Closed Bug 1669913 Opened 4 years ago Closed 4 years ago

Assertion failure: hasJitScript(), at vm/JSScript.h:1818 with rateMyCacheIR

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
83 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox82 --- unaffected
firefox83 --- verified

People

(Reporter: decoder, Assigned: caroline)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

Testcase
43 bytes, text/plain
Details
Bug 1669913 - Use maybeJitScript() to check for a JitScript to avoid failure in cases where a JitScript is not present. r?iain
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20201007-7e9a6ef4ba02 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

var g1 = newGlobal();
g1.rateMyCacheIR("");

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557a26dfe in js::jit::CacheIRHealth::rateMyCacheIR(JSContext*, JS::Handle<JSScript*>) ()
#1  0x0000555556ba514e in RateMyCacheIR(JSContext*, unsigned int, JS::Value*) ()
#2  0x0000555556d0c1d2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#13 0x0000555556b86ed4 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#14 0x0000555556b7f58d in main ()
rax	0x5555559443f1	93824996361201
rbx	0x7fffffffb820	140737488336928
rcx	0x555558543310	93825042494224
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb7f0	140737488336880
rsp	0x7fffffffb7a0	140737488336800
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99e00	140737353719296
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x3	3
r13	0x7fffffffb830	140737488336944
r14	0x7ffff5a710a8	140737314754728
r15	0xaaaa00a800000001	-6149101619666485247
rip	0x555557a26dfe <js::jit::CacheIRHealth::rateMyCacheIR(JSContext*, JS::Handle<JSScript*>)+766>
=> 0x555557a26dfe <_ZN2js3jit13CacheIRHealth13rateMyCacheIREP9JSContextN2JS6HandleIP8JSScriptEE+766>:	movl   $0x71a,0x0
   0x555557a26e09 <_ZN2js3jit13CacheIRHealth13rateMyCacheIREP9JSContextN2JS6HandleIP8JSScriptEE+777>:	callq  0x555556c0e3e2 <abort>

Probably shell-only.

Attached file Testcase 

    
    

    
  
Caroline, can you have a look at this issue?


Flags: needinfo?(ccullen)
Severity: -- → S4
Priority: -- → P3

    
    

    
  
Bugmon Analysis:

Verified bug as reproducible on mozilla-central 20201008094950-e88890094825.

The bug appears to have been introduced in the following build range:




Start: a2631cd8a7f4784e7defc5762901ba483150f03f (20201006002718)

End: 543509e7d886b5aae1de4e5b092a9fd8c4f29cf1 (20201006002748)

Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a2631cd8a7f4784e7defc5762901ba483150f03f&tochange=543509e7d886b5aae1de4e5b092a9fd8c4f29cf1




Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

    
    

    
  
Yes, I was able to reproduce. It is failing on the check for a JitScript, this is because I should be using maybeJitScript().


Flags: needinfo?(ccullen)
Assignee: nobody → ccullen
Status: NEW → ASSIGNED

    
    

    
  
Pushed by ccullen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fc3e86aa0da0
Use maybeJitScript() to check for a JitScript to avoid failure in cases where a JitScript is not present. r=iain

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/fc3e86aa0da0


Status: ASSIGNED → RESOLVED
Closed: 4 years ago

          status-firefox83:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch

    
    

    
  
Bugmon Analysis:

Verified bug as fixed on rev mozilla-central 20201009153554-1581160e62e6.

Removing bugmon keyword as no further action possible.

Please review the bug and re-add the keyword for further analysis.


Status: RESOLVED → VERIFIED

          status-firefox83:
          fixedverified
Keywords: bugmon

    
  
Has Regression Range: --- → yes

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: