Assertion failure: popped[i]->isImplicitlyUsed() || popped[i]->isNewDerivedTypedObject() || popped[i]->defUseCount() > poppedUses[i], at jit/IonBuilder.cpp:1338

RESOLVED FIXED in mozilla29

Status

Product: Core
Component: JavaScript Engine: JIT
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 4 years ago
Modified: 4 years ago

People

(Reporter: decoder, Assigned: jandem)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Version: Trunk
Target Milestone: mozilla29
Hardware: x86_64
OS: Linux
Keywords: assertion, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments, 2 obsolete attachments)

(Reporter)

Description

4 years ago
The following testcase asserts on mozilla-central revision fe7f7ead589c (run with --fuzzing-safe):

// Lower the Ion compilation threshold so f() gets Ion-compiled during the loop.
setJitCompilerOption("ion.usecount.trigger", 50);
// Fuzzer-generated setup: despite the name, this is a plain Boolean wrapper
// object (the object argument is truthy), not a Proxy. Function.prototype is
// then made to inherit from it.
var proxy = new Boolean({ get: function() {} }, {});
Function.prototype.__proto__ = proxy;
function g(x, y) {}
function f() {
  // fun.apply(this, arguments) is the call form IonBuilder special-cases.
  g.apply(this, arguments);
}
// Warm up f() past the trigger so IonBuilder compiles the apply call.
for (var i = 0; i < 1000; ++i) {
  f(i, i*2);
}

Created attachment 8355200 [details]
windows stack

also found via bughunter on http://saint-marc.ws/index.php

Updated

4 years ago
Blocks: 532972
(Assignee)

Comment 2

4 years ago
Created attachment 8355203 [details] [diff] [review]
Patch

Just need an extra setFoldedUnchecked call.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8355203 - Flags: review?(nicolas.b.pierron)
Comment on attachment 8355203 [details] [diff] [review]
Patch

Review of attachment 8355203 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/IonBuilder.cpp
@@ +4935,5 @@
>  
>          MArgumentsLength *numArgs = MArgumentsLength::New(alloc());
>          current->add(numArgs);
>  
>          MApplyArgs *apply = MApplyArgs::New(alloc(), target, argFunc, numArgs, argThis);

We are adding a use of argFunc here; the second part of the assertion should be verified in this case.

@@ +4971,5 @@
>      callInfo.setThis(argThis);
>  
>      // Pop function parameter.
>      MDefinition *argFunc = current->pop();
> +    argFunc->setFoldedUnchecked();
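Review bot: the added `argFunc->setFoldedUnchecked();` carries no comment saying why argFunc has no other use on this path, which is what the popped-uses assertion at IonBuilder.cpp:1338 checks; a one-line comment above it stating that the callee is popped here only to be read and is not kept as an operand of the emitted call would make the reason for suppressing that check visible, and would also make it obvious if a use is in fact missing rather than intentionally absent.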

Is the function inlined?  If it is not, then the MCall should have a use of argFunc and the second part of the assertion should be verified too.

Otherwise the issue is likely located in the inlining code.
Attachment #8355203 - Flags: review?(nicolas.b.pierron)
Loading http://www.theb-hotels.com/the-b-roppongi/en/ yielded:

Assertion failure: popped[i]->isImplicitlyUsed() || popped[i]->isNewDerivedTypedObject() || popped[i]->defUseCount() > poppedUses[i], at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/jit/IonBuilder.cpp:1338

which looks like it's the same, although the first piece of the || chain has changed since the bug was filed.
Yeah, bug 953256 changed isFolded to isImplicitlyUsed.
Summary: Assertion failure: popped[i]->isFolded() || popped[i]->isNewDerivedTypedObject() || popped[i]->defUseCount() > poppedUses[i], at jit/IonBuilder.cpp:1338 → Assertion failure: popped[i]->isImplicitlyUsed() || popped[i]->isNewDerivedTypedObject() || popped[i]->defUseCount() > poppedUses[i], at jit/IonBuilder.cpp:1338
(Assignee)

Comment 6

4 years ago
Created attachment 8360317 [details] [diff] [review]
Patch v2
Attachment #8355203 - Attachment is obsolete: true
Attachment #8360317 - Flags: review?(nicolas.b.pierron)
(Assignee)

Comment 7

4 years ago
Created attachment 8360320 [details] [diff] [review]
Patch

Realized there's another place where we should set the flag. Sorry for the bugspam.
Attachment #8360317 - Attachment is obsolete: true
Attachment #8360317 - Flags: review?(nicolas.b.pierron)
Attachment #8360320 - Flags: review?(nicolas.b.pierron)
Attachment #8360320 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/mozilla-central/rev/103c0b6c135d
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29

Updated

4 years ago
Flags: in-testsuite+