Closed Bug 1661530 Opened 3 months ago Closed 3 months ago

[warp] Assertion failure: data->callFlags.getArgFormat() == CallFlags::FunCall, at jit/TrialInlining.cpp:301

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
82 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox79 --- unaffected
firefox80 --- unaffected
firefox81 --- unaffected
firefox82 --- fixed

People

(Reporter: decoder, Assigned: iain)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200826-61ed3192760a (debug build, run with --fuzzing-safe --ion-offthread-compile=off --warp):

// Replace the native Function.prototype.call with a scripted function.
Function.prototype.call = function() {};
function f10() {
    g20(arguments, 1);
}
function g20(a20, b44) {
    // This call site resolves `call` to the scripted override above, not the native fun_call.
    var s42 = Array.prototype.slice.call(a20, b44);
}
// Warm the call site enough times for trial inlining to run.
for (var i25 = 0; i25 < 1000; ++i25)
    f10(1, 2, 3, 4);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::jit::TrialInliner::maybeInlineCall (this=0x7fffffffb510, entry=..., loc=...) at js/src/jit/TrialInlining.cpp:300
#1  0x00005555577e35c5 in js::jit::TrialInliner::tryInlining (this=0x7fffffffb510) at js/src/jit/TrialInlining.cpp:336
#2  0x00005555577e330a in js::jit::DoTrialInlining (cx=0x7ffff6027000, frame=0x7fffffffb5d0) at js/src/jit/TrialInlining.cpp:51
#3  0x00003d216db758e5 in ?? ()
[...]
#53 0x0000000000000000 in ?? ()
rax	0x555555876faa	93824995520426
rbx	0x7ffff60fe160	140737321623904
rcx	0x555558520aa8	93825042352808
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb490	140737488336016
rsp	0x7fffffffb280	140737488335488
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f9de00	140737353735680
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x1	1
r13	0x2b8f3129f100	47894005149952
r14	0x7ffff6088400	140737321141248
r15	0x7ffff4a4879d	140737297811357
rip	0x5555577e4fe5 <js::jit::TrialInliner::maybeInlineCall(js::jit::ICEntry const&, js::BytecodeLocation)+949>
=> 0x5555577e4fe5 <js::jit::TrialInliner::maybeInlineCall(js::jit::ICEntry const&, js::BytecodeLocation)+949>:	movl   $0x12d,0x0
   0x5555577e4ff0 <js::jit::TrialInliner::maybeInlineCall(js::jit::ICEntry const&, js::BytecodeLocation)+960>:	callq  0x555556bd985e <abort()>
Attached file Testcase
Blocks: WarpBuilder
Severity: -- → S4
Priority: -- → P2

I ran into this problem locally and already have a patch to fix it.

Assignee: nobody → iireland

Despite looking directly at this code while adding the assertion in bug 1660553, I somehow missed that scripted calls were being attached too early. It's not a problem for Ion, because we only inline FunCall/FunApply if we're calling the jsnative, but it matters for Warp.
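The precondition the testcase relies on, as an added example that is not part of the bug report or of SpiderMonkey's code: `Array.prototype.slice.call(...)` is an ordinary property lookup of `call` on the function object, so once `Function.prototype.call` is replaced by a scripted function the call site invokes that script and the native `slice` never runs. The example also covers `Function.prototype.apply`, the FunApply case named in the fix's commit message. It runs on any JS engine (nothing here depends on Warp or on the assertion itself); the helper names `withScriptedCallApply`, `runVariants`, `g20Apply` and `f10Apply` are assumptions introduced for this example.

```javascript
// Added example, not from the bug report. Shows that overriding
// Function.prototype.call/apply with scripted functions makes the warmed call
// sites in the testcase target the script rather than the native fun_call/fun_apply.

const nativeCall = Function.prototype.call;
const nativeApply = Function.prototype.apply;

// Run `body` with Function.prototype.call/apply replaced by scripted stubs that
// record every invocation, then restore the natives (assumed helper, not SpiderMonkey API).
function withScriptedCallApply(body) {
  const log = [];
  Function.prototype.call = function (thisArg, ...args) {
    log.push({ kind: "call", target: this.name, thisArgLen: thisArg.length, args });
    return undefined; // like the testcase's override: returns nothing, slice never runs
  };
  Function.prototype.apply = function (thisArg, args) {
    log.push({ kind: "apply", target: this.name, thisArgLen: thisArg.length, args: Array.from(args) });
    return undefined;
  };
  try {
    return { result: body(), log };
  } finally {
    Function.prototype.call = nativeCall;
    Function.prototype.apply = nativeApply;
  }
}

// The testcase's inner function: slice `a20` from index `b44` via .call (FunCall shape).
function g20(a20, b44) {
  return Array.prototype.slice.call(a20, b44);
}
function f10() {
  return g20(arguments, 1);
}

// Same shape via .apply (FunApply shape); assumed variant, not in the original testcase.
function g20Apply(a20, b44) {
  return Array.prototype.slice.apply(a20, [b44]);
}
function f10Apply() {
  return g20Apply(arguments, 1);
}

// Warm each call site the way the testcase does and report what each variant observed.
function runVariants(iterations = 1000) {
  // Baseline: natives in place, slice really runs and returns [2, 3, 4].
  let native;
  for (let i = 0; i < iterations; ++i) native = f10(1, 2, 3, 4);

  const viaCall = withScriptedCallApply(() => {
    let r;
    for (let i = 0; i < iterations; ++i) r = f10(1, 2, 3, 4);
    return r;
  });
  const viaApply = withScriptedCallApply(() => {
    let r;
    for (let i = 0; i < iterations; ++i) r = f10Apply(1, 2, 3, 4);
    return r;
  });
  return {
    nativeResult: native,                 // [2, 3, 4]
    callResult: viaCall.result,           // undefined: the scripted override ran, not slice
    callInvocations: viaCall.log.length,  // one per warm-up iteration
    callTarget: viaCall.log[0].target,    // "slice": the function whose .call was looked up
    applyResult: viaApply.result,
    applyInvocations: viaApply.log.length,
    applyTarget: viaApply.log[0].target,
  };
}
```

The point for the JIT is visible in the results: with the natives in place the call site's callee is `fun_call`/`fun_apply`, which is what a FunCall/FunApply IC stub describes, whereas with the override in place the callee is an ordinary scripted function and the stub attached for it must not claim the FunCall/FunApply argument format.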

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200827212940-109f3a4de567.
The bug appears to have been introduced in the following build range:
> Start: 26c5be98ea21c8c331cefe9649e3eb53197cd821 (20200825173421)
> End: 6ada5dbc83d1c4a51724a67642fe41fbc52d2561 (20200825174133)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=26c5be98ea21c8c331cefe9649e3eb53197cd821&tochange=6ada5dbc83d1c4a51724a67642fe41fbc52d2561
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3d4cde896b06
Attach FunApply and FunCall before scripted calls r=jandem
Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200829091226-fdf95334aded.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.