Closed Bug 1646041 Opened 5 years ago Closed 5 years ago

[warp] Assertion failure: header->isLoopHeader(), at jit/IonAnalysis.cpp:1888

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
mozilla79
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- disabled
firefox77 --- disabled
firefox78 --- disabled
firefox79 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200615-f05a0084c5f2 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --warp --ion-warmup-threshold=10):

function a(a, b, c, g) {
    for (;;) {
        // The condition is a non-zero constant, so the loop body always
        // returns on its first iteration; the loop header is never reached
        // again by a back edge.
        if (32) return a;
    }
}
var d = {};
// Call repeatedly so the script warms up past --ion-warmup-threshold=10
// and gets compiled by Warp, which is where the assertion fires.
for (var i = 0; i < 1000; i++) {
    a(d, 0, 1, null);
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555556680222 in (anonymous namespace)::TypeAnalyzer::analyze() ()
#0  0x0000555556680222 in (anonymous namespace)::TypeAnalyzer::analyze() ()
#1  0x00005555566741f1 in js::jit::ApplyTypeInformation(js::jit::MIRGenerator*, js::jit::MIRGraph&) ()
#2  0x000055555666d130 in js::jit::OptimizeMIR(js::jit::MIRGenerator*) ()
#3  0x0000555556677ae9 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#4  0x000055555668be61 in js::jit::IonCompile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool, js::jit::OptimizationLevel) ()
#5  0x0000555556678f81 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool) ()
#6  0x00005555566797a7 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*) ()
#7  0x0000555556679ddd in js::jit::IonCompileScriptForBaselineOSR(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*, js::jit::IonOsrTempData**) ()
#8  0x00000430f7d81a27 in ?? ()
#9  0x00007fffffffb648 in ?? ()
#10 0x00007fffffffb5d0 in ?? ()
#11 0x0000000000000000 in ?? ()
rip	0x555556680222 <(anonymous namespace)::TypeAnalyzer::analyze()+10386>
=> 0x555556680222 <_ZN12_GLOBAL__N_112TypeAnalyzer7analyzeEv+10386>:	movl   $0x760,0x0
   0x55555668022d <_ZN12_GLOBAL__N_112TypeAnalyzer7analyzeEv+10397>:	callq  0x555555849bee <abort>
Attached file Testcase
Flags: needinfo?(jdemooij)
Severity: -- → S3
Priority: -- → P2
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200616154959-89a54069f124. The bug appears to have been introduced in the following build range:
> Start: 113aa03bfd4513516e25c59f1a5772014ea9b330 (20200501104036)
> End: 78291462524ea1654e3d7992639fb8b47f93c1d1 (20200501104417)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=113aa03bfd4513516e25c59f1a5772014ea9b330&tochange=78291462524ea1654e3d7992639fb8b47f93c1d1
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9b8c203eeda1 Fix assertion failure for pending loop headers in OSR phi specialization code. r=iain
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Bugmon Analysis: Bug marked as FIXED but still reproduces on mozilla-central 20200618094105-f291dd9e075c.

(In reply to Jason Kratzer [:jkratzer] from comment #6)

Bugmon Analysis:
Bug marked as FIXED but still reproduces on mozilla-central
20200618094105-f291dd9e075c.

This doesn't make sense to me; I can't reproduce the assertion failure anymore, and the patch actually removes the MOZ_ASSERT.

Closing, but let me know if I'm missing something.

Status: REOPENED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jkratzer)
Resolution: --- → FIXED

(In reply to Jason Kratzer [:jkratzer] from comment #6)

Bug marked as FIXED but still reproduces on mozilla-central
20200618094105-f291dd9e075c.

I think the problem is that f291dd9e075c was the mozilla-central revision before the autoland merge that had the fix (cbec1e2c0426).

Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200622093309-24787602a9f6. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Flags: needinfo?(jkratzer)
Has Regression Range: --- → yes