Closed Bug 1661530 Opened 4 years ago Closed 4 years ago

[warp] Assertion failure: data->callFlags.getArgFormat() == CallFlags::FunCall, at jit/TrialInlining.cpp:301

Tracking

()

Status:

VERIFIED FIXED

Milestone:

82 Branch

Tracking Flags:

Tracking

Status

firefox-esr68

---

unaffected

firefox-esr78

---

unaffected

firefox79

---

unaffected

firefox80

---

unaffected

firefox81

---

unaffected

firefox82

---

fixed

People

(Reporter: decoder, Assigned: iain)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

Testcase 4 years ago Christian Holler (:decoder) (deleted), text/plain		Details
Bug 1661530: Attach FunApply and FunCall before scripted calls r=jandem 4 years ago Iain Ireland [:iain] (deleted), text/x-phabricator-request		Details

Christian Holler (:decoder)

Reporter

Description

•

4 years ago

The following testcase crashes on mozilla-central revision 20200826-61ed3192760a (debug build, run with --fuzzing-safe --ion-offthread-compile=off --warp):

Function.prototype.call = function() {};
function f10() {
    g20(arguments, 1);
}
function g20(a20, b44) {
    var s42 = Array.prototype.slice.call(a20, b44);
}
for (var i25 = 0; i25 < 1000; ++i25)
    f10(1, 2, 3, 4);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::jit::TrialInliner::maybeInlineCall (this=0x7fffffffb510, entry=..., loc=...) at js/src/jit/TrialInlining.cpp:300
#1  0x00005555577e35c5 in js::jit::TrialInliner::tryInlining (this=0x7fffffffb510) at js/src/jit/TrialInlining.cpp:336
#2  0x00005555577e330a in js::jit::DoTrialInlining (cx=0x7ffff6027000, frame=0x7fffffffb5d0) at js/src/jit/TrialInlining.cpp:51
#3  0x00003d216db758e5 in ?? ()
[...]
#53 0x0000000000000000 in ?? ()
rax	0x555555876faa	93824995520426
rbx	0x7ffff60fe160	140737321623904
rcx	0x555558520aa8	93825042352808
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb490	140737488336016
rsp	0x7fffffffb280	140737488335488
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f9de00	140737353735680
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x1	1
r13	0x2b8f3129f100	47894005149952
r14	0x7ffff6088400	140737321141248
r15	0x7ffff4a4879d	140737297811357
rip	0x5555577e4fe5 <js::jit::TrialInliner::maybeInlineCall(js::jit::ICEntry const&, js::BytecodeLocation)+949>
=> 0x5555577e4fe5 <js::jit::TrialInliner::maybeInlineCall(js::jit::ICEntry const&, js::BytecodeLocation)+949>:	movl   $0x12d,0x0
   0x5555577e4ff0 <js::jit::TrialInliner::maybeInlineCall(js::jit::ICEntry const&, js::BytecodeLocation)+960>:	callq  0x555556bd985e <abort()>

Christian Holler (:decoder)

Reporter

Comment 1

•

4 years ago

Attached file Testcase (deleted) — Details

Nicolas B. Pierron [:nbp]

Updated

•

4 years ago

Blocks: WarpBuilder

Severity: -- → S4

Priority: -- → P2

Iain Ireland [:iain]

Assignee

Comment 2

•

4 years ago

I ran into this problem locally and already have a patch to fix it.

Assignee: nobody → iireland

Iain Ireland [:iain]

Assignee

Comment 3

•

4 years ago

Attached file Bug 1661530: Attach FunApply and FunCall before scripted calls r=jandem (deleted) — Details

Despite looking directly at this code while adding the assertion in bug 1660553, I somehow missed that scripted calls were being attached too early. It's not a problem for Ion, because we only inline FunCall/FunApply if we're calling the jsnative, but it matters for Warp.

Jason Kratzer [:jkratzer]

Updated

•

4 years ago

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Jason Kratzer [:jkratzer]

Comment 4

•

4 years ago

Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200827212940-109f3a4de567. The bug appears to have been introduced in the following build range: > Start: 26c5be98ea21c8c331cefe9649e3eb53197cd821 (20200825173421) > End: 6ada5dbc83d1c4a51724a67642fe41fbc52d2561 (20200825174133) > Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=26c5be98ea21c8c331cefe9649e3eb53197cd821&tochange=6ada5dbc83d1c4a51724a67642fe41fbc52d2561

Pulsebot

Comment 5

•

4 years ago

Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3d4cde896b06 Attach FunApply and FunCall before scripted calls r=jandem

Cosmin Sabou [:CosminS]

Comment 6

•

4 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/3d4cde896b06

Status: NEW → RESOLVED

Closed: 4 years ago

Resolution: --- → FIXED

Target Milestone: --- → 82 Branch

Jason Kratzer [:jkratzer]

Updated

•

4 years ago

Status: RESOLVED → VERIFIED

Keywords: bugmon

Jason Kratzer [:jkratzer]

Comment 7

•

4 years ago

Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200829091226-fdf95334aded. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Ryan VanderMeulen [:RyanVM]

Updated

•

4 years ago

status-firefox79: --- → unaffected

status-firefox80: --- → unaffected

status-firefox81: --- → unaffected

status-firefox82: disabled → fixed

status-firefox-esr68: --- → unaffected

status-firefox-esr78: --- → unaffected

Flags: in-testsuite+

Regressed by: 1660553

BMO Automation

Updated

•

4 years ago

Has Regression Range: --- → yes

You need to log in before you can comment on or make changes to this bug.

Bugzilla

[warp] Assertion failure: data->callFlags.getArgFormat() == CallFlags::FunCall, at jit/TrialInlining.cpp:301

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

Tracking

()

People

(Reporter: decoder, Assigned: iain)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Updated

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Comment 6

Updated

Comment 7

Updated

Updated

Attachment

General

Description

File Name

Content Type