Closed
Bug 1691102
Opened 5 years ago
Closed 5 years ago
Test crashes running self-test/assertRecoveredOnBailout-1.js under TSAN
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
87 Branch
| Tracking | Status | |
|---|---|---|
| firefox87 | --- | fixed |
People
(Reporter: jonco, Assigned: jonco)
Details
Attachments
(1 file)
I'm seeing a crash under TSAN when I run the tests locally:
~/clone/bug/js/src$ jit-test/jit_test.py opt-tsan-build/shell
[6168| 0| 0| 0] 74% ==============================> | 209.6s
ThreadSanitizer:DEADLYSIGNAL
==823715==ERROR: ThreadSanitizer: SEGV on unknown address 0x000000000000 (pc 0x559ea524baf0 bp 0x000000000010 sp 0x7ffc5585de90 T823715)
==823715==The signal is caused by a WRITE memory access.
==823715==Hint: address points to the zero page.
#0 js::jit::MAssertRecoveredOnBailout::writeRecoverData(js::jit::CompactBufferWriter&) const /home/jon/clone/bug/js/src/jit/Recover.cpp:1837:3 (js+0x226caf0)
#1 js::jit::RecoverWriter::writeInstruction(js::jit::MNode const*) /home/jon/clone/bug/js/src/jit/Snapshots.cpp:643:12 (js+0x1e3d3fa)
#2 encode /home/jon/clone/bug/js/src/jit/shared/CodeGenerator-shared.cpp:534:15 (js+0x1e92cc2)
#3 js::jit::CodeGeneratorShared::encode(js::jit::LSnapshot*) /home/jon/clone/bug/js/src/jit/shared/CodeGenerator-shared.cpp:548:3 (js+0x1e92cc2)
#4 visitEncodeSnapshot /home/jon/clone/bug/js/src/jit/CodeGenerator.cpp:6033:3 (js+0x206cde5)
#5 js::jit::CodeGenerator::generateBody() /home/jon/clone/bug/js/src/jit/CodeGenerator.cpp:6528:9 (js+0x206cde5)
#6 js::jit::CodeGenerator::generate() /home/jon/clone/bug/js/src/jit/CodeGenerator.cpp:11340:8 (js+0x20ae057)
#7 js::jit::GenerateCode(js::jit::MIRGenerator*, js::jit::LIRGraph*) /home/jon/clone/bug/js/src/jit/Ion.cpp:1557:17 (js+0x20e8743)
#8 js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) /home/jon/clone/bug/js/src/jit/Ion.cpp:1586:10 (js+0x20e885c)
#9 IonCompile /home/jon/clone/bug/js/src/jit/Ion.cpp:1743:38 (js+0x20ea07d)
#10 js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) /home/jon/clone/bug/js/src/jit/Ion.cpp:1929:24 (js+0x20ea07d)
#11 BaselineCanEnterAtEntry /home/jon/clone/bug/js/src/jit/Ion.cpp:2061:25 (js+0x20ea8ed)
#12 IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) /home/jon/clone/bug/js/src/jit/Ion.cpp:2185:12 (js+0x20ea8ed)
#13 js::jit::IonCompileScriptForBaselineAtEntry(JSContext*, js::jit::BaselineFrame*) /home/jon/clone/bug/js/src/jit/Ion.cpp:2212:10 (js+0x20ea4f6)
#14 <null> <null> (0x7f53958a1ac9)
ThreadSanitizer can not provide additional info.
SUMMARY: ThreadSanitizer: SEGV /home/jon/clone/bug/js/src/jit/Recover.cpp:1837:3 in js::jit::MAssertRecoveredOnBailout::writeRecoverData(js::jit::CompactBufferWriter&) const
==823715==ABORTING
Exit code: -6
FAIL - self-test/assertRecoveredOnBailout-1.js
After doing a little digging, it seems like the test is meant to crash, but TSAN doesn't know this. Maybe we could skip this if running under TSAN.
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → jcoppeard
|
|
Assignee | |
Comment 1•5 years ago
|
||
Assuming I'm right that this is supposed to crash, we should just skip running it under TSAN.
|
||
Updated•5 years ago
|
Severity: -- → S4
Priority: -- → P1
|
|
||
Updated•5 years ago
|
Status: NEW → ASSIGNED
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/116cfc28ed98
Skip running self-test/assertRecoveredOnBailout-1.js test under TSAN r=nbp
|
||
Comment 3•5 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox87:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
You need to log in
before you can comment on or make changes to this bug.
Description
•