Closed Bug 1765028 Opened 2 years ago Closed 2 years ago

Assertion failure: stubFields_.empty(), at jit/CacheIRWriter.h:343

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
101 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox99 --- unaffected
firefox100 --- unaffected
firefox101 --- verified

People

(Reporter: decoder, Assigned: anba)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20220415-86271ddb1099 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --blinterp-eager):

// gczeal(mode, frequency): enable the debug GC so that a collection is forced
// from an allocation (see runDebugGC <- checkAllocatorState in the backtrace)
gczeal(6, 1);
var a = [];
// Reaching the Array constructor through Function.prototype.call takes the
// fun_call IC path (tryAttachFunCall -> tryAttachArrayConstructor), whose
// array allocation can GC after the callee guard has already written a stub field
Array.call(a);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557701df9 in js::jit::CacheIRWriter::trace(JSTracer*) ()
#1  0x00005555575dbc22 in JS::RootingContext::traceAllGCRooters(JSTracer*) ()
#2  0x00005555575dc114 in js::gc::GCRuntime::traceRuntimeCommon(JSTracer*, js::gc::GCRuntime::TraceOrMarkRuntime) ()
#3  0x00005555575dc7ff in js::gc::GCRuntime::traceRuntimeForMinorGC(JSTracer*, js::gc::AutoGCSession&) ()
#4  0x00005555575b95cd in js::Nursery::traceRoots(js::gc::AutoGCSession&, js::TenuringTracer&) ()
#5  0x00005555575b764e in js::Nursery::doCollection(JS::GCReason) ()
#6  0x00005555575b6c09 in js::Nursery::collect(JS::GCOptions, JS::GCReason) ()
#7  0x0000555557562337 in js::gc::GCRuntime::collectNursery(JS::GCOptions, JS::GCReason, js::gcstats::PhaseKind) ()
#8  0x0000555557561186 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) ()
#9  0x0000555557564e58 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) ()
#10 0x00005555575660a6 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) ()
#11 0x00005555575694c9 in js::gc::GCRuntime::runDebugGC() ()
#12 0x00005555575322a7 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) ()
#13 0x00005555575320b9 in JSObject* js::AllocateObject<(js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap, JSClass const*, js::gc::AllocSite*) ()
#14 0x0000555556d2629b in js::ArrayObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, unsigned int, unsigned int, js::AutoSetNewObjectMetadata&, js::gc::AllocSite*) ()
#15 0x0000555556d52fea in js::ArrayObject* NewArrayWithShape<4294967295u>(JSContext*, JS::Handle<js::Shape*>, unsigned int, js::NewObjectKind, js::gc::AllocSite*) ()
#16 0x0000555556d252a4 in js::NewDenseFullyAllocatedArray(JSContext*, unsigned int, js::NewObjectKind, js::gc::AllocSite*) ()
#17 0x000055555795f7de in js::jit::InlinableNativeIRGenerator::tryAttachArrayConstructor() ()
#18 0x000055555795af29 in js::jit::InlinableNativeIRGenerator::tryAttachStub() ()
#19 0x000055555795a827 in js::jit::CallIRGenerator::tryAttachFunCall(JS::Handle<JSFunction*>) ()
#20 0x0000555557964549 in js::jit::CallIRGenerator::tryAttachStub() ()
#21 0x00005555576ed6d9 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#22 0x00003430ae26b073 in ?? ()
[...]
#56 0x0000000000000000 in ?? ()
rax	0x55555584fe07	93824995360263
rbx	0x7ffff6018880	140737320683648
rcx	0x555558208838	93825039108152
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb370	140737488335728
rsp	0x7fffffffb370	140737488335728
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7fffffffbf00	140737488338688
r13	0x7fffffffb518	140737488336152
r14	0x555555767557	93824994407767
r15	0x7ffff602a200	140737320755712
rip	0x555557701df9 <js::jit::CacheIRWriter::trace(JSTracer*)+57>
=> 0x555557701df9 <_ZN2js3jit13CacheIRWriter5traceEP8JSTracer+57>:	movl   $0x157,0x0
   0x555557701e04 <_ZN2js3jit13CacheIRWriter5traceEP8JSTracer+68>:	callq  0x555556bcc947 <abort>

JIT-related and GC involved, marking s-s.

Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220415213125-86271ddb1099.
The bug appears to have been introduced in the following build range:

Start: 8f10b666008a6ece0b513787ca332c766d11ce34 (20220413114337)
End: 3d5b7428d113a3c76f23c40bd76162df5de62c87 (20220413122513)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8f10b666008a6ece0b513787ca332c766d11ce34&tochange=3d5b7428d113a3c76f23c40bd76162df5de62c87

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Maybe we need a GC suppression?

Flags: needinfo?(andrebargull)

Move the fun_call guard into a separate function, so we can call it from
emitNativeCalleeGuard(). This ensures that all GC operations occur before we
write any stub fields.

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED

(In reply to Jan de Mooij [:jandem] from comment #4)

> Maybe we need a GC suppression?

GC suppression should work, but alternatively we could also reorder the guards, so that they're emitted after GC operations.

Flags: needinfo?(andrebargull)
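The ordering hazard discussed in the two comments above, as an added illustration that is not SpiderMonkey code and does not use the real CacheIRWriter. The model assumes a writer that is registered as a GC rooter but does not trace its buffered stub fields, so its trace hook can only assert that none are pending (the same check as the `stubFields_.empty()` assertion in the report, recorded here instead of aborting); a GC pointer sitting in a pending stub field would be neither kept alive nor updated by the collector. All names (Runtime, StubWriter, GCThing, writeCalleeGuard, violationsGuardFirst, violationsAllocFirst) are hypothetical. The two attach functions differ only in whether the guard is written before or after the GC-capable allocation, which is the reordering the fix applies.

```cpp
// Added example (not SpiderMonkey code): a toy model of the ordering hazard
// behind the stubFields_.empty() assertion. All names here are hypothetical.
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

struct GCThing {
  std::string name;
};

// Anything registered as a rooter gets traced on every collection.
struct Rooter {
  virtual ~Rooter() = default;
  virtual void trace(std::vector<std::string>& violations) = 0;
};

struct Runtime {
  std::vector<std::unique_ptr<GCThing>> heap;  // owns all allocated things
  std::vector<Rooter*> rooters;
  std::vector<std::string> violations;
  int gcCount = 0;

  // Models the gczeal setting in the testcase: every allocation first runs a
  // collection, which traces all registered rooters.
  GCThing* allocate(const std::string& name) {
    ++gcCount;
    for (Rooter* r : rooters) {
      r->trace(violations);
    }
    heap.push_back(std::make_unique<GCThing>(GCThing{name}));
    return heap.back().get();
  }
};

// Toy stand-in for the CacheIR writer: the stub fields it buffers are NOT
// traced here, so the design requires that no GC happens while any stub
// field is pending.
struct StubWriter : Rooter {
  Runtime& rt;
  std::vector<GCThing*> stubFields_;

  explicit StubWriter(Runtime& r) : rt(r) { rt.rooters.push_back(this); }
  ~StubWriter() override {
    rt.rooters.erase(std::find(rt.rooters.begin(), rt.rooters.end(), this));
  }

  void trace(std::vector<std::string>& violations) override {
    // Same condition as the assertion in the report, recorded instead of aborting.
    if (!stubFields_.empty()) {
      violations.push_back("GC with " + std::to_string(stubFields_.size()) +
                           " untraced stub field(s) pending");
    }
  }

  // A callee guard embeds a GC pointer (the expected native) in a stub field.
  void writeCalleeGuard(GCThing* callee) { stubFields_.push_back(callee); }
};

// Pre-fix ordering: guard written first, then an allocation that can GC.
int violationsGuardFirst() {
  Runtime rt;
  GCThing* arrayNative = rt.allocate("Array");  // no writer registered yet
  StubWriter w(rt);
  w.writeCalleeGuard(arrayNative);
  rt.allocate("template array");  // GC runs while a stub field is pending
  return static_cast<int>(rt.violations.size());
}

// Post-fix ordering: all GC-capable work first, guards last.
int violationsAllocFirst() {
  Runtime rt;
  GCThing* arrayNative = rt.allocate("Array");
  StubWriter w(rt);
  rt.allocate("template array");  // GC runs with no stub fields pending
  w.writeCalleeGuard(arrayNative);  // no further GC before the stub is attached
  return static_cast<int>(rt.violations.size());
}
```

Running both functions gives one recorded violation for the guard-first ordering and none for the allocation-first ordering; the alternative mentioned in the comments, a GC suppression around the attach, would instead keep `allocate()` from collecting at all while the writer is live.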

:anba, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(andrebargull)
Flags: needinfo?(andrebargull)
Regressed by: 1738413
Has Regression Range: --- → yes

Set release status flags based on info from the regressing bug 1738413

Blocks: sm-jits
Severity: -- → S2
Priority: -- → P1

This sounds like a possible GC tracing issue, so I'll mark it sec-high.

Keywords: sec-high
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220420215300-a33cd50e2f73.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Group: core-security-release