Closed Bug 1603886 Opened 1 year ago Closed 1 year ago

Assertion failure: in->canProduceFloat32() || (in->resultTypeSet() && in->resultTypeSet()->empty()), at js/src/jit/IonAnalysis.cpp:1833

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla73
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox71 --- unaffected
firefox72 --- wontfix
firefox73 --- fixed

People

(Reporter: gkw, Assigned: jandem)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
23.65 KB, text/plain
Details
Bug 1603886 - Remove an assertion that doesn't always hold. r?bbouvier!
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision f09f24f2b545 (build with --enable-debug --disable-optimize, run with --fuzzing-safe --ion-eager):

function g(x, y) {
    y ? 1 : 1;
}
function h(x) {
    g(1 ? 1 : d(t | undefined), Math.round() ? x : Math.fround(Math.hypot(undefined | Math.round)));
}
let z = [[], false];
for (var j = 0; j < 4; ++j) {
    for (var k = 0; k < 99; ++k) {
        h(z[j]);
    }
}

Backtrace:

#0  0x0000561910bbc896 in (anonymous namespace)::TypeAnalyzer::adjustPhiInputs (this=0x7f0267301da0, phi=0x7f0267be1268) at js/src/jit/IonAnalysis.cpp:1832
#1  0x0000561910bba5ce in (anonymous namespace)::TypeAnalyzer::insertConversions (this=0x7f0267301da0) at js/src/jit/IonAnalysis.cpp:1967
#2  0x0000561910b460cd in (anonymous namespace)::TypeAnalyzer::analyze (this=0x7f0267301da0) at js/src/jit/IonAnalysis.cpp:2255
#3  0x0000561910b3e489 in js::jit::ApplyTypeInformation (mir=0x7f0267bdb300, graph=...) at js/src/jit/IonAnalysis.cpp:2267
#4  0x0000561910b377e5 in js::jit::OptimizeMIR (mir=0x7f0267bdb300) at js/src/jit/Ion.cpp:1198
#5  0x0000561910b40821 in js::jit::CompileBackEnd (mir=0x7f0267bdb300) at js/src/jit/Ion.cpp:1630
#6  0x0000561910b5909b in js::jit::IonBuilder::runTask (this=0x7f0267bdb2f8) at js/src/jit/IonBuilder.cpp:1181
#7  0x000056190fce6535 in js::HelperThread::handleIonWorkload (this=0x7f0267b08d20, locked=...) at js/src/vm/HelperThreads.cpp:2278
/snip

For detailed crash information, see attachment.

Setting s-s as a start as MIR is on the stack. Note that this is fairly intermittent.

Pernosco link:

https://pernos.co/debug/4jzAfEJa3VoGEIeK75qCGQ/index.html

Oh, and the testcase is a little intermittent but fairly reproducible.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7e8fdfa9aa32
user: Jan de Mooij
date: Wed Dec 11 07:58:30 2019 +0000
summary: Bug 1602190 - Fix bug in float32 specialization of phis. r=bbouvier

Jan, bug 1602190 probably added the assertion that caused this issue, so which bug would be the real regressor?

Flags: needinfo?(jdemooij)

The assertion I added isn't sound in some cases, it can fail after conversion instructions have been inserted. Not sure how to fix it - I think I'll have to remove the assertion for now.

Group: javascript-core-security
Flags: needinfo?(jdemooij)

I added this assertion, but it can fail after conversion/box instructions have
been added.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0bfce120565d
Remove an assertion that doesn't always hold. r=bbouvier

https://hg.mozilla.org/mozilla-central/rev/0bfce120565d

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox73: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla73
You need to log in before you can comment on or make changes to this bug.