0) at js/src/jit/CodeGenerator.cpp:1725
#1  0x594f9fb8 in js::jit::CodeGenerator::generateBody (this=0xedad6000) at js/src/jit/CodeGenerator.cpp:6351
#2  0x5952bcd6 in js::jit::CodeGenerator::generate (this=0xedad6000) at js/src/jit/CodeGenerator.cpp:10743
#3  0x595d34eb in js::jit::GenerateCode (mir=0xedae216c, lir=0xedae39c8) at js/src/jit/Ion.cpp:1616
#4  0x595d3664 in js::jit::CompileBackEnd (mir=0xedae216c) at js/src/jit/Ion.cpp:1637
#5  0x596562d3 in js::jit::IonCompile (cx=0xf6b18800, script=0xedd78540, baselineFrame=0x0, baselineFrameSize=0, osrPc=0x0, recompile=false, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:1918
/snip

For detailed crash information, see attachment.

Setting s-s as a start because this is related to the MIR.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/861a114eb85f
user: Jan de Mooij
date: Wed Oct 30 18:12:50 2019 +0000
summary: Bug 1592524 - Use a bool class field instead of MToString::conversionMightHaveSideEffects(). r=anba

Jan, is bug 1592524 a likely regressor?

Comment 3

[Jan de Mooij [:jandem]]

Just a bogus assert or null-ptr crash.

Comment 4

[Jan de Mooij [:jandem]]

Attachment: Bug 1593175 - Check mightHaveSideEffects in CodeGenerator::visitValueToString too. r?anba!

Comment 5

[Pulsebot]

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ec146b869147
Check mightHaveSideEffects in CodeGenerator::visitValueToString too. r=anba

Comment 6

[Razvan Maries]

https://hg.mozilla.org/mozilla-central/rev/ec146b869147