Crash [@ JS::Value::isMagic] or Assertion failure: s_.payload_.why_ == why, at dist/include/js/Value.h:669
Categories: Core :: JavaScript Engine: JIT, defect, P1

Tracking | Status
---|---
firefox-esr60 | unaffected
firefox-esr68 | unaffected
firefox68 | unaffected
firefox69 | unaffected
firefox70 | fixed

People: Reporter: decoder, Assigned: jandem
References: Regression
Details: 5 keywords, Whiteboard: [jsbugmon:update]
Attachments: 1 file
The following testcase crashes on mozilla-central revision b94a6b06c9b9 (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
```js
evaluate(`
// Counting down keeps the loop alive; every iteration forces an Ion bailout.
for (var i69=0; i69<60; i69-- ) {
Array(Math, {});
bailout();
}
`);
```
Backtrace:
```text
received signal SIGSEGV, Segmentation fault.
JS::Value::isMagic (why=JS_UNINITIALIZED_LEXICAL, this=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/opt/dist/include/js/Value.h:669
#0 JS::Value::isMagic (why=JS_UNINITIALIZED_LEXICAL, this=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/opt/dist/include/js/Value.h:669
#1 js::WrappedPtrOperations<JS::Value, JS::Handle<JS::Value> >::isMagic (why=JS_UNINITIALIZED_LEXICAL, this=<synthetic pointer>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/instrumentation/none/type/opt/dist/include/js/Value.h:1186
#2 js::jit::ICTypeMonitor_Fallback::addMonitorStubForValue (this=<optimized out>, cx=cx@entry=0x7ffff5f22000, frame=frame@entry=0x7fffffffbc80, types=<optimized out>, val=val@entry=...) at js/src/jit/BaselineIC.cpp:1315
#3 0x0000555555e3008a in js::jit::ICMonitoredFallbackStub::addMonitorStubForValue (val=..., types=<optimized out>, frame=0x7fffffffbc80, cx=0x7ffff5f22000, this=0x7ffff4cd4290) at js/src/jit/BaselineIC.cpp:1092
#4 js::jit::TypeMonitorResult (cx=cx@entry=0x7ffff5f22000, stub=0x7ffff4cd4290, frame=frame@entry=0x7fffffffbc80, script=script@entry=..., pc=pc@entry=0x7ffff4dfba1e "R\002", val=val@entry=...) at js/src/jit/BaselineIC.cpp:1102
#5 0x000055555621e598 in js::jit::FinishBailoutToBaseline (bailoutInfoArg=0x0) at js/src/jit/BaselineBailouts.cpp:1887
#6 0x00002b3407de00af in ?? ()
[...]
#19 0x0000000000000000 in ?? ()
```
```text
rip 0x555555e2f6d0 <js::jit::ICTypeMonitor_Fallback::addMonitorStubForValue(JSContext*, js::jit::BaselineFrame*, js::StackTypeSet*, JS::Handle<JS::Value>)+1504>
=> 0x555555e2f6d0 <js::jit::ICTypeMonitor_Fallback::addMonitorStubForValue(JSContext*, js::jit::BaselineFrame*, js::StackTypeSet*, JS::Handle<JS::Value>)+1504>: movl $0x0,0x0
0x555555e2f6db <js::jit::ICTypeMonitor_Fallback::addMonitorStubForValue(JSContext*, js::jit::BaselineFrame*, js::StackTypeSet*, JS::Handle<JS::Value>)+1515>: ud2
```
This could be the same as bug 1570926 (because it is related to bailouts) but the signatures are very different so filing to make sure we don't miss a bug here.
Comment 1 (Reporter, 5 years ago):

Jan, can you check if this is a dup? Thanks!
Comment 2 (Assignee, 5 years ago):
We did a bailout from Ion with a MagicValue(JS_OPTIMIZED_OUT) on top of the stack, then passed that value to TypeMonitorResult and asserted in addMonitorStubForValue because we expected a different kind of magic value.

This patch moves MagicValue handling into TypeMonitorMagicValue and calls it from both places so we have consistent behavior.
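To make the failure mode in comment 2 concrete, here is an added illustration that is not SpiderMonkey code: a toy tagged value whose `isMagic(why)` carries the same kind check as the assertion in the report (`payload.why_ == why`), a pre-fix monitor path that only anticipates JS_UNINITIALIZED_LEXICAL, and a consolidated helper in the spirit of TypeMonitorMagicValue that classifies any magic value before acting on it. Everything except the two magic kind names and TypeMonitorMagicValue is hypothetical, and the enum values are placeholders.

```cpp
#include <cassert>
#include <cstdint>
#include <stdexcept>
// Magic kinds named in the report; the numeric values are placeholders.
enum JSWhyMagic : uint32_t { JS_OPTIMIZED_OUT = 1, JS_UNINITIALIZED_LEXICAL = 2 };

struct Value {
  enum Tag : uint8_t { Int32, Magic } tag;
  uint32_t payload;
  static Value int32(int32_t i) { return {Int32, static_cast<uint32_t>(i)}; }
  static Value magic(JSWhyMagic why) { return {Magic, static_cast<uint32_t>(why)}; }
  bool isMagic() const { return tag == Magic; }
  JSWhyMagic whyMagic() const { assert(isMagic()); return JSWhyMagic(payload); }
  // Kind-specific query: only valid when the stored magic kind matches, just
  // like the engine's "payload.why_ == why" check. The engine aborts here (the
  // ud2 in the report); this toy throws so the misuse is observable in a test.
  bool isMagic(JSWhyMagic why) const {
    if (!isMagic()) return false;
    if (payload != static_cast<uint32_t>(why)) throw std::logic_error("wrong magic kind");
    return true;
  }
};

enum MonitorResult { Monitored, SkippedUninitLexical, SkippedOptimizedOut };

// Pre-fix shape (hypothetical): the path asks only about one kind, so a
// JS_OPTIMIZED_OUT value left on the stack by an Ion bailout trips the check.
MonitorResult monitorBeforeFix(const Value& v) {
  if (v.isMagic(JS_UNINITIALIZED_LEXICAL)) return SkippedUninitLexical;
  return Monitored;
}

// Consolidated shape from comment 2: classify any magic value first, then
// dispatch on its kind, so every caller handles the same set of cases.
bool typeMonitorMagicValue(const Value& v, MonitorResult* out) {
  if (!v.isMagic()) return false;
  switch (v.whyMagic()) {
    case JS_UNINITIALIZED_LEXICAL: *out = SkippedUninitLexical; return true;
    case JS_OPTIMIZED_OUT: *out = SkippedOptimizedOut; return true;
  }
  return false;
}
MonitorResult monitorAfterFix(const Value& v) {
  MonitorResult r = Monitored;
  return typeMonitorMagicValue(v, &r) ? r : Monitored;
}
// True when the pre-fix path rejects a JS_OPTIMIZED_OUT value (the reported crash).
bool beforeFixTrapsOnOptimizedOut() {
  try { monitorBeforeFix(Value::magic(JS_OPTIMIZED_OUT)); }
  catch (const std::logic_error&) { return true; }
  return false;
}
```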
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/58ea17fc315e
user: Jan de Mooij
date: Tue Jul 30 12:08:48 2019 +0000
summary: Bug 1567438 part 1 - Replace the enter-monitor-chain bailout code with type monitoring in C++. r=tcampbell,iain
Guessing bug 1567438 is the regressor here.
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bde81f964234 Add TypeMonitorMagicValue and use it in DoTypeMonitorFallback and TypeMonitorResult. r=iain
Comment 8 (JSBugMon, 5 years ago):

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/58ea17fc315e
user: Jan de Mooij
date: Tue Jul 30 12:08:48 2019 +0000
summary: Bug 1567438 part 1 - Replace the enter-monitor-chain bailout code with type monitoring in C++. r=tcampbell,iain
This iteration took 399.181 seconds to run.