Closed Bug 1872656 Opened 9 months ago Closed 9 months ago

Assertion failure: entry, at jit/VMFunctions.cpp:1731

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

Tracking

RESOLVED FIXED
123 Branch
Tracking Status
firefox123 --- fixed

People

(Reporter: lukas.bernhard, Assigned: alexical)

References

(Blocks 2 open bugs)

Attachments

(1 file)

Steps to reproduce:

On git commit 9137f80064364a41a1de394af4ce05dffdbf68e6 the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --baseline-warmup-threshold=10 --ion-warmup-threshold=100 --fuzzing-safe --disable-watchtower crash.js.

function main() {
    const Probe = (function() {
        function probe() {}

        return {
            probe: probe,
        };
    })();

    // Mutate every JIT option while main() itself is still on the stack,
    // i.e. while its already-generated JIT code is executing.
    for (const v16 in getJitCompilerOptions()) {
        Probe.probe();
        setJitCompilerOption(v16, -1);
    }
}

// Warm main() up far enough that it gets JIT-compiled.
for (let i = 0; i < 100; i++) {
    main();
}

#0  0x00005555589d73db in js::jit::GetNativeDataPropertyPure (cx=0x7ffff662e100, obj=0x7f1721009a0, id=..., entry=0x0, 
    vp=0x7fffffff9ff0) at js/src/jit/VMFunctions.cpp:1731
#1  0x00002a1e9b78e231 in ?? ()
#2  0xfff9800000000000 in ?? ()
#3  0x00007fffffff9fc8 in ?? ()
#4  0xfff88000ffffffff in ?? ()
#5  0x000007f1721009a0 in ?? ()
#6  0x00007ffff54b3050 in ?? ()
#7  0x00007fffffff9658 in ?? ()
#8  0x00007ffff54f5c30 in ?? ()
#9  0x0000000000000081 in ?? ()
#10 0xfff9800000000000 in ?? ()
#11 0x00002a1e9b772fac in ?? ()
#12 0xfffe07f1721009a0 in ?? ()
#13 0xfffb2123e835de60 in ?? ()
#14 0xfffe2123e833f088 in ?? ()
#15 0xfffb2123e835de60 in ?? ()
#16 0xfffe07f1721009a0 in ?? ()
#17 0x00002123e8364060 in ?? ()
#18 0x00007ffff66af166 in ?? ()
#19 0x00007ffff54f5b50 in ?? ()
#20 0x00002123e833f038 in ?? ()
#21 0x00007ffff54f5a70 in ?? ()
#22 0x00007fffffffa070 in ?? ()
#23 0x00005555588a5890 in mozilla::detail::PoisonObject<JS::AutoAssertNoGC> (p=0x7fffffffa220)
    at obj-x86_64-pc-linux-gnu/dist/include/mozilla/Maybe.h:89
#24 0x00002a1e9b74ed81 in ?? ()
#25 0x0000000000000003 in ?? ()
#26 0x000007f172100650 in ?? ()
#27 0xfff9800000000000 in ?? ()
#28 0x00005555588a5835 in mozilla::Maybe<JS::AutoAssertNoGC>::poisonData (this=0x7fffffffdf28)
    at obj-x86_64-pc-linux-gnu/dist/include/mozilla/Maybe.h:367
#29 0x0000555558e0238b in EnterJit (cx=0x7ffff662e100, state=..., code=0x2a1e9b770d60 "UH\211\345\351#")
    at js/src/jit/Jit.cpp:115
#30 0x0000555558e01bac in js::jit::MaybeEnterJit (cx=0x7ffff662e100, state=...) at js/src/jit/Jit.cpp:261
#31 0x0000555557963769 in js::Interpret (cx=0x7ffff662e100, state=...) at js/src/vm/Interpreter.cpp:3099
#32 0x0000555557953fd5 in MaybeEnterInterpreterTrampoline (cx=0x7ffff662e100, state=...)
    at js/src/vm/Interpreter.cpp:393
#33 0x0000555557953c81 in js::RunScript (cx=0x7ffff662e100, state=...) at js/src/vm/Interpreter.cpp:451
#34 0x00005555579561c1 in js::ExecuteKernel (cx=0x7ffff662e100, script=..., envChainArg=..., evalInFrame=..., result=...)
    at js/src/vm/Interpreter.cpp:838
#35 0x000055555795653c in js::Execute (cx=0x7ffff662e100, script=..., envChain=..., rval=...)
    at js/src/vm/Interpreter.cpp:870
#36 0x0000555557b3401f in ExecuteScript (cx=0x7ffff662e100, envChain=..., script=..., rval=...)
    at js/src/vm/CompilationAndEvaluation.cpp:494
#37 0x0000555557b34145 in JS_ExecuteScript (cx=0x7ffff662e100, scriptArg=...)
    at js/src/vm/CompilationAndEvaluation.cpp:518
#38 0x00005555577ac0af in RunFile (cx=0x7ffff662e100, 
    filename=0x7ffff66a9390 "crash.js", file=0x7ffff7669f20, 
    compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=false)
    at js/src/shell/js.cpp:1220
#39 0x00005555577ab97c in Process (cx=0x7ffff662e100, 
    filename=0x7ffff66a9390 "crash.js", forceTTY=false, kind=FileScript)
    at js/src/shell/js.cpp:1800
#40 0x00005555577854f1 in ProcessArgs (cx=0x7ffff662e100, op=0x7fffffffdcc0) at js/src/shell/js.cpp:10875
#41 0x00005555577740c7 in Shell (cx=0x7ffff662e100, op=0x7fffffffdcc0) at js/src/shell/js.cpp:11137
#42 0x000055555776ef44 in main (argc=6, argv=0x7fffffffdf28) at js/src/shell/js.cpp:11541
Component: Untriaged → JavaScript Engine: JIT
Product: Firefox → Core
Blocks: sm-jits
Severity: -- → S3
Priority: -- → P3

Sounds like this might be related to the assertion added in https://searchfox.org/mozilla-central/source/js/src/jit/VMFunctions.cpp#1731 .
Alex, can you investigate and fix this issue?

I suspect that the problem comes from the fact that setJitCompilerOption behaves like about:config does, which is that it mutates the settings as soon as this is reported, and the code might have already been generated when the VMFunction is called and the assertion trips on the newly set value not matching the one used while generating the code.

Blocks: Watchtower
No longer blocks: sm-jits
Flags: needinfo?(dothayer)

Taking a look. But does anyone happen to know off the top of their head how this would be evading the fact that we discard all JIT code for the runtime when we call setJitCompilerOption? Or am I misunderstanding that bit?

Assignee: nobody → dothayer
Flags: needinfo?(dothayer)

(In reply to Alex Thayer [:alexical] (she/her) from comment #2)

> Taking a look. But does anyone happen to know off the top of their head how this would be evading the fact that we discard all JIT code for the runtime when we call setJitCompilerOption? Or am I misunderstanding that bit?

Maybe a script that's active on the stack because in that case we can't discard its JIT code. If it's the watchtower JitOption, I'm fine with just removing it. It was a temporary flag but now it's just adding complexity and a little performance overhead.
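The mechanism described in comment 1 and comment 3 (an option value baked into generated code, the option mutated while that code is still on the stack, and a VM helper asserting on the mismatch), as an added model in plain JavaScript; it is not SpiderMonkey code, and jitOptions, jitCache, vmFunction and getJitCode are hypothetical stand-ins for the engine's internals.

```javascript
// Added model (not SpiderMonkey's code) of the mechanism discussed above.
// Hypothetical runtime: one mutable JIT option standing in for the watchtower flag.
const jitOptions = { watchtower: 1 };

// Code cache that "discarding all JIT code" empties. Frames already executing
// keep their generated code (here: the closure they are running in).
const jitCache = new Map();

function setJitCompilerOption(name, value) {
  jitOptions[name] = value;
  jitCache.clear();   // discards cached code; does not unwind active frames
}

// Hypothetical VM helper: asserts the live option still matches the value
// the calling generated code was produced under.
function vmFunction(optionAtCodegen) {
  if (optionAtCodegen !== jitOptions.watchtower) {
    throw new Error('Assertion failure: option changed under generated code');
  }
  return true;
}

// "Compile" a script body: snapshot the option and bake it into the code.
function getJitCode(body) {
  if (!jitCache.has(body)) {
    const snapshot = jitOptions.watchtower;
    jitCache.set(body, () => body(() => vmFunction(snapshot)));
  }
  return jitCache.get(body);
}

// Case 1: the option is flipped while the script is on the stack (this bug).
function toggleWhileOnStack() {
  jitOptions.watchtower = 1;
  const script = (callVm) => {
    callVm();                               // consistent with the snapshot
    setJitCompilerOption('watchtower', 0);  // mutated mid-execution
    try {
      callVm();                             // snapshot 1 vs live 0
      return 'ok';
    } catch (e) {
      return 'assertion tripped';
    }
  };
  return getJitCode(script)();
}

// Case 2: the option is flipped between runs; the cache is dropped and the
// script is regenerated with the new snapshot, so no mismatch occurs.
function toggleBetweenRuns() {
  jitOptions.watchtower = 1;
  const script = (callVm) => callVm();
  getJitCode(script)();
  setJitCompilerOption('watchtower', 0);
  return getJitCode(script)() ? 'ok' : 'unexpected';
}
```

The landed fix takes the third route: the option is removed, so generated code no longer carries a value that a later setJitCompilerOption call can invalidate.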

This is no longer really needed, and it can get awkward when it is toggled
off mid-execution.

Pushed by dothayer@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/811d08d75f1b Remove megamorphic watchtower option r=iain
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch