Closed
Bug 1645818
Opened 5 years ago
Closed 5 years ago
Assertion failure: lastStub->isFallback(), at jit/BaselineIC.h:616 with shell-only rateMyCacheIR function
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
VERIFIED
FIXED
mozilla79
Branch | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox-esr78 | --- | unaffected
firefox77 | --- | unaffected
firefox78 | --- | unaffected
firefox79 | --- | verified
People
(Reporter: decoder, Assigned: caroline)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files, 1 obsolete file)
The following testcase crashes on mozilla-central revision 20200615-f05a0084c5f2 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):
for (let e of Object.values(newGlobal(() => { e++ })))
if (e.name in {}) continue;
rateMyCacheIR();
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00005555563ee7e0 in js::jit::ICEntry::fallbackStub() const ()
#0 0x00005555563ee7e0 in js::jit::ICEntry::fallbackStub() const ()
#1 0x00005555565a1138 in js::jit::CacheIRHealth::spewHealthForStubsInCacheIREntry(js::jit::ICEntry*) ()
#2 0x00005555565a13d5 in js::jit::CacheIRHealth::rateMyCacheIR(JS::Handle<JSScript*>) ()
#3 0x00005555557dff05 in RateMyCacheIR(JSContext*, unsigned int, JS::Value*) ()
#4 0x00005555559435c2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#18 0x0000000000000000 in ?? ()
rip 0x5555563ee7e0 <js::jit::ICEntry::fallbackStub() const+144>
=> 0x5555563ee7e0 <_ZNK2js3jit7ICEntry12fallbackStubEv+144>: movl $0x268,0x0
0x5555563ee7eb <_ZNK2js3jit7ICEntry12fallbackStubEv+155>: callq 0x555555849bee <abort>
This is likely shell-only.
Comment 1•5 years ago
Updated•5 years ago
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Comment 2•5 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200615163035-4fdcaa5d6ec3.
The bug appears to have been introduced in the following build range:
> Start: f156ef6b0f03d4c5762a740c3db927d814bfd6cc (20200612235618)
> End: a3226c9856a8fd2338bc878fd60b092d2e1a7b9a (20200612235731)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f156ef6b0f03d4c5762a740c3db927d814bfd6cc&tochange=a3226c9856a8fd2338bc878fd60b092d2e1a7b9a
Comment 3•5 years ago
(You may have to mark this helper as fuzzing unsafe, but worth looking at this first)
Flags: needinfo?(ccullen)
Comment 4•5 years ago
I see, I will mark as fuzzing unsafe and figure this issue out.
Flags: needinfo?(ccullen)
Updated•5 years ago
status-firefox77: --- → unaffected
status-firefox78: --- → unaffected
status-firefox-esr68: --- → unaffected
status-firefox-esr78: --- → unaffected
Regressed by: 1640284
Comment 5•5 years ago
Updated•5 years ago
Assignee: nobody → ccullen
Status: NEW → ASSIGNED
Comment 6•5 years ago
Depends on D80023
Updated•5 years ago
Attachment #9157346 - Attachment is obsolete: true
Comment 7•5 years ago
Decided not to mark as fuzzing unsafe since the fuzzer found a good bug!
Assignee: ccullen → nobody
Status: ASSIGNED → NEW
status-firefox77: unaffected → ---
status-firefox78: unaffected → ---
status-firefox-esr68: unaffected → ---
status-firefox-esr78: unaffected → ---
No longer regressed by: 1640284
Updated•5 years ago
status-firefox77: --- → unaffected
status-firefox78: --- → unaffected
status-firefox-esr68: --- → unaffected
status-firefox-esr78: --- → unaffected
Regressed by: 1640284
Updated•5 years ago
Has Regression Range: --- → yes
Pushed by ccullen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0962ac03e828
Add check for CacheIR or fallback before spewing health report. r=iain
Updated•5 years ago
Assignee: nobody → ccullen
Status: NEW → ASSIGNED
Comment 9•5 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Updated•5 years ago
Comment 10•5 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200618094105-f291dd9e075c.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.