1665303 - Assertion failure: !icScript_->hasInlinedChild(pcOffset), at jit/TrialInlining.cpp:326 with OOM

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20200915-2cca9cb89b46 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --fast-warmup --warp):

oomTest(() => {
    try {
        for (let i56 = 0; i56 < 100; i56++)
            throw "foo";
    } catch (e45) {
        for (var schedulegc of [{}]) {}
    }
    while (g1 * 10);
});

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::jit::TrialInliner::maybeInlineCall (this=this@entry=0x7fffffffb0d0, entry=..., loc=...) at /builds/worker/checkouts/gecko/js/src/jit/TrialInlining.cpp:326
#0  js::jit::TrialInliner::maybeInlineCall (this=this@entry=0x7fffffffb0d0, entry=..., loc=...) at /builds/worker/checkouts/gecko/js/src/jit/TrialInlining.cpp:326
#1  0x00005555577b92c5 in js::jit::TrialInliner::tryInlining (this=this@entry=0x7fffffffb0d0) at /builds/worker/checkouts/gecko/js/src/jit/TrialInlining.cpp:363
#2  0x00005555577b906c in js::jit::DoTrialInlining (cx=0x7ffff6047000, frame=0x7fffffffb190) at /builds/worker/checkouts/gecko/js/src/jit/TrialInlining.cpp:51
#3  0x00002f9826466a65 in ?? ()
[...]
#14 0x0000000000000000 in ?? ()
rax	0x55555585237b	93824995369851
rbx	0x6e	110
rcx	0x5555584eb758	93825042134872
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb040	140737488334912
rsp	0x7fffffffae00	140737488334336
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99e00	140737353719296
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x7ffff4a82d58	140737298050392
r13	0x7ffff60956e8	140737321195240
r14	0x7fffffffb001	140737488334849
r15	0x7fffffffb0d0	140737488335056
rip	0x5555577bb0a8 <js::jit::TrialInliner::maybeInlineCall(js::jit::ICEntry const&, js::BytecodeLocation)+1704>
=> 0x5555577bb0a8 <js::jit::TrialInliner::maybeInlineCall(js::jit::ICEntry const&, js::BytecodeLocation)+1704>:	movl   $0x146,0x0
   0x5555577bb0b3 <js::jit::TrialInliner::maybeInlineCall(js::jit::ICEntry const&, js::BytecodeLocation)+1715>:	callq  0x555556bed862 <abort()>

Comment 1

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 2

[Jan de Mooij [:jandem]]

Oh I added the assertion and can take a look..

Comment 3

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
The bug appears to have been fixed in the following build range:

Start: d646a7e2621160609635b056871e2c0a6799eea7 (20200916010321)
End: 89b84ae80b98098c102af079b68e90c33f2dcb14 (20200916012607)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d646a7e2621160609635b056871e2c0a6799eea7&tochange=89b84ae80b98098c102af079b68e90c33f2dcb14
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Comment 4

[Jan de Mooij [:jandem]]

Attachment: Bug 1665303 - Clean up inlined ICScript if attaching the new stub failed. r?iain!

It was hard to fix the test to reproduce on mozilla-central tip so this adds a
trialInline() testing function to trigger trial inlining of the caller's frame.

Comment 5

[Jan de Mooij [:jandem]]

https://hg.mozilla.org/integration/autoland/rev/653d91b24508b338a17a3dc165287d42914eee75

Comment 6

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/653d91b24508