Closed Bug 1770843 Opened 2 years ago Closed 2 years ago

CacheIR spewing is not completely compartment safe

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

Firefox 100
defect

Tracking

RESOLVED FIXED
102 Branch
Tracking Status
firefox102 --- fixed

People

(Reporter: thanhenderson, Assigned: thanhenderson)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Steps to reproduce:

Changeset

changeset: FIREFOX_RELEASE_100_BASE

Mozconfig

ac_add_options --enable-js-shell

ac_add_options --enable-optimize
ac_add_options --enable-debug
ac_add_options --enable-warnings-as-errors
ac_add_options --enable-ccache=ccache
ac_add_options --enable-tests
ac_add_options --enable-geckodriver
ac_add_options --enable-jitspew

# Dump opt builds into another dir.
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-optdebug-browser-gecko-@CONFIG_GUESS@

mk_add_options AUTOCLOBBER=1

Commands

export MOZ_DISABLE_CONTENT_SANDBOX=1
SPEW=CacheIRHealthReport ./mach raptor --browsertime --page-cycles 1 --post-startup-delay 0 --verbose -t jetstream2

Actual results:

Early exiting due to assertion failure on compartments traced to a call to CacheIRHealthReport spewing in TrialInlining.cpp:

20:23:00     INFO -  raptor-browsertime Info: #01: bool js::NativeLookupOwnPropertyInline<(js::AllowGC)0, (js::LookupResolveMode)2>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)0>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)0>::HandleType, js::PropertyResult*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x5a79758]
20:23:00     INFO -  raptor-browsertime Info: #02: js::LookupPropertyPure(JSContext*, JSObject*, JS::PropertyKey, js::NativeObject**, js::PropertyResult*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x5a7920c]
20:23:00     INFO -  raptor-browsertime Info: #03: js::GetPropertyPure(JSContext*, JSObject*, JS::PropertyKey, JS::Value*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x5a79858]
20:23:00     INFO -  raptor-browsertime Info: #04: js::jit::CacheIRHealth::maybeExtractBaseScript(JSContext*, js::Shape*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x63dde40]
20:23:00     INFO -  raptor-browsertime Info: #05: js::jit::CacheIRHealth::spewShapeInformation(js::AutoStructuredSpewer&, JSContext*, js::jit::ICStub*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x63de298]
20:23:00     INFO -  raptor-browsertime Info: #06: js::jit::CacheIRHealth::spewNonFallbackICInformation(js::AutoStructuredSpewer&, JSContext*, js::jit::ICStub*, js::jit::CacheIRHealth::Happiness*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x63de7c0]
20:23:00     INFO -  raptor-browsertime Info: #07: js::jit::CacheIRHealth::spewICEntryHealth(js::AutoStructuredSpewer&, JSContext*, JS::Handle<JSScript*>, js::jit::ICEntry*, js::jit::ICFallbackStub*, unsigned char*, JSOp, js::jit::CacheIRHealth::Happiness*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x63deec0]
20:23:00     INFO -  raptor-browsertime Info: #08: js::jit::CacheIRHealth::healthReportForIC(JSContext*, js::jit::ICEntry*, js::jit::ICFallbackStub*, JS::Handle<JSScript*>, js::jit::SpewContext)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x63df1ec]
20:23:00     INFO -  raptor-browsertime Info: #09: js::jit::DoTrialInlining(JSContext*, js::jit::BaselineFrame*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x61d1130]

https://github.com/ThanHenderson/sm/blob/master/RaptorCacheIRHealthError/RaptorSpew.log#L957-L966
Flags: needinfo?(iireland)
Blocks: sm-jits
Severity: -- → S4
Priority: -- → P3

I couldn't reproduce the problem locally. (I am travelling and don't have access to my normal build machine, so I'm limited by the speed at which my laptop builds the browser.)

Looking at the backtrace, I think adding AutoRealm ar(cx, shape); here might help. Nathan, can you try that out and see if it fixes anything?

Flags: needinfo?(iireland) → needinfo?(nathan.t.henderson)

(In reply to Iain Ireland [:iain] from comment #2)

> I couldn't reproduce the problem locally. (I am travelling and don't have access to my normal build machine, so I'm limited by the speed at which my laptop builds the browser.)
>
> Looking at the backtrace, I think adding AutoRealm ar(cx, shape); here might help. Nathan, can you try that out and see if it fixes anything?

Adding

JSObject* proto = taggedProto.toObject();
AutoRealm ar(cx, proto);

before the call to GetPropertyPure solved the assertion failure on compartment equality.

Oddly enough, there are still no spew_output files being generated when running Raptor with SPEW=CacheIRHealthReport, but that seems to be a different issue.

Flags: needinfo?(nathan.t.henderson)
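
The pattern behind the fix in the comment above, as an added example that is not part of the bug thread and is not SpiderMonkey code: a simplified C++ model in which a lookup refuses to run when the context's current realm is in a different compartment from the object, and an RAII guard enters the object's realm before the lookup. ScopedRealm, getPropertyChecked, spewProtoProperty and the sample data are hypothetical stand-ins for AutoRealm, GetPropertyPure and the spew code.

```cpp
// Simplified model, not SpiderMonkey code. All types and names are hypothetical.
#include <string>
#include <unordered_map>

struct Realm { int compartmentId; };
struct Object { Realm* realm; std::unordered_map<std::string, int> props; };
struct Context { Realm* current; };

// RAII guard in the role AutoRealm plays in the fix: enter the target
// object's realm for this scope and restore the previous realm on exit.
class ScopedRealm {
    Context& cx_; Realm* saved_;
public:
    ScopedRealm(Context& cx, const Object& target) : cx_(cx), saved_(cx.current) {
        cx_.current = target.realm;
    }
    ~ScopedRealm() { cx_.current = saved_; }
    ScopedRealm(const ScopedRealm&) = delete;  // a guard must not be copied
};

// Stand-in for the lookup. The debug build on the page asserts on a
// compartment mismatch; this model returns false so the result is testable.
bool getPropertyChecked(const Context& cx, const Object& obj, const std::string& key, int* out) {
    if (cx.current->compartmentId != obj.realm->compartmentId) return false;
    auto it = obj.props.find(key);
    if (it == obj.props.end()) return false;
    *out = it->second;
    return true;
}

// Spew-style helper reading from a prototype that may live in a different
// compartment than the script being reported on.
bool spewProtoProperty(Context& cx, const Object& proto, bool enterRealm, int* out) {
    if (!enterRealm) return getPropertyChecked(cx, proto, "sample", out);
    ScopedRealm ar(cx, proto);  // same placement as the fix: before the lookup
    return getPropertyChecked(cx, proto, "sample", out);
}

// Constructed scenario: script realm in compartment 1, prototype in compartment 2.
struct Demo { bool unguardedRejected; bool guardedOk; bool realmRestored; };
Demo runDemo() {
    Realm scriptRealm{1}, protoRealm{2};
    Object proto{&protoRealm, {{"sample", 42}}};
    Context cx{&scriptRealm};
    int v = 0;
    bool rejected = !spewProtoProperty(cx, proto, false, &v);
    bool ok = spewProtoProperty(cx, proto, true, &v) && v == 42;
    return Demo{rejected, ok, cx.current == &scriptRealm};
}
```

Because the guard restores the previous realm in its destructor, the caller's realm is unchanged after the helper returns, including on early-return paths.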

Worth submitting that as a patch here :)

Assignee: nobody → nathan.t.henderson
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6fb8a1f65f8b
Add AutoRealm call to remove downstream compartment equality assertion error. r=iain
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch