Closed Bug 1889105 Opened 1 year ago Closed 1 year ago

Assertion failure: !jitIter.done(), at js/src/vm/GeckoProfiler.cpp:62

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1888744
Tracking Status
firefox126 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20240401-26157b52a8c3 (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

[1, 2].sort(enableGeckoProfilingWithSlowAssertions)

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055d0ef1fa240 in js::GeckoProfilerRuntime::enable(bool) ()
#1  0x000055d0eee66b65 in EnableGeckoProfilingWithSlowAssertions(JSContext*, unsigned int, JS::Value*) ()
#2  0x000055d0eefed6b5 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#3  0x000055d0eefecc28 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#4  0x000055d0eefee4f3 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#5  0x000055d0ef0632d8 in CallComparatorSlow(js::ArraySortData*, JS::Value const&, JS::Value const&) ()
#6  0x000055d0ef039b40 in js::ArraySortData::sortWithComparator(js::ArraySortData*) ()
#7  0x000055d0ef03fc56 in js::ArraySortFromJit(JSContext*, js::jit::TrampolineNativeFrameLayout*) ()
[...]
#11 0x0000000000000000 in ?? ()
rip	0x55d0ef1fa240 <js::GeckoProfilerRuntime::enable(bool)+1408>
=> 0x55d0ef1fa240 <_ZN2js20GeckoProfilerRuntime6enableEb+1408>:	movl   $0x3e,0x0
   0x55d0ef1fa24b <_ZN2js20GeckoProfilerRuntime6enableEb+1419>:	callq  0x55d0eeec1ac0 <abort>

Very likely a shell-only issue.

Attached file Testcase

Thanks. This will be fixed by the patch in bug 1888744.

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1888744
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon