Assertion failure: cx_->hadNondeterministicException(), at jit/WarpOracle.cpp:188
Categories: Core :: JavaScript Engine: JIT, defect, P1

Branch | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox84 | --- | unaffected
firefox85 | --- | unaffected
firefox86 | --- | verified

People: Reporter: decoder, Assigned: iain
References: Regression
Details: Keywords: assertion, regression, testcase; Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 2 files
The following testcase crashes on mozilla-central revision 20210119-0478698744b1 (--enable-debug build, run with --fuzzing-safe --differential-testing --no-threads --baseline-warmup-threshold=1 --ion-warmup-threshold=0):
function testMathyFunction (f, inputs) {
  var results = [];
  for (var j = 0; j < inputs.length; ++j)
    for (var k = 0; k < inputs.length; ++k)
      results.push(f(inputs[j], inputs[k]));
}
mathy4=(function(y){
  (function sum_indexing(x,i) {
    return x.length==i ? 0 : x[i] + sum_indexing(x,i+1)
  })(
    [Number,Number.MIN_VALUE,Number,[],Number.M
    ,Number.M,Number.M,Number.M,Number.M,Number.M
    ,Number.M,Number.M,Number.M,[],Number,function(){}
    ,Number.M]
  ,0)
});
testMathyFunction(mathy4,[Math.P, 2])
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555579307fb in js::jit::WarpOracle::createSnapshot() ()
#1 0x00005555578cfa76 in js::jit::CreateWarpSnapshot(JSContext*, js::jit::MIRGenerator*, JS::Handle<JSScript*>) ()
#2 0x00005555578afa38 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#3 0x00005555578b0899 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#4 0x00003d84dc925e75 in ?? ()
#5 0x0000000000000000 in ?? ()
rax 0x55555572beb8 93824994164408
rbx 0x7ffff6024000 140737320730624
rcx 0x555557fdf0c8 93825036841160
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffff9300 140737488327424
rsp 0x7fffffff9260 140737488327264
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f998c0 140737353717952
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0x7ffff5a55ba0 140737314642848
r13 0x7fffffff9320 140737488327456
r14 0x7ffff5e22490 140737318626448
r15 0x5ac8eb42 1523116866
rip 0x5555579307fb <js::jit::WarpOracle::createSnapshot()+1627>
=> 0x5555579307fb <_ZN2js3jit10WarpOracle14createSnapshotEv+1627>: movl $0xbc,0x0
0x555557930806 <_ZN2js3jit10WarpOracle14createSnapshotEv+1638>: callq 0x555556a90360 <abort>
Comment 1 (Reporter), 4 years ago

Comment 2, 4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210120095121-a3cd8f83fefa.
The bug appears to have been introduced in the following build range:
Start: f4af0087a1b49c221f54143a10b7bebca35db49c (20210111195436)
End: febd0fad07331284c49334bab4d9c653f2c80275 (20210111195806)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f4af0087a1b49c221f54143a10b7bebca35db49c&tochange=febd0fad07331284c49334bab4d9c653f2c80275
Comment 3 (Assignee), 4 years ago
This is caused by FoldLoadsWithUnbox, which can effectively hoist an unbox past other instructions. In this case, it hoists a failing unbox past a recursive call. When we bail out, we hit the recursive call and recompile before we hit the guard that was transpiled to create the unbox, so the CacheIR does not change.
I think the fix here is to treat this like LICM / HoistBoundsCheck / etc, and give these folded instructions a new bailout kind that disables FoldLoadsWithUnbox if they fail.
Comment 4 (Assignee), 4 years ago
This uses a similar approach to LICM / BoundsCheckHoisting / etc.
Note that if we would have hit the unbox anyway, then we'll hit it after bailing out and update the CacheIR, so this won't cause us to recompile additional times. This means that we could end up turning off FoldLoadsWithUnbox in cases where it's not the problem, but unlike LICM it's not making a big enough difference to justify special treatment.
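The recompile dynamic that comments 3 and 4 describe can be followed in a small model. The block below is an added illustration, not SpiderMonkey code and not the landed patch: it keeps only the pieces the comments name (a CacheIR guard that FoldLoadsWithUnbox turns into an Unbox, the hoisting of that Unbox above the recursive call, a bailout that records a kind on the script, and a compile policy that stops folding once BailoutKind::UnboxFolding has been seen). Everything else is constructed for the model: the `Script`, `enter`, `run_ion` and `simulate` names, the `"UnboxFolding"`/`"Unknown"` strings, the `SAMPLE` array standing in for the fuzzer's array, and the simplification that every entry into the function compiles afresh after a bailout and that `None` plays the role of `undefined`.

```python
"""Toy model of the recompile loop described in comments 3 and 4.

Added illustration, not SpiderMonkey code. Only FoldLoadsWithUnbox and
BailoutKind::UnboxFolding come from the bug; every name below is
constructed for the model. Ion invalidation is simplified to "after a
bailout, the next entry into the function compiles again".
"""
import math
from dataclasses import dataclass, field
from typing import Optional

INT32, ANY = "Int32", "Any"   # what the add's CacheIR guards; ANY = no guard


def type_of(v):
    # None stands in for `undefined` (the Number.M elements of the testcase).
    return INT32 if isinstance(v, int) else ANY


@dataclass
class Script:
    cache_ir: str = INT32                  # operand type observed by `x[i] + ...`
    bailout_kinds: set = field(default_factory=set)
    compiles: int = 0
    stale_compiles: int = 0                # recompiled with unchanged CacheIR
    _last_compiled_ir: Optional[str] = None

    def compile(self, with_fix):
        """Return the 'code' Warp would emit: the guard type and whether
        FoldLoadsWithUnbox hoisted the Unbox above the recursive call."""
        self.compiles += 1
        if self._last_compiled_ir == self.cache_ir:
            self.stale_compiles += 1       # same CacheIR as last time
        self._last_compiled_ir = self.cache_ir
        folding_on = not (with_fix and "UnboxFolding" in self.bailout_kinds)
        return {"expect": self.cache_ir, "hoisted": folding_on}

    def bail(self, with_fix, hoisted):
        # With the fix, a failing folded Unbox records the new kind; without
        # it (or at an unfolded Unbox) the script only learns "some bailout".
        self.bailout_kinds.add("UnboxFolding" if with_fix and hoisted else "Unknown")

    def observe(self, t):
        # The baseline IC sees the real operand type, so the CacheIR changes.
        if t != self.cache_ir:
            self.cache_ir = ANY


def add(v, r):
    return v + r if type_of(v) == INT32 and type_of(r) == INT32 else math.nan


def enter(script, x, i, with_fix):
    """sum_indexing(x, i) entered from baseline: compile on entry, then run."""
    if i == len(x):
        return 0
    code = script.compile(with_fix)        # warm-up threshold 0
    return run_ion(script, code, x, i, with_fix)


def run_ion(script, code, x, i, with_fix):
    if i == len(x):
        return 0
    v = x[i]
    mismatch = code["expect"] != ANY and type_of(v) != code["expect"]
    if code["hoisted"] and mismatch:
        # Folded Unbox fails *before* the call: bail out, and the baseline
        # frame makes the recursive call (compiling again) before its add IC
        # ever sees v, so the CacheIR is unchanged for that compile.
        script.bail(with_fix, hoisted=True)
        r = enter(script, x, i + 1, with_fix)
        script.observe(type_of(v))
        return add(v, r)
    r = run_ion(script, code, x, i + 1, with_fix)
    if mismatch:
        # Unbox in its original place fails *after* the call returned; the
        # baseline add IC updates the CacheIR immediately.
        script.bail(with_fix, hoisted=False)
        script.observe(type_of(v))
    return add(v, r)


def simulate(x, with_fix):
    script = Script()
    result = enter(script, x, 0, with_fix)
    return {"result": result, "compiles": script.compiles,
            "stale_compiles": script.stale_compiles,
            "cache_ir": script.cache_ir,
            "bailout_kinds": sorted(script.bailout_kinds)}


# Constructed input: one Int32 so the first guard passes, then undefined-like
# elements so every deeper level fails the guard.
SAMPLE = [1, None, None, None, None, None]

if __name__ == "__main__":
    print("without fix:", simulate(SAMPLE, with_fix=False))
    print("with fix:   ", simulate(SAMPLE, with_fix=True))
```

Without the fix every level that fails the hoisted Unbox recompiles with the CacheIR it had before, so the model compiles once per failing level and each of those compiles is stale. With the fix, the first failure records `UnboxFolding`, the second compile leaves the Unbox after the call, the guard then fails where the baseline IC can see the operand, and no further compiles are needed, which is the convergence comment 4 relies on.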
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2a97db6aa2eb Add BailoutKind::UnboxFolding r=jandem
Comment 6 (bugherder), 4 years ago
Comment 7, 4 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210121213347-e5e734f4fc19.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Comment 8, 4 years ago
Set release status flags based on info from the regressing bug 1673497