Closed Bug 1090237 Opened 10 years ago Closed 10 years ago

Assertion failure: script->hasBaselineScript(), at jit/BaselineBailouts.cpp:532 or Crash [@ js::jit::BaselineScript::icEntryFromPCOffset]

Categories

(Core :: JavaScript Engine: JIT, defect)

Platform: x86 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED DUPLICATE of bug 1087948
Tracking Status
firefox36 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision a255a234946e (run with --fuzzing-safe --no-threads --ion-eager):

gczeal(14, 1);
function g() {}
function f() {
    for (var i = 0; i < 2; i++) {
        var o = { a: g() };
    }
}
f();
Crash trace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::BaselineScript::icEntryFromPCOffset (this=0x0, pcOffset=17) at js/src/jit/BaselineJIT.cpp:506
506         size_t top = numICEntries();
#0  js::jit::BaselineScript::icEntryFromPCOffset (this=0x0, pcOffset=17) at js/src/jit/BaselineJIT.cpp:506
#1  0x00000000005ab87f in InitFromBailout (poppedLastSPSFrameOut=0x7fffffffc2df, excInfo=<optimized out>, callPC=<synthetic pointer>, nextCallee=..., startFrameFormals=..., builder=..., iter=..., ionScript=<optimized out>, script=..., fun=..., callerPC=<optimized out>, caller=..., cx=0x16b1ca0, invalidate=<optimized out>) at js/src/jit/BaselineBailouts.cpp:935
#2  js::jit::BailoutIonToBaseline (cx=0x16b1ca0, activation=<optimized out>, iter=..., invalidate=<optimized out>, bailoutInfo=0x7fffffffc4b0, excInfo=0x0, poppedLastSPSFrameOut=0x7fffffffc2df) at js/src/jit/BaselineBailouts.cpp:1453
#3  0x000000000051ec6f in js::jit::InvalidationBailout (sp=0x7fffffffc4c0, frameSizeOut=0x7fffffffc4b8, bailoutInfo=0x7fffffffc4b0) at js/src/jit/Bailouts.cpp:123
#4  0x00007ffff7f754a7 in ?? ()
rdi     0x0     0
=> 0x58c194 <js::jit::BaselineScript::icEntryFromPCOffset(unsigned int)+4>:     mov    0x60(%rdi),%r9d

Looks like a null-deref, but the test involves gczeal, therefore marking s-s until triaged.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7f49fd6cc976
user:        Nicolas B. Pierron
date:        Wed Oct 22 18:37:35 2014 +0200
summary:     Bug 1083866 - No longer suppress GC for the evaluation of recover instructions. r=jandem

This iteration took 556.721 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 53d84829b2b8).
Needinfo from nbp based on comment 3.
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f9fd1dde27c5
user:        Nicolas B. Pierron
date:        Tue Oct 28 16:33:35 2014 +0100
summary:     Bug 1087948 - Mark Baseline code of bailout frames as being active. r=jonco

This iteration took 559.495 seconds to run.
Yes, this issue is fixed by Bug 1087948, and we have a test case in the test suite which is testing this issue as well ;)
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release