Assertion failure: cx_->hadResourceExhaustion(), at jit/WarpOracle.cpp:206
Categories
(Core :: JavaScript Engine: JIT, defect, P3)
Tracking
()
People
(Reporter: gkw, Assigned: iain)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase)
Attachments
(1 file)
setJitCompilerOption("ion.frequent-bailout-threshold", 0);
for (let i = 0; i < 49; i++) {
(function () {
let x = new (function () {})();
Object.defineProperty(x, "z", {});
x.z;
})();
}
(gdb) bt
#0 js::jit::WarpOracle::createSnapshot (this=0x7fffffffc7a0) at /home/w11x500-lin/trees/mozilla-central/js/src/jit/WarpOracle.cpp:205
#1 0x000055555834a51d in js::jit::CreateWarpSnapshot (cx=cx@entry=0x7ffff6b39100, mirGen=mirGen@entry=0x7ffff6b55180, script=...) at /home/w11x500-lin/trees/mozilla-central/js/src/jit/Ion.cpp:1639
#2 0x0000555558346c2f in js::jit::IonCompile (cx=0x7ffff6b39100, script=..., osrPc=<optimized out>) at /home/w11x500-lin/trees/mozilla-central/js/src/jit/Ion.cpp:1709
#3 js::jit::Compile (cx=cx@entry=0x7ffff6b39100, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffca58, osrPc=osrPc@entry=0x0) at /home/w11x500-lin/trees/mozilla-central/js/src/jit/Ion.cpp:1902
#4 0x0000555558347abe in BaselineCanEnterAtEntry (cx=0x7ffff6b39100, script=..., frame=0x7fffffffca58) at /home/w11x500-lin/trees/mozilla-central/js/src/jit/Ion.cpp:2034
#5 IonCompileScriptForBaseline (cx=0x7ffff6b39100, frame=0x7fffffffca58, pc=<optimized out>) at /home/w11x500-lin/trees/mozilla-central/js/src/jit/Ion.cpp:2159
#6 0x00002903f39d23a6 in ?? ()
#7 0x0000000000000000 in ?? ()
(gdb)
Run with --fuzzing-safe --no-threads --ion-eager, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev f8ac03b3c764.
This seems to go as far back as m-c rev 443c7bf9d76b, I'll keep trying if possible.
Jan, is this a good testcase related to bug 1886549?
|
Reporter | |
Comment 1•1 year ago
|
||
I'm getting preliminary results pointing to bug 1671228 - switching needinfo? over to Iain for now.
|
||
Comment 2•1 year ago
|
||
Set release status flags based on info from the regressing bug 1671228
:iain, since you are the author of the regressor, bug 1671228, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
|
Reporter | |
Comment 3•1 year ago
|
||
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ba8318539e16
user: Iain Ireland
date: Mon Nov 28 18:33:41 2022 +0000
summary: Bug 1671228: Part 5: Try folding stubs before transitioning IC state r=jandem
Iain, is this a likely regressor?
|
Assignee | |
Comment 4•1 year ago
|
||
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 5•1 year ago
|
||
This is a false positive in the bailout loop detection code. Our strategy for updating the Ion script when we add a new case to a folded stub requires the frequent bailout threshold to be at least 2, so that we don't invalidate immediately before we have a chance to try folding.
There are a bunch of reasonable ways to fix this, but I think the most robust is to only set the failed IC hash if the frequent bailout threshold is >1. It's only used for this assertion, which only matters for catching potential performance cliffs, so we don't care what happens with non-default values.
If we're going to mark a regressor here, the stub-folding patches (bug 1671228) are as good a candidate as any.
|
|
Assignee | |
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Comment 7•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 8•1 year ago
|
||
The patch landed in nightly and beta is affected.
:iain, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox125towontfix.
For more information, please visit BugBot documentation.
|
|
||
Updated•1 year ago
|
|
|
Reporter | |
Updated•1 year ago
|
Description
•