Crash in [@ js::jit::FinishBailoutToBaseline]
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
Version | Tracking | Status |
---|---|---|
firefox-esr78 | --- | unaffected |
firefox84 | --- | unaffected |
firefox85 | --- | unaffected |
firefox86 | --- | fixed |
People
(Reporter: aryx, Assigned: iain)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression)
Attachments
(1 file)
Crash report: https://crash-stats.mozilla.org/report/index/dc0b342b-dd58-4936-83dd-9d7ce0210112
MOZ_CRASH Reason: MOZ_CRASH(The IonScript should already have been invalidated.)
Top 2 frames of crashing thread:
0 xul.dll js::jit::FinishBailoutToBaseline js/src/jit/BaselineBailouts.cpp:2115
1 @0x1aae76e10ab
Comment 1 (Assignee) • 3 years ago
Looking at the BailoutKind switch statement above this crash, the only possible case where we don't either update the BailoutAction or invalidate the IonScript is DuringVMCall when no exception is pending. I'm not sure how that happens, and the fuzzer hasn't turned anything up yet. I'll put up a patch to change the MOZ_CRASH to MOZ_ASSERT(false) to stop the Nightly crashes, and then hopefully we can figure out the underlying issue.
Comment 2 (Assignee) • 3 years ago
This MOZ_CRASH is being hit in Nightly. The numbers are still small (8 crashes from 5 installs so far) but to be safe we can downgrade it to a debug assert for now.
The only case in FinishBailoutToBaseline where we don't either update the BailoutAction or invalidate the script is if we hit BailoutKind::DuringVMCall without an exception pending. I'm not sure how that happens, and we obviously don't have any test coverage for it. Maybe something involving interrupts?
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/796e4a2e798f Downgrade MOZ_CRASH to MOZ_ASSERT r=jandem