Crash [@ js::jit::SnapshotIterator::allocationValue] or Hit MOZ_CRASH(Unexpected type) at jit/JitFrames.cpp:1612 with BigInt

RESOLVED FIXED in Firefox 67

Status


defect
--
critical
RESOLVED FIXED
5 months ago
5 months ago

People

(Reporter: decoder, Assigned: wingo)

Tracking

(Blocks 1 bug, 5 keywords)

Trunk
mozilla67
x86_64
Linux
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox65 unaffected, firefox66 unaffected, firefox67 fixed)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(1 attachment)

The following testcase crashes on mozilla-central revision 22ca3a5f976f (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --ion-eager):

const zero = BigInt(0);
[zero].includes(zero);

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::jit::SnapshotIterator::allocationValue (this=this@entry=0x7fffffffba70, alloc=..., rm=rm@entry=js::jit::SnapshotIterator::RM_Normal) at js/src/jit/JitFrames.cpp:1612
#0  js::jit::SnapshotIterator::allocationValue (this=this@entry=0x7fffffffba70, alloc=..., rm=rm@entry=js::jit::SnapshotIterator::RM_Normal) at js/src/jit/JitFrames.cpp:1612
#1  0x0000555555fa0a4a in js::jit::SnapshotIterator::read (this=this@entry=0x7fffffffba70) at js/src/jit/JSJitFrameIter.h:523
#2  0x000055555616df14 in InitFromBailout (invalidate=<optimized out>, excInfo=<optimized out>, nextCallee=..., startFrameFormals=..., builder=..., iter=..., script=..., fun=..., frameNo=0, cx=0x7ffff5f16000) at js/src/jit/BaselineBailouts.cpp:874
#3  js::jit::BailoutIonToBaseline (cx=cx@entry=0x7ffff5f16000, activation=0x7fffffffc0e0, iter=..., invalidate=invalidate@entry=true, bailoutInfo=bailoutInfo@entry=0x7fffffffbdf0, excInfo=excInfo@entry=0x0) at js/src/jit/BaselineBailouts.cpp:1794
#4  0x000055555617092e in js::jit::InvalidationBailout (sp=<optimized out>, frameSizeOut=0x7fffffffbdf8, bailoutInfo=0x7fffffffbdf0) at js/src/jit/Bailouts.cpp:134
#5  0x00002785e2c152ad in ?? ()
#6  0x00007fffffffbe30 in ?? ()
#7  0x00007fffffffbdf0 in ?? ()
#8  0x0000000000000000 in ?? ()
rip	0x555555f18681 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+769>
=> 0x555555f18681 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+769>:	movl   $0x0,0x0
   0x555555f1868c <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+780>:	ud2

Not s-s as BigInt is still off by default and this looks like a safe crash.

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/4b74d76e55a8
user:        Andy Wingo
date:        Wed Feb 06 13:41:56 2019 +0000
summary:     Bug 1522436 - Enable BigInt compilation by default r=jandem,terpri,froydnj

This iteration took 545.159 seconds to run.
Blocks: 1522436
Flags: needinfo?(wingo)
Assignee: nobody → wingo
Flags: needinfo?(wingo)
Keywords: checkin-needed

Pushed by archaeopteryx@coole-files.de:
https://hg.mozilla.org/integration/autoland/rev/e803c3338809
Add support for reading BigInt values from bailout snapshots r=jandem

Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67