Closed Bug 1687672 Opened 3 years ago Closed 3 years ago

Assertion failure: cx_->hadNondeterministicException(), at jit/WarpOracle.cpp:188

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
86 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox84 --- unaffected
firefox85 --- unaffected
firefox86 --- verified

People

(Reporter: decoder, Assigned: iain)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

Testcase
510 bytes, text/plain
Details
Bug 1687672: Add BailoutKind::UnboxFolding r=jandem
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20210119-0478698744b1 (--enable-debug build, run with --fuzzing-safe --differential-testing --no-threads --baseline-warmup-threshold=1 --ion-warmup-threshold=0):

function testMathyFunction (f, inputs) {
  var results = [];
    for (var j = 0; j < inputs.length; ++j) 
      for (var k = 0; k < inputs.length; ++k) 
          results.push(f(inputs[j], inputs[k]));
}
mathy4=(function(y){
(function sum_indexing(x,i) {
  return x.length==i ? 0 : x[i] + sum_indexing(x,i+1)
})(
[Number,Number.MIN_VALUE,Number,[],Number.M
,Number.M,Number.M,Number.M,Number.M,Number.M
,Number.M,Number.M,Number.M,[],Number,function(){}
,Number.M]
,0)
});
testMathyFunction(mathy4,[Math.P, 2])

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555579307fb in js::jit::WarpOracle::createSnapshot() ()
#1  0x00005555578cfa76 in js::jit::CreateWarpSnapshot(JSContext*, js::jit::MIRGenerator*, JS::Handle<JSScript*>) ()
#2  0x00005555578afa38 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#3  0x00005555578b0899 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#4  0x00003d84dc925e75 in ?? ()
#5  0x0000000000000000 in ?? ()
rax	0x55555572beb8	93824994164408
rbx	0x7ffff6024000	140737320730624
rcx	0x555557fdf0c8	93825036841160
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffff9300	140737488327424
rsp	0x7fffffff9260	140737488327264
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f998c0	140737353717952
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x7ffff5a55ba0	140737314642848
r13	0x7fffffff9320	140737488327456
r14	0x7ffff5e22490	140737318626448
r15	0x5ac8eb42	1523116866
rip	0x5555579307fb <js::jit::WarpOracle::createSnapshot()+1627>
=> 0x5555579307fb <_ZN2js3jit10WarpOracle14createSnapshotEv+1627>:	movl   $0xbc,0x0
   0x555557930806 <_ZN2js3jit10WarpOracle14createSnapshotEv+1638>:	callq  0x555556a90360 <abort>
Attached file Testcase 

    
    

    
  
Bugmon Analysis:

Verified bug as reproducible on mozilla-central 20210120095121-a3cd8f83fefa.

The bug appears to have been introduced in the following build range:




Start: f4af0087a1b49c221f54143a10b7bebca35db49c (20210111195436)

End: febd0fad07331284c49334bab4d9c653f2c80275 (20210111195806)

Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f4af0087a1b49c221f54143a10b7bebca35db49c&tochange=febd0fad07331284c49334bab4d9c653f2c80275




Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

    
    

    
  
This is caused by FoldLoadsWithUnbox, which can effectively hoist an unbox past other instructions. In this case, it hoists a failing unbox past a recursive call. When we bail out, we hit the recursive call and recompile before we hit the guard that was transpiled to create the unbox, so the CacheIR does not change.


I think the fix here is to treat this like LICM / HoistBoundsCheck / etc, and give these folded instructions a new bailout kind that disables FoldLoadsWithUnbox if they fail.



    
    

    
  


  
This uses a similar approach to LICM / BoundsCheckHoisting / etc.


Note that if we would have hit the unbox anyway, then we'll hit it after bailing out and update the CacheIR, so this won't cause us to recompile additional times. This means that we could end up turning off FoldLoadsWithUnbox in cases where it's not the problem, but unlike LICM it's not making a big enough difference to justify special treatment.


Assignee: nobody → iireland
Status: NEW → ASSIGNED
Severity: -- → S4
Priority: -- → P1
Regressed by: 1673497

    
  
Has Regression Range: --- → yes

    
    

    
  
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2a97db6aa2eb
Add BailoutKind::UnboxFolding r=jandem

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/2a97db6aa2eb


Status: ASSIGNED → RESOLVED
Closed: 3 years ago

          status-firefox86:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch

    
    

    
  
Bugmon Analysis:

Verified bug as fixed on rev mozilla-central 20210121213347-e5e734f4fc19.

Removing bugmon keyword as no further action possible.

Please review the bug and re-add the keyword for further analysis.


Status: RESOLVED → VERIFIED

          status-firefox86:
          fixedverified
Keywords: bugmon

    
    

    
  
Set release status flags based on info from the regressing bug 1673497



          status-firefox84:
          --- → unaffected

          status-firefox85:
          --- → unaffected

          status-firefox-esr78:
          --- → unaffected

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: