Assertion failure: cx_->hadNondeterministicException(), at js/src/jit/WarpOracle.cpp:193
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox-esr91 | --- | wontfix |
| firefox90 | --- | wontfix |
| firefox91 | --- | wontfix |
| firefox92 | --- | verified |
People
(Reporter: decoder, Assigned: iain)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20210803-524aef2e3307 (--enable-debug build, run with --fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=10 --baseline-eager):
oomTest(() => {
try {
for (let a = 0; a < 100; a++ == wrapWithProto + 0);
} catch {}
});
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555557a23504 in js::jit::WarpOracle::createSnapshot() ()
#1 0x00005555579bc846 in js::jit::CreateWarpSnapshot(JSContext*, js::jit::MIRGenerator*, JS::Handle<JSScript*>) ()
#2 0x000055555799d2f4 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#3 0x000055555799dff9 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#4 0x000032a859622705 in ?? ()
[...]
#13 0x0000000000000000 in ?? ()
rax 0x555555734d32 93824994200882
rbx 0x7ffff6019000 140737320685568
rcx 0x555558120a70 93825038158448
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffaff0 140737488334832
rsp 0x7fffffffaf50 140737488334672
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x7ffff6018ba0 140737320684448
r13 0x7fffffffb010 140737488334864
r14 0x7ffff60f5458 140737321587800
r15 0x70997300 1889104640
rip 0x555557a23504 <js::jit::WarpOracle::createSnapshot()+1492>
=> 0x555557a23504 <_ZN2js3jit10WarpOracle14createSnapshotEv+1492>: movl $0xc1,0x0
0x555557a2350f <_ZN2js3jit10WarpOracle14createSnapshotEv+1503>: callq 0x555556b0473a <abort>
|
Reporter | |
Comment 1•4 years ago
|
||
|
|
Reporter | |
Comment 2•4 years ago
|
||
|
Assignee | |
Comment 3•4 years ago
|
||
This is just an awkward interaction between oomTest and the bailout loop detection code. We already disable the bailout loop assertion if we have seen a stack overflow or an OOM. However, oomTest clears the hadOutOfMemory flag after each iteration. MGuardStringToDouble (used in the comparison a++ == wrapWithProto + 0) swallows the exception and then bails out on OOM. We end up in a situation where we bailed out due to OOM (saving the failed IC hash), cleared the outOfMemory flag, and then didn't trigger another OOM before taking a snapshot in WarpOracle.
This isn't a real performance issue. The simplest fix is to check in hadNonDeterministicException to see whether we're currently simulating OOM.
|
|
Assignee | |
Comment 4•4 years ago
|
||
The testcase for this is slow and fragile, and I don't think it adds any value.
|
||
Comment 5•4 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210805092724-d66e0aca4012.
The bug appears to have been introduced in the following build range:
Start: 1add9a1bbfacd4ff1bee961fa8886b8cd0566d23 (20210227094458)
End: 80f5cb43d64e45bad9247216faa6553d836e53fe (20210227004609)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=1add9a1bbfacd4ff1bee961fa8886b8cd0566d23&tochange=80f5cb43d64e45bad9247216faa6553d836e53fe
|
||
Comment 7•4 years ago
|
||
| bugherder | ||
|
|
||
Comment 8•4 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210806033613-c8c5ee96321f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Comment 9•4 years ago
|
||
:iain, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
|
||
Updated•4 years ago
|
Description
•