Closed Bug 1661894 Opened 4 years ago Closed 4 years ago

Assertion failure: numBytecodeTypeSets == JSScript::MaxBytecodeTypeSets, at jit/JitScript-inl.h:70 or Crash [@ js::ConstraintTypeSet::addType] or various other crashes

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
82 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox80 --- unaffected
firefox81 --- unaffected
firefox82 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200828-56166cae2e26 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --blinterp-eager --no-ti):

setJitCompilerOption("warp.enable", 0);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::jit::JitScript::BytecodeTypes<js::StackTypeSet> (script=<optimized out>, pc=<optimized out>, bytecodeMap=<optimized out>, hint=<optimized out>, typeArray=<optimized out>) at js/src/jit/JitScript-inl.h:70
#1  0x0000555557714a69 in js::jit::TypeMonitorResult (cx=<optimized out>, stub=stub@entry=0x7ffff4ded060, frame=frame@entry=0x7fffffffbc80, script=script@entry=..., pc=pc@entry=0x7ffff6094eb1 "y\002", val=...) at js/src/jit/BaselineIC.cpp:915
#2  0x000055555772550e in js::jit::DoCallFallback (cx=0x7ffff7104540 <_IO_2_1_stderr_>, frame=0x7fffffffbc80, stub=<optimized out>, argc=2, vp=0x7fffffffbc20, res=...) at js/src/jit/BaselineIC.cpp:3025
#3  0x0000166658c80083 in ?? ()
[...]
#30 0x0000000000000000 in ?? ()
rip	0x5555571a7cf3 <js::jit::JitScript::BytecodeTypes<js::StackTypeSet>(JSScript*, unsigned char*, unsigned int*, unsigned int*, js::StackTypeSet*)+243>
=> 0x5555571a7cf3 <js::jit::JitScript::BytecodeTypes<js::StackTypeSet>(JSScript*, unsigned char*, unsigned int*, unsigned int*, js::StackTypeSet*)+243>:	movl   $0x46,0x0
   0x5555571a7cfe <js::jit::JitScript::BytecodeTypes<js::StackTypeSet>(JSScript*, unsigned char*, unsigned int*, unsigned int*, js::StackTypeSet*)+254>:	callq  0x555556bde6ce <abort()>

This is a highly frequent fuzzblocker that crashes regular JS fuzzing in all sorts of ways. I will try to temporarily mitigate this by removing --no-ti from tested options, as it seems to be required in all cases.

Attached file Testcase

Oops, sorry about that. I think we should remove the --no-ti flag because it's implied by --warp and not that useful anymore (--warp --no-ion should be equivalent), so as long as we test --warp still, dropping --no-ti from fuzzing should be fine.

Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200829091226-fdf95334aded. The bug appears to have been introduced in the following build range:
> Start: ec21a1e3f01d45a03acd4a47390bcab837e81d38 (20200828085539)
> End: 4eca03d6b0b1a9b6881d80ed80765699f1916e34 (20200828085652)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ec21a1e3f01d45a03acd4a47390bcab837e81d38&tochange=4eca03d6b0b1a9b6881d80ed80765699f1916e34

This was useful before Warp existed, but now --warp is the configuration we want to test; it also disables TI.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Severity: -- → S4
Priority: -- → P2
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
Bugmon Analysis: Bug appears to be fixed on mozilla-central 20200901151129-2766680ff190 but BugMon was unable to reproduce using mozilla-central 20200828153126-56166cae2e26.
Has Regression Range: --- → yes
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200901151129-2766680ff190. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.