Closed Bug 1875487 Opened 2 years ago Closed 2 years ago

Assertion failure: cx_->hadResourceExhaustion(), at jit/WarpOracle.cpp:206

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
124 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox122 --- wontfix
firefox123 --- fixed
firefox124 --- verified

People

(Reporter: decoder, Assigned: anba)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20240117-f593f07c9772 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

// Reduced fuzzer testcase: uceFault returns the `arguments` object once j29
// is truthy, so `obj` alternates between an arguments object and a function.
uceFault = function(j29) {
    if (j29) return arguments;
}
function f85(j29) {
    i96 = Math.pow(2, j29);   // grows past the int32 range as j29 increases
    obj = (uceFault(j29) || uceFault);
}
max = 150;
// `max` is never modified, so the loop does not terminate on its own; it keeps
// calling f85 until the JIT compiles it and the assertion fires.
for (j29 = 0; max; ++j29)
    f85(j29);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555558069faf in js::jit::WarpOracle::createSnapshot() ()
#1  0x0000555557fea6dd in js::jit::CreateWarpSnapshot(JSContext*, js::jit::MIRGenerator*, JS::Handle<JSScript*>) ()
#2  0x0000555557fe365c in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#3  0x0000555557fe4533 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#4  0x00000ed4a2160fc6 in ?? ()
[...]
#15 0x0000000000000000 in ?? ()
rax	0x55555589ca6a	93824995674730
rbx	0x7fffffffc9a0	140737488341408
rcx	0x555558967878	93825046837368
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffc980	140737488341376
rsp	0x7fffffffc8e0	140737488341216
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f92840	140737353689152
r10	0x2	2
r11	0x0	0
r12	0x7ffff3d19580	140737283986816
r13	0x0	0
r14	0x7ffff2b5a908	140737265379592
r15	0x65fa6dac	1710910892
rip	0x555558069faf <js::jit::WarpOracle::createSnapshot()+1823>
=> 0x555558069faf <_ZN2js3jit10WarpOracle14createSnapshotEv+1823>:	movl   $0xce,0x0
   0x555558069fba <_ZN2js3jit10WarpOracle14createSnapshotEv+1834>:	callq  0x555556ebf980 <abort>
Attached file Testcase

Verified bug as reproducible on mozilla-central 20240119093321-b6393478fdf6.
The bug appears to have been introduced in the following build range:

Start: fdbf9ce9e9c3b39ed51622e0b013261837013e7f (20231103141653)
End: c1bbed9e33815cc111047e95375c6446ad566b5b (20231103153002)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=fdbf9ce9e9c3b39ed51622e0b013261837013e7f&tochange=c1bbed9e33815cc111047e95375c6446ad566b5b

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Unbox to floating point types instructions support both boxed floating point
types and boxed int32 values. This means we can't propagate unbox-to-double when
the input can be a boxed int32 value, because other uses of the boxed value may
expect only int32 values.

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Regressed by: 1861983
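To make the reasoning in the comment above concrete, here is an added toy model in JavaScript; it is not SpiderMonkey code and not part of this bug's patch. A boxed value is modelled as a set of possible runtime kinds, an unbox instruction narrows that set for later uses, and the acceptance rules (unbox-to-double accepts boxed int32 as well as boxed double, unbox-to-int32 accepts only boxed int32) are assumptions taken from the comment. The naive propagation treats a value as exactly the unbox type after every unbox; the corrected propagation skips floating point unboxes, as the landed fix does.

```javascript
// Added toy model, not SpiderMonkey code: boxed values carry a set of possible
// runtime kinds, and an Unbox instruction narrows that set for other uses.
const Kind = Object.freeze({ Int32: "Int32", Double: "Double", Object: "Object" });

// Assumed acceptance rules, following the bug comment: an unbox to double
// accepts both boxed doubles and boxed int32 (the int32 is converted), while
// an unbox to int32 accepts only boxed int32.
const ACCEPTS = {
  [Kind.Int32]: new Set([Kind.Int32]),
  [Kind.Double]: new Set([Kind.Int32, Kind.Double]),
  [Kind.Object]: new Set([Kind.Object]),
};

function intersect(a, b) {
  return new Set([...a].filter((k) => b.has(k)));
}

// Unsound propagation: after Unbox(v, T) succeeds, treat v as exactly T
// everywhere. For T = Double this drops Int32, although the unbox would have
// accepted an int32 and the boxed value itself stays an int32.
function propagateNaive(possibleKinds, unboxType) {
  return new Set([unboxType]);
}

// Propagation in the spirit of the fix: do not propagate from an unbox to a
// floating point type; for other types, narrow to the kinds the unbox accepts.
function propagateFixed(possibleKinds, unboxType) {
  if (unboxType === Kind.Double) {
    return new Set(possibleKinds);
  }
  return intersect(possibleKinds, ACCEPTS[unboxType]);
}

// A later use that unboxes the same value to int32. If the propagated kind
// set claims int32 is impossible, the compiler would treat that use as always
// failing, which is the inconsistency the comment warns about.
function laterInt32UseCanSucceed(kinds) {
  return intersect(kinds, ACCEPTS[Kind.Int32]).size > 0;
}

// Constructed scenario: a value that is sometimes a boxed int32 and sometimes
// a boxed double (like Math.pow(2, j29) in the testcase as j29 grows), first
// unboxed to double, then unboxed to int32 by another use.
function scenario(propagate) {
  const kinds = new Set([Kind.Int32, Kind.Double]);
  const afterDoubleUnbox = propagate(kinds, Kind.Double);
  return laterInt32UseCanSucceed(afterDoubleUnbox);
}

console.log("naive:", scenario(propagateNaive)); // false: int32 use wrongly ruled out
console.log("fixed:", scenario(propagateFixed)); // true
```

Run with `node` (or the SpiderMonkey shell): the naive variant reports that the later int32 use can never succeed, while the fixed variant keeps both kinds alive and only narrows on unboxes to non-floating-point types.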
Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/1d9bf66a4a9c Skip unbox to floating point types when propagating unbox type information. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch

Verified bug as fixed on rev mozilla-central 20240123053648-7800a7cccda7.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Set release status flags based on info from the regressing bug 1861983

The patch landed in nightly and beta is affected.
:anba, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox123 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(andrebargull)

Comment on attachment 9375742 [details]
Bug 1875487: Skip unbox to floating point types when propagating unbox type information. r=jandem!

Beta/Release Uplift Approval Request

  • User impact if declined: Repeated bailouts from Ion to Baseline, resulting in degraded performance.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Not risky, because it only disables a JIT optimisation for a specific input type.
  • String changes made/needed:
  • Is Android affected?: Yes
Flags: needinfo?(andrebargull)
Attachment #9375742 - Flags: approval-mozilla-beta?

Comment on attachment 9375742 [details]
Bug 1875487: Skip unbox to floating point types when propagating unbox type information. r=jandem!

Approved for 123 beta 3, thanks.

Attachment #9375742 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
