Closed
Bug 1987401
Opened 6 months ago
Closed 6 months ago
MacroAssembler::preserveWrapper sets wrong result code on no-abiCall code path
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
DUPLICATE
of bug 1985591
People
(Reporter: csmantle, Unassigned)
References
(Regression)
Details
(Keywords: regression)
Attachments
(1 file, 1 obsolete file)
|
3.33 KB,
application/x-javascript
|
Details |
At https://searchfox.org/firefox-main/rev/1f462a0092bc995d91d3f5f790c197b1bf739954/js/src/jit/MacroAssembler.cpp#793-797, MacroAssembler::preserveWrapper uses scratchSuccess as a temp register to perform increment on preservedWrappersCount < preservedWrappersCapacity code path, but fails to set it to the correct Boolean return value before exiting. The net effect of this is an intermittent bailout loop that occurs if the lowest byte of preservedWrappersCount happens to be zero.
Running the attached scripts would produce the following output:
> ../gecko-dev/obj-x86_64-pc-windows-msvc/dist/bin/js.exe --no-threads --ion-check-range-analysis --ion-extra-checks --baseline-eager --ion-eager --fast-warmup ./program_20250908100959_BC9C6B4E-C540-4027-9E17-710FA43502B3_deterministic.js
[1676] Assertion failure: cx_->hadResourceExhaustion(), at D:/Workspace/gecko-dev/js/src/jit/WarpOracle.cpp:212
#01: js::jit::WarpOracle::createSnapshot (D:\Workspace\gecko-dev\js\src\jit\WarpOracle.cpp:211)
#02: js::jit::Compile (D:\Workspace\gecko-dev\js\src\jit\Ion.cpp:2014)
#03: IonCompileScriptForBaseline (D:\Workspace\gecko-dev\js\src\jit\Ion.cpp:2267)
[...]
#17: Shell (D:\Workspace\gecko-dev\js\src\shell\js.cpp:12260)
#18: main (D:\Workspace\gecko-dev\js\src\shell\js.cpp:12663)
[...]
>
The relevant simulation dump can be found below. Notice the addi t0, t0, 1 accumulation and andi s11, t0, 0xff, which converts the stale data to Bool.
[... ITER -3 ...]
0x0125fd559d0c 00128293 addi t0, t0, 1 00000000000009fd (1359857) int64:2557 uint64:2557
[...]
0x0125fd559d20 005eb023 sd t0, 0(t4) (1359862) int64:2557 uint64:2557 --> [addr: 17b8b0fd1a0]
0x0125fd559d24 2600006f j 608 -> 00000125FD559F84 0000000000000000 (1359863) int64:0 uint64:0
0x0125fd559f84 0ff2fd93 andi s11, t0, 0xff 00000000000000fd (1359864) int64:253 uint64:253
0x0125fd559f88 000d9663 bne s11, zero, 12 -> 00000125FD559F94
[... ITER -2 ...]
0x0125fd559d0c 00128293 addi t0, t0, 1 00000000000009fe (1360336) int64:2558 uint64:2558
[...]
0x0125fd559d20 005eb023 sd t0, 0(t4) (1360341) int64:2558 uint64:2558 --> [addr: 17b8b0fd1a0]
0x0125fd559d24 2600006f j 608 -> 00000125FD559F84 0000000000000000 (1360342) int64:0 uint64:0
0x0125fd559f84 0ff2fd93 andi s11, t0, 0xff 00000000000000fe (1360343) int64:254 uint64:254
0x0125fd559f88 000d9663 bne s11, zero, 12 -> 00000125FD559F94
[... ITER -1 ...]
0x0125fd559d0c 00128293 addi t0, t0, 1 00000000000009ff (1360815) int64:2559 uint64:2559
[...]
0x0125fd559d20 005eb023 sd t0, 0(t4) (1360820) int64:2559 uint64:2559 --> [addr: 17b8b0fd1a0]
0x0125fd559d24 2600006f j 608 -> 00000125FD559F84 0000000000000000 (1360821) int64:0 uint64:0
0x0125fd559f84 0ff2fd93 andi s11, t0, 0xff 00000000000000ff (1360822) int64:255 uint64:255
0x0125fd559f88 000d9663 bne s11, zero, 12 -> 00000125FD559F94
[... ITER 0 ...]
0x0125fd559d0c 00128293 addi t0, t0, 1 0000000000000a00 (1361698) int64:2560 uint64:2560
[...]
0x0125fd559d20 005eb023 sd t0, 0(t4) (1361703) int64:2560 uint64:2560 --> [addr: 17b8b0fd1a0]
0x0125fd559d24 2600006f j 608 -> 00000125FD559F84 0000000000000000 (1361704) int64:0 uint64:0
0x0125fd559f84 0ff2fd93 andi s11, t0, 0xff 0000000000000000 (1361705) int64:0 uint64:0
0x0125fd559f88 000d9663 bne s11, zero, 12 -> 00000125FD559F94
[... BAILOUT, s11 == 0 ...]
Call to host function at 00007FF6913C8090 with args 1630124880384, 1630127783384, 104, 1630124686611, 1630127783288, 6, 5, 45850024480
|
Reporter | |
Comment 1•6 months ago
|
||
|
||
Updated•6 months ago
|
Assignee: nobody → webmaster
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
|
|
||
Updated•6 months ago
|
Attachment #9511996 -
Attachment description: Bug 1987401 - Load success retval into scratchSuccess output register on no-abiCall code path. r=jandem → Bug 1987401 - Load success retval into scratchSuccess output register on MacroAssembler::preserveWrapper no-abiCall code path. r=jandem
|
|
||
Comment 2•6 months ago
|
||
Comment on attachment 9511996 [details]
Bug 1987401 - MacroAssembler: Load success retval into scratchSuccess output register on preserveWrapper no-abiCall code path. r=jandem
Revision D264072 was moved to bug 1987402. Setting attachment 9511996 [details] to obsolete.
Attachment #9511996 -
Attachment is obsolete: true
|
|
||
Updated•6 months ago
|
Attachment #9511996 -
Attachment description: Bug 1987401 - Load success retval into scratchSuccess output register on MacroAssembler::preserveWrapper no-abiCall code path. r=jandem → Bug 1987401 - MacroAssembler: Load success retval into scratchSuccess output register on preserveWrapper no-abiCall code path. r=jandem
Attachment #9511996 -
Attachment is obsolete: false
|
||
Updated•6 months ago
|
Keywords: regression
Regressed by: 1974519
|
|
Reporter | |
Comment 3•6 months ago
|
||
Marking this as dup of Bug 1985591. Thanks :anba for pointing out!
|
|
Reporter | |
Updated•6 months ago
|
Assignee: webmaster → nobody
|
|
||
Updated•6 months ago
|
Assignee: nobody → webmaster
|
|
||
Updated•6 months ago
|
Attachment #9511996 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•6 months ago
|
Assignee: webmaster → nobody
You need to log in
before you can comment on or make changes to this bug.
Description
•