Closed Bug 1686337 Opened 3 years ago Closed 3 years ago

Crash in [@ js::jit::FinishBailoutToBaseline]

Categories

(Core :: JavaScript Engine: JIT, defect)

Firefox 86
defect

Tracking

RESOLVED FIXED
86 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox84 --- unaffected
firefox85 --- unaffected
firefox86 --- fixed

People

(Reporter: aryx, Assigned: iain)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/dc0b342b-dd58-4936-83dd-9d7ce0210112

MOZ_CRASH Reason: MOZ_CRASH(The IonScript should already have been invalidated.)

Top 2 frames of crashing thread:

0 xul.dll js::jit::FinishBailoutToBaseline js/src/jit/BaselineBailouts.cpp:2115
1  @0x1aae76e10ab 
Flags: needinfo?(iireland)

Looking at the BailoutKind switch statement above this crash, the only possible case where we don't either update the BailoutAction or invalidate the IonScript is DuringVMCall when no exception is pending. I'm not sure how that happens, and the fuzzer hasn't turned anything up yet. I'll put up a patch to change the MOZ_CRASH to MOZ_ASSERT(false) to stop the Nightly crashes, and then hopefully we can figure out the underlying issue.

Flags: needinfo?(iireland)

This MOZ_CRASH is being hit in Nightly. The numbers are still small (8 crashes from 5 installs so far) but to be safe we can downgrade it to a debug assert for now.

The only case in FinishBailoutToBaseline where we don't either update the BailoutAction or invalidate the script is if we hit BailoutKind::DuringVMCall without an exception pending. I'm not sure how that happens, and we obviously don't have any test coverage for it. Maybe something involving interrupts?

Assignee: nobody → iireland
Status: NEW → ASSIGNED
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/796e4a2e798f
Downgrade MOZ_CRASH to MOZ_ASSERT r=jandem
Blocks: 1686515
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
Has Regression Range: --- → yes