Closed Bug 1568080 Opened 6 months ago Closed 6 months ago

Assertion failure: jit::IsBaselineJitEnabled(), at js/src/jit/Ion.cpp:2116

Categories

(Core :: JavaScript Engine, defect, P1, critical)

x86_64
Linux
defect

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision b8141448e0ba (build with --enable-debug, run with --fuzzing-safe --no-blinterp):

quit();

Backtrace:

#0  js::jit::Compile (cx=<optimized out>, script=..., osrFrame=<optimized out>, osrPc=0x0, forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2116
#1  0x000055e1db25c159 in js::jit::CanEnterIon (cx=0x7f1148d19000, state=...) at js/src/jit/Ion.cpp:2268
#2  0x000055e1db305f64 in js::jit::MaybeEnterJit (cx=0x7f1148d19000, state=...) at js/src/jit/Jit.cpp:156
#3  0x000055e1da650931 in js::RunScript (cx=0x7f1148d19000, state=...) at js/src/vm/Interpreter.cpp:410
#4  0x000055e1da666d70 in js::ExecuteKernel (cx=0x7f1148d19000, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=0x7fff161972b8) at js/src/vm/Interpreter.cpp:787
/snip

For detailed crash information, see attachment.

Setting [fuzzblocker] due to the simplicity of the testcase.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/56b33927fd49
user: Jan de Mooij
date: Sat Jul 20 08:56:36 2019 +0000
summary: Bug 1566332 part 4 - Make IsBaselineJitEnabled imply IsBaselineInterpreterEnabled. r=tcampbell

Jan, is bug 1566332 a likely regressor?

Flags: needinfo?(jdemooij)
Regressed by: 1566332

Also moves these functions to JitOptions.h because Ion.h cannot include BaselineJIT.h
due to include dependencies. Ion.h should be split up eventually but JitOptions.h isn't
unreasonable for now.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Priority: -- → P1
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/78a0b312e621
Fix IsIonEnabled to use IsBaselineJitEnabled instead of checking the JitOption directly. r=tcampbell
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70