1655906 - Assertion failure: cur.payloadType() == dest.payloadType(), at jit/CacheIRCompiler.cpp:962

Status: VERIFIED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20200727-932240e49142 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --baseline-eager --ion-full-warmup-threshold=10 --warp):

var xs = [
  new new TypedObject.StructType({foo: TypedObject.bigint64}),
];
function loadInlineDigitsTwoDigits() {
  var value = 0 == this; 
  xs[0].foo = value;
}
for (var i62 = 0; i62 < 10; i62++) {
  loadInlineDigitsTwoDigits();
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556593392 in js::jit::CacheRegisterAllocator::restoreInputState(js::jit::MacroAssembler&, bool) ()
#1  0x0000555556719745 in js::jit::IonCacheIRCompiler::emitReturnFromIC() ()
#2  0x0000555556708c22 in js::jit::IonCacheIRCompiler::compile() ()
#3  0x000055555671aea1 in js::jit::IonIC::attachCacheIRStub(JSContext*, js::jit::CacheIRWriter const&, js::jit::CacheKind, js::jit::IonScript*, bool*, js::jit::PropertyTypeCheckInfo const*) ()
#4  0x00005555567202e0 in js::jit::IonSetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonSetPropertyIC*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) ()
#5  0x0000237674be9e65 in ?? ()
#6  0xffffffffff000000 in ?? ()
#7  0x00007fffffffb998 in ?? ()
#8  0x0000000000000000 in ?? ()
rax	0x55555713e6c3	93825021503171
rbx	0x10	16
rcx	0x5555583e3840	93825041053760
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffa460	140737488331872
rsp	0x7fffffffa3a0	140737488331680
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f9bd40	140737353727296
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x7fffffffb0c0	140737488335040
r13	0x7fffffffb158	140737488335192
r14	0x2	2
r15	0x7fffffffb0f0	140737488335088
rip	0x555556593392 <js::jit::CacheRegisterAllocator::restoreInputState(js::jit::MacroAssembler&, bool)+2434>
=> 0x555556593392 <_ZN2js3jit22CacheRegisterAllocator17restoreInputStateERNS0_14MacroAssemblerEb+2434>:	movl   $0x3c2,0x0
   0x55555659339d <_ZN2js3jit22CacheRegisterAllocator17restoreInputStateERNS0_14MacroAssemblerEb+2445>:	callq  0x55555584d42e <abort>

Comment 1

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 2

[Jan de Mooij [:jandem]]

Actually not Warp specific.

Comment 3

[Jan de Mooij [:jandem]]

I think this is harmless: we have a GuardToBigInt and BigIntOperandId use, but the actual type is always a boolean so the IC stub will fail before we get to the failure path code. Also, TypedObjects are disabled on non-Nightly.

Comment 4

[Jan de Mooij [:jandem]]

Attachment: Bug 1655906 - Check value type for TypedObject scalar fields before attaching a stub. r?anba!

Comment 5

[Pulsebot]

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/47f9f26fc951
Check value type for TypedObject scalar fields before attaching a stub. r=anba

Comment 6

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/47f9f26fc951

Comment 7

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200729155631-3b87c49182a4.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.