CacheIR spewing is not completely compartment safe
Categories
(Core :: JavaScript Engine: JIT, defect, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox102 | --- | fixed |
People
(Reporter: thanhenderson, Assigned: thanhenderson)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
Steps to reproduce:
Changeset
changeset: FIREFOX_RELEASE_100_BASE
Mozconfig
ac_add_options --enable-js-shell
ac_add_options --enable-optimize
ac_add_options --enable-debug
ac_add_options --enable-warnings-as-errors
ac_add_options --enable-ccache=ccache
ac_add_options --enable-tests
ac_add_options --enable-geckodriver
ac_add_options --enable-jitspew
# Dump opt builds into another dir.
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-optdebug-browser-gecko-@CONFIG_GUESS@
mk_add_options AUTOCLOBBER=1
Commands
export MOZ_DISABLE_CONTENT_SANDBOX=1
SPEW=CacheIRHealthReport ./mach raptor --browsertime --page-cycles 1 --post-startup-delay 0 --verbose -t jetstream2
Actual results:
Early exiting due to assertion failure on compartments traced to a call to CacheIRHealthReport spewing in TrialInlining.cpp:
20:23:00 INFO - raptor-browsertime Info: #01: bool js::NativeLookupOwnPropertyInline<(js::AllowGC)0, (js::LookupResolveMode)2>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)0>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)0>::HandleType, js::PropertyResult*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x5a79758]
20:23:00 INFO - raptor-browsertime Info: #02: js::LookupPropertyPure(JSContext*, JSObject*, JS::PropertyKey, js::NativeObject**, js::PropertyResult*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x5a7920c]
20:23:00 INFO - raptor-browsertime Info: #03: js::GetPropertyPure(JSContext*, JSObject*, JS::PropertyKey, JS::Value*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x5a79858]
20:23:00 INFO - raptor-browsertime Info: #04: js::jit::CacheIRHealth::maybeExtractBaseScript(JSContext*, js::Shape*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x63dde40]
20:23:00 INFO - raptor-browsertime Info: #05: js::jit::CacheIRHealth::spewShapeInformation(js::AutoStructuredSpewer&, JSContext*, js::jit::ICStub*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x63de298]
20:23:00 INFO - raptor-browsertime Info: #06: js::jit::CacheIRHealth::spewNonFallbackICInformation(js::AutoStructuredSpewer&, JSContext*, js::jit::ICStub*, js::jit::CacheIRHealth::Happiness*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x63de7c0]
20:23:00 INFO - raptor-browsertime Info: #07: js::jit::CacheIRHealth::spewICEntryHealth(js::AutoStructuredSpewer&, JSContext*, JS::Handle<JSScript*>, js::jit::ICEntry*, js::jit::ICFallbackStub*, unsigned char*, JSOp, js::jit::CacheIRHealth::Happiness*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x63deec0]
20:23:00 INFO - raptor-browsertime Info: #08: js::jit::CacheIRHealth::healthReportForIC(JSContext*, js::jit::ICEntry*, js::jit::ICFallbackStub*, JS::Handle<JSScript*>, js::jit::SpewContext)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x63df1ec]
20:23:00 INFO - raptor-browsertime Info: #09: js::jit::DoTrialInlining(JSContext*, js::jit::BaselineFrame*)[/Users/than/Development/sm/mozilla-unified/obj-optdebug-browser-gecko-aarch64-apple-darwin21.5.0/toolkit/library/build/XUL +0x61d1130]```
https://github.com/ThanHenderson/sm/blob/master/RaptorCacheIRHealthError/RaptorSpew.log#L957-L966
Assignee | ||
Updated•2 years ago
|
Updated•2 years ago
|
Comment 2•2 years ago
|
||
I couldn't reproduce the problem locally. (I am travelling and don't have access to my normal build machine, so I'm limited by the speed at which my laptop builds the browser.)
Looking at the backtrace, I think adding AutoRealm ar(cx, shape);
here might help. Nathan, can you try that out and see if it fixes anything?
Assignee | ||
Comment 3•2 years ago
|
||
(In reply to Iain Ireland [:iain] from comment #2)
I couldn't reproduce the problem locally. (I am travelling and don't have access to my normal build machine, so I'm limited by the speed at which my laptop builds the browser.)
Looking at the backtrace, I think adding
AutoRealm ar(cx, shape);
here might help. Nathan, can you try that out and see if it fixes anything?
Adding
JSObject* proto = taggedProto.toObject();
AutoRealm ar(cx, proto);
before the call to GetPropertyPure, solved the assertion fail on compartment equality.
Oddly enough there still no spew_output files being generated when running Raptor with SPEW=CacheIRHealthReport, but that seems to be a different issue.
Comment 4•2 years ago
|
||
Worth submitting that as a patch here :)
Assignee | ||
Comment 5•2 years ago
|
||
Updated•2 years ago
|
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6fb8a1f65f8b Add AutoRealm call to remove downstream compartment equality assertion error. r=iain
Comment 7•2 years ago
|
||
bugherder |
Description
•