Assertion failure: cx_->hadResourceExhaustion(), at jit/WarpOracle.cpp:206
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking
()
People
(Reporter: gkw, Assigned: iain)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase)
Attachments
(2 files)
See attached testcase.
205 MOZ_ASSERT_IF(hash == oldHash && !js::SupportDifferentialTesting(),
(gdb) bt
#0 js::jit::WarpOracle::createSnapshot (this=0xffffbdec) at /home/gen16gx500/trees/mozilla-central/js/src/jit/WarpOracle.cpp:205
#1 0x58f8acf4 in js::jit::CreateWarpSnapshot (cx=0xf7614100, mirGen=0xf63d8100, script=...) at /home/gen16gx500/trees/mozilla-central/js/src/jit/Ion.cpp:1597
#2 0x58f8759e in js::jit::IonCompile (cx=0xf7614100, script=..., osrPc=<optimized out>) at /home/gen16gx500/trees/mozilla-central/js/src/jit/Ion.cpp:1667
#3 js::jit::Compile (cx=0xf7614100, script=..., osrFrame=<optimized out>, osrPc=0x0) at /home/gen16gx500/trees/mozilla-central/js/src/jit/Ion.cpp:1860
#4 0x58f8841d in BaselineCanEnterAtEntry (cx=0xf7614100, frame=0xf67ffe98, script=...) at /home/gen16gx500/trees/mozilla-central/js/src/jit/Ion.cpp:1992
#5 IonCompileScriptForBaseline (cx=0xf7614100, frame=0xf67ffe98, pc=0xf7602241 "\266\001") at /home/gen16gx500/trees/mozilla-central/js/src/jit/Ion.cpp:2117
#6 0x58f87e80 in js::jit::IonCompileScriptForBaselineAtEntry (cx=0xf7614100, frame=0xf67ffe98) at /home/gen16gx500/trees/mozilla-central/js/src/jit/Ion.cpp:2144
#7 0x58d41909 in js::jit::Simulator::softwareInterrupt (this=0xf761c800, instr=0xf632e7e4) at /home/gen16gx500/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:2392
#8 0x58d3e867 in js::jit::Simulator::decodeType7 (this=0xf761c800, instr=0xf632e7e4) at /home/gen16gx500/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:3401
#9 js::jit::Simulator::instructionDecode (this=0xf761c800, instr=0xf632e7e4) at /home/gen16gx500/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:4431
#10 0x58d471bb in js::jit::Simulator::execute<false> (this=0xf761c800) at /home/gen16gx500/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:4487
#11 js::jit::Simulator::callInternal (this=0xf761c800, entry=0x2787b508 "\360O-\351\004\320M\342\020\212-\355h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at /home/gen16gx500/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:4565
#12 0x58d47780 in js::jit::Simulator::call (this=0xf761c800, entry=0x2787b508 "\360O-\351\004\320M\342\020\212-\355h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, argument_count=8) at /home/gen16gx500/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:4653
#13 0x59085011 in EnterJit (code=<optimized out>, cx=<optimized out>, state=...) at /home/gen16gx500/trees/mozilla-central/js/src/jit/Jit.cpp:115
#14 js::jit::MaybeEnterJit (cx=0xf7614100, state=...) at /home/gen16gx500/trees/mozilla-central/js/src/jit/Jit.cpp:261
#15 0x580395cc in js::RunScript (cx=0xf7614100, state=...) at /home/gen16gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:441
#16 0x5803c87c in js::ExecuteKernel (cx=0xf7614100, script=..., envChainArg=..., evalInFrame=..., result=...) at /home/gen16gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:838
#17 0x5803ccea in js::Execute (cx=0xf7614100, script=..., envChain=..., rval=...) at /home/gen16gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:870
#18 0x581c2c38 in ExecuteScript (cx=0xf7614100, envChain=..., script=..., rval=...) at /home/gen16gx500/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:494
#19 0x581c2e18 in JS_ExecuteScript (cx=0xf7614100, scriptArg=...) at /home/gen16gx500/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:518
#20 0x57f79647 in RunFile (cx=<optimized out>, filename=<optimized out>, file=0xf77208d0, compileMethod=CompileUtf8::DontInflate, compileOnly=<optimized out>, fullParse=<optimized out>) at /home/gen16gx500/trees/mozilla-central/js/src/shell/js.cpp:1219
#21 0x57f78737 in Process (cx=<optimized out>, filename=<optimized out>, forceTTY=<optimized out>, kind=FileScript) at /home/gen16gx500/trees/mozilla-central/js/src/shell/js.cpp:1799
#22 0x57f386c8 in ProcessArgs (cx=0xf7614100, op=0xffffca18) at /home/gen16gx500/trees/mozilla-central/js/src/shell/js.cpp:10874
#23 Shell (cx=<optimized out>, op=<optimized out>, op@entry=0xffffca18) at /home/gen16gx500/trees/mozilla-central/js/src/shell/js.cpp:11136
#24 0x57f325e6 in main (argc=6, argv=0xffffcb84) at /home/gen16gx500/trees/mozilla-central/js/src/shell/js.cpp:11540
(gdb)
Run with --fuzzing-safe --no-threads --ion-eager --arm-hwcap=vfp, compile with 'CXX="clang++ -msse2 -mfpmath=sse"' 'CC="clang -msse2 -mfpmath=sse"' AR=ar PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig sh ../configure --host=x86_64-pc-linux-gnu --target=i686-pc-linux --enable-simulator=arm --enable-debug --with-ccache --enable-debug-symbols --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 382081ff53ef.
Iain, setting needinfo? to you since you seem to have fixed similar issues recently.
Reporter
Comment 1•1 year ago
$ ~/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef --fuzzing-safe --no-threads --ion-eager --arm-hwcap=vfp testcase.js
Assertion failure: cx_->hadResourceExhaustion(), at /home/gen16gx500/trees/mozilla-central/js/src/jit/WarpOracle.cpp:206
#01: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x2aafb21]
#02: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x2a35cf4]
#03: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x2a3259e]
#04: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x2a3341d]
#05: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x2a32e80]
#06: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x27ec909]
#07: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x27e9867]
#08: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x27f21bb]
#09: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x27f2780]
#10: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x2b30011]
#11: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x1ae45cc]
#12: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x1ae787c]
#13: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x1ae7cea]
#14: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x1c6dc38]
#15: JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>)[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x1c6de18]
#16: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x1a24647]
#17: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x1a23737]
#18: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x19e36c8]
#19: ???[/home/gen16gx500/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef +0x19dd5e6]
Segmentation fault
Assignee
Comment 2•1 year ago
Nice catch! This is a real performance-tanking bailout loop, although it can only happen on hardware we don't care about, and maybe only in the simulator.
It looks like we're hitting this bailout in SoftModI repeatedly, which seemingly only occurs when we're compiling for an arm32 device without hardware support for integer mod (!?!?). (That's why --arm-hwcap=vfp is necessary.)
I can reproduce the same bug with a simpler testcase:
// |jit-test| --fast-warmup; --arm-hwcap=vfp
function foo(n) { return n % 2; }
with ({}) {}
for (var i = 0; i < 1000; i++) {
foo(0);
}
It looks like the problem here is that we're saving the original lhs value in a temp register here, calling __aeabi_idivmod to do the actual computation, and then using the saved value to check whether the result should be -0. But when we do the call in the simulator, scratchVolatileRegisters
clobbers our temp register. I suspect that this bug was introduced in this patch for bug 1659093, which hardcoded a fixed register that happened to be volatile.
Using a non-volatile temp fixes the bug.
The comment here from the original 12-year-old bug that initially added the -0 check to SoftModI is ironic:

> Does LDefinition::GENERAL make it callee-saved? I think you need to ASSERT
> in ::visitModI that the register is callee-saved, since things will break
> subtlely (and horribly) if a caller gets this wrong.
>
> I'll add the assertion, but there shouldn't be any way that we can assign a caller saved register to that register.
It appears that we removed said assertion as part of bug 888237.
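The int32 modulo semantics that the SoftModI path has to reproduce around the __aeabi_idivmod call, and what happens to the -0 check when the saved lhs it reads has been clobbered, as an added example in plain JavaScript. This is not SpiderMonkey code and not part of this bug; `softModI`, `aeabiIdivmod`, `BAILOUT` and the `savedLhsAfterCall` parameter are illustrative models written for this example, not engine APIs.

```javascript
// Added example (not SpiderMonkey code). Models the int32 `lhs % rhs` that an
// ARM32 SoftModI-style code path computes by calling the C runtime's
// __aeabi_idivmod, and the -0 check it performs afterwards using the lhs value
// it saved before the call.
//
// JS semantics for `lhs % rhs` on int32 inputs:
//   rhs == 0                 -> NaN   (not representable as int32)
//   result == 0 && lhs < 0   -> -0    (not representable as int32)
//   otherwise                -> truncated remainder, sign of the dividend
// When the result is not an int32, the int32 path cannot produce it and has
// to bail out to the slower double path.

const BAILOUT = Symbol("bailout"); // illustrative marker, not an engine value

// Model of __aeabi_idivmod: quotient and remainder with C semantics
// (remainder takes the sign of the dividend). Assumes rhs != 0.
function aeabiIdivmod(lhs, rhs) {
  // INT32_MIN / -1 overflows in C; JS defines the remainder as 0 (well, -0).
  if (lhs === -2147483648 && rhs === -1) return { quot: lhs, rem: 0 };
  const quot = Math.trunc(lhs / rhs);
  return { quot, rem: lhs - quot * rhs };
}

// savedLhsAfterCall models the temp register the code generator reads for the
// -0 check after the call returns. Correct codegen keeps the original lhs in a
// callee-saved register, so it equals lhs. Codegen that saved lhs in a
// caller-saved (volatile) register reads whatever the call left there.
function softModI(lhs, rhs, savedLhsAfterCall = lhs) {
  if (rhs === 0) return BAILOUT;                           // result is NaN
  const { rem } = aeabiIdivmod(lhs, rhs);
  if (rem === 0 && savedLhsAfterCall < 0) return BAILOUT;  // result is -0
  return rem;                                              // int32 result
}

// Reference: what the engine itself computes, as a double.
function jsMod(lhs, rhs) {
  return lhs % rhs;
}

// True when the model agrees with the engine: same int32 result, or a bailout
// exactly when the engine's result is not an int32 (NaN or -0).
function modelMatchesEngine(lhs, rhs) {
  const got = softModI(lhs, rhs);
  const want = jsMod(lhs, rhs);
  const wantIsInt32 = Number.isInteger(want) && !Object.is(want, -0);
  return wantIsInt32 ? got === want : got === BAILOUT;
}

// The failure mode from the report: foo(0) computes 0 % 2, which never needs
// a bailout. If the saved lhs was clobbered by the call with a negative value,
// the -0 check misfires on every call, so the compiled code bails out each
// time instead of making progress.
function countSpuriousBailouts(iterations, clobberValue) {
  let bailouts = 0;
  for (let i = 0; i < iterations; i++) {
    if (softModI(0, 2, clobberValue) === BAILOUT) bailouts++;
  }
  return bailouts;
}
```

`countSpuriousBailouts(1000, 0)` models the fixed codegen (saved lhs intact, no bailouts); `countSpuriousBailouts(1000, -1)` models a clobbered temp register and bails out on every iteration, which is the loop the testcase above drives.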
Assignee
Comment 3•1 year ago
Comment 4•1 year ago
The severity field is not set for this bug.
:willyelm, could you have a look please?
For more information, please visit BugBot documentation.
Comment 6•1 year ago
bugherder