Closed Bug 1647054 Opened 4 years ago Closed 4 years ago

[warp] Assertion failure: use.def()->id() <= mostRecentUse->id(), at jit/MIR.cpp:791

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
mozilla79
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- disabled
firefox77 --- unaffected
firefox78 --- disabled
firefox79 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200619-341563fe5463 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --warp --ion-full-warmup-threshold=0):

function f() {
  for (var i = 0; i < 550; ++i)
    for (var j = 0; ["A"] & (i++); ++j)
      i()
}
f();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556737f2b in js::jit::MDefinition::maybeMostRecentDefUse() const ()
#1  0x0000555556a8b5cc in js::jit::TranspileCacheIRToMIR(js::jit::MIRGenerator&, js::BytecodeLocation, js::jit::MBasicBlock*, js::jit::WarpCacheIR const*, mozilla::Vector<js::jit::MDefinition*, 8ul, js::SystemAllocPolicy> const&) ()
#2  0x0000555556a86199 in js::jit::WarpBuilder::buildIC(js::BytecodeLocation, js::jit::CacheKind, std::initializer_list<js::jit::MDefinition*>) ()
#3  0x0000555556a85f89 in js::jit::WarpBuilder::buildUnaryOp(js::BytecodeLocation) ()
#4  0x0000555556a73655 in js::jit::WarpBuilder::buildBody() ()
#5  0x0000555556a72c3a in js::jit::WarpBuilder::build() ()
#6  0x00005555565f5dda in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#7  0x000055555660a191 in js::jit::IonCompile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool, js::jit::OptimizationLevel) ()
#8  0x00005555565f72a1 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool) ()
#9  0x00005555565f7ac7 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*) ()
#10 0x00005555565f80fd in js::jit::IonCompileScriptForBaselineOSR(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*, js::jit::IonOsrTempData**) ()
#11 0x00000bdc0550ba27 in ?? ()
#12 0x00007fffffffb758 in ?? ()
#13 0x00007fffffffb6d0 in ?? ()
#14 0x0000000000000000 in ?? ()
rax	0x5555570f520a	93825021202954
rbx	0x7ffff60328e8	140737320790248
rcx	0x555558358840	93825040484416
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffac70	140737488333936
rsp	0x7fffffffac70	140737488333936
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f9bd40	140737353727296
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x8	8
r13	0x7fffffffadc8	140737488334280
r14	0x0	0
r15	0x38	56
rip	0x555556737f2b <js::jit::MDefinition::maybeMostRecentDefUse() const+667>
=> 0x555556737f2b <_ZNK2js3jit11MDefinition21maybeMostRecentDefUseEv+667>:	movl   $0x317,0x0
   0x555556737f36 <_ZNK2js3jit11MDefinition21maybeMostRecentDefUseEv+678>:	callq  0x55555584464e <abort>
Attached file Testcase (deleted) —

Also rename to maybeMostRecentlyAddedDefUse to make things a bit clearer.
The loop phi case here has no effect on the transpiler's use of this method.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200622093309-24787602a9f6. The bug appears to have been introduced in the following build range:
> Start: fb341901c6f7493c5cc8e1bc83eeb4922fb86510 (20200525080623)
> End: 692e3068ef10e34aa9eba0a265de5f1c67aac0ce (20200525081047)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=fb341901c6f7493c5cc8e1bc83eeb4922fb86510&tochange=692e3068ef10e34aa9eba0a265de5f1c67aac0ce
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a40b3c017a19
Fix a bogus assert in MDefinition::maybeMostRecentDefUse. r=iain
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200624093107-e858eb7ffeba. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Has Regression Range: --- → yes