1666070 - Assertion failure: cx->realm()->jitRealm(), at jit/BaselineIC.cpp:193 or Crash [@ js::jit::AttachBaselineCacheIRStub]

Status: VERIFIED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20200918-ab7d302fd318 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager --fast-warmup --warp):

var blacklist = { 'quit': true, 'readline': true, 'nukeAllCCWs': true, 'help': true, 'dis': true };
x = Object.values(newGlobal())
for (let e88 of x) {
    if (e88.name in blacklist) continue;
    try {
        e88();
    } catch (r53) {}
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::jit::ICScript::initICEntries (this=0x7ffff6051000, cx=0x7ffff6027000, script=<optimized out>) at js/src/jit/BaselineIC.cpp:193
#1  0x00005555577c03f7 in js::jit::TrialInliner::createInlinedICScript (this=this@entry=0x7fffffffb700, target=<optimized out>, loc=...) at js/src/jit/TrialInlining.cpp:323
#2  0x00005555577c0949 in js::jit::TrialInliner::maybeInlineCall (this=<optimized out>, this@entry=0x7fffffffb700, entry=..., loc=...) at js/src/jit/TrialInlining.cpp:369
#3  0x00005555577bede1 in js::jit::TrialInliner::tryInlining (this=this@entry=0x7fffffffb700) at js/src/jit/TrialInlining.cpp:405
#4  0x00005555577beb2a in js::jit::DoTrialInlining (cx=cx@entry=0x7ffff6027000, frame=frame@entry=0x7fffffffbca0) at js/src/jit/TrialInlining.cpp:54
#5  0x0000555557277801 in TrialInline (cx=0x7ffff6027000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:527
#6  0x00001d124575629a in ?? ()
#7  0x0000000000000000 in ?? ()
rax	0x555555901f3b	93824996089659
rbx	0x7ffff6051000	140737320914944
rcx	0x5555584f8838	93825042188344
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb3d0	140737488335824
rsp	0x7fffffffb320	140737488335648
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99e00	140737353719296
r10	0x0	0
r11	0x0	0
r12	0x430	1072
r13	0x81fbf704e0309ca3	-9080392623349261149
r14	0x7fffffffb700	140737488336640
r15	0x379ca23a00b0	61145876136112
rip	0x55555772e5bd <js::jit::ICScript::initICEntries(JSContext*, JSScript*)+5021>
=> 0x55555772e5bd <js::jit::ICScript::initICEntries(JSContext*, JSScript*)+5021>:	movl   $0xc1,0x0
   0x55555772e5c8 <js::jit::ICScript::initICEntries(JSContext*, JSScript*)+5032>:	callq  0x555556bf1e12 <abort()>

This is likely a shell-only issue with the recently added trialInline testing function.

Comment 1

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 2

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200919093453-bf7094ba8ae6.
The bug appears to have been introduced in the following build range:

Start: 206a04ae2fa7fcd8db9f903b7d654edf033ea1fb (20200918134248)
End: 653d91b24508b338a17a3dc165287d42914eee75 (20200918134353)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=206a04ae2fa7fcd8db9f903b7d654edf033ea1fb&tochange=653d91b24508b338a17a3dc165287d42914eee75

Comment 3

[Jan de Mooij [:jandem]]

Attachment: Bug 1666070 - Fix trialInline testing function to ignore cross-realm scripts. r?iain!

Comment 4

[Pulsebot]

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b2656b6122e4
Fix trialInline testing function to ignore cross-realm scripts. r=iain

Comment 5

[Atila Butkovits]

https://hg.mozilla.org/mozilla-central/rev/b2656b6122e4

Comment 6

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200923095909-7927a1705247.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.