Open
Bug 1666141
Opened 4 years ago
Updated 10 months ago
Assertion failure: makeWritable(), at jit/JitRealm.h:759
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox82 | --- | wontfix |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(1 file)
|
232 bytes,
text/plain
|
Details |
The following testcase crashes on mozilla-central revision 20200918-ab7d302fd318 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
function dummyAssertCallFunction(f) {
try {
f();
} catch (exc) {}
}
function testMemoryFailConstruct(initial) {
dummyAssertCallFunction(() => new WebAssembly.Memory({ initial }));
};
while(true) testMemoryFailConstruct(0);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 js::jit::AutoWritableJitCode::AutoWritableJitCode (this=0xffffa410, rt=0xf6e3a000, addr=0x38ef9ec0, size=4212) at js/src/jit/JitRealm.h:759
#1 0x58732b89 in js::jit::AutoWritableJitCode::AutoWritableJitCode (this=0xffffa410, code=0xf6878280) at js/src/jit/JitRealm.h:766
#2 0x58988777 in InvalidateActivation (fop=<optimized out>, activations=..., invalidateAll=false) at js/src/jit/Ion.cpp:2546
#3 0x58988d5c in js::jit::Invalidate (types=..., fop=0xf6e24098, invalid=..., resetUses=<optimized out>, cancelOffThread=<optimized out>) at js/src/jit/Ion.cpp:2641
#4 0x5898913b in js::jit::Invalidate (cx=0xf6e24000, invalid=..., resetUses=<optimized out>, cancelOffThread=<optimized out>) at js/src/jit/Ion.cpp:2680
#5 0x589899b5 in js::jit::Invalidate (cx=0xf6e24000, script=0xf68750b0, resetUses=<optimized out>, cancelOffThread=<optimized out>) at js/src/jit/Ion.cpp:2732
#6 0x5891f8e1 in js::jit::CodeGenerator::link (this=0xf66e1000, cx=0xf6e24000, constraints=0xf65d70f8, snapshot=0x0) at js/src/jit/CodeGenerator.cpp:11494
#7 0x58995293 in LinkCodeGen (cx=0xf6e24000, codegen=<optimized out>, script=..., constraints=0xf65d70f8, snapshot=0x0) at js/src/jit/Ion.cpp:336
#8 0x589983d0 in js::jit::IonCompile (cx=0xf6e24000, script=..., baselineFrame=0x0, baselineFrameSize=0, osrPc=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::OptimizationLevel::Full) at js/src/jit/Ion.cpp:1765
#9 0x58986f41 in js::jit::Compile (cx=<optimized out>, script=..., osrFrame=0x0, osrFrameSize=0, osrPc=0x0, forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:1973
#10 0x589881cb in js::jit::Recompile (cx=0xf6e24000, script=..., force=<optimized out>) at js/src/jit/Ion.cpp:2390
#11 0x5865c3ec in js::jit::RecompileImpl (cx=0xf6e24000, force=<optimized out>) at js/src/jit/VMFunctions.cpp:1260
#12 0x5865c5fe in js::jit::IonRecompile (cx=0xf6e24000) at js/src/jit/VMFunctions.cpp:1273
#13 0x38ebfb51 in ?? ()
Backtrace stopped: Cannot access memory at address 0xffffff87
eax 0x567147b9 1450264505
ebx 0x59356e6c 1496673900
ecx 0x59357cd4 1496677588
edx 0x0 0
esi 0xffffa410 -23536
edi 0xf6e3a000 -152854528
ebp 0xffffa388 4294943624
esp 0xffffa360 4294943584
eip 0x58732d22 <js::jit::AutoWritableJitCode::AutoWritableJitCode(JSRuntime*, void*, unsigned int)+242>
=> 0x58732d22 <js::jit::AutoWritableJitCode::AutoWritableJitCode(JSRuntime*, void*, unsigned int)+242>: movl $0x2f7,0x0
0x58732d2c <js::jit::AutoWritableJitCode::AutoWritableJitCode(JSRuntime*, void*, unsigned int)+252>: call 0x57ab403f <abort()>
|
Reporter | |
Comment 1•4 years ago
|
||
|
||
Comment 2•4 years ago
|
||
My blind guess would be that this look like a loop of recompilation check combined with an eager OSR on entry.
Thus causing an overflow of page mapping in the TLB, and causing it to run out of memory.
Severity: -- → S4
Flags: needinfo?(jdemooij)
Priority: -- → P2
|
||
Updated•4 years ago
|
|
||
Comment 3•4 years ago
|
||
Bugmon Analysis:
The bug appears to have been fixed in the following build range:
Start: ba35799faec2ed9da469c2a7ade75398d9daf688 (20201001094020)
End: d70d61772f1aaace64f3df54d01d4d2057eecd78 (20201002041047)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ba35799faec2ed9da469c2a7ade75398d9daf688&tochange=d70d61772f1aaace64f3df54d01d4d2057eecd78
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
|
||
Updated•10 months ago
|
Flags: needinfo?(jdemooij)
You need to log in
before you can comment on or make changes to this bug.
Description
•