Segfault in RISC-V JIT
Component: Core :: JavaScript Engine: JIT (defect, P3)
Reporter: james; Unassigned; NeedInfo
References: Blocks 1 open bug; Regression
Keywords: regression
Steps to reproduce:
In all recent versions of Firefox that I've tried, 121-126, built from scratch with GCC 13 on Gentoo with configure option --enable-jit, visiting JS-heavy sites like reddit.com or youtube.com results in a crash.
Actual results:
Firefox segfaults in the JIT with the following stack trace:
#0 0x0000003fafcc3b7c in ??? () at /usr/lib64/libc.so.6
#1 0x0000003fafc8e28e in raise () at /usr/lib64/libc.so.6
#2 0x0000003faa76e1a8 in nsProfileLock::FatalSignalHandler (signo=11, info=<optimized out>, context=0x3f1a004ce0)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/toolkit/profile/nsProfileLock.cpp:174
#3 0x0000003fb0079800 in <signal handler called> ()
#4 MOZ_Crash (aReason=<optimized out>, aLine=50, aFilename=<synthetic pointer>)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox_build/dist/include/mozilla/Assertions.h:317
#5 mozilla::detail::InvalidArrayIndex_CRASH (aIndex=<optimized out>, aLength=aLength@entry=1024)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/mfbt/Assertions.cpp:50
#6 0x0000003faab396f4 in mozilla::Array<unsigned char, 1024ul>::operator[] (aIndex=<optimized out>, this=<optimized out>)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox_build/dist/include/mozilla/Array.h:44
#7 js::jit::AssemblerBuffer<1024, js::jit::Instruction>::getInstBackwards
(updateFinger=<optimized out>, startOffset=<optimized out>, start=<optimized out>, off=..., this=<optimized out>)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/shared/IonAssemblerBuffer.h:358
#8 js::jit::AssemblerBuffer<1024, js::jit::Instruction>::getInst (this=<optimized out>, off=...)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/shared/IonAssemblerBuffer.h:411
#9 0x0000003faabe9002 in js::jit::Assembler::editSrc (bo=..., this=0x3efe38cc18)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/riscv64/Assembler-riscv64.h:146
#10 js::jit::Assembler::target_at (this=this@entry=0x3efe38cc18, pos=..., is_internal=is_internal@entry=false)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/riscv64/Assembler-riscv64.cpp:942
#11 0x0000003faabe9f46 in js::jit::Assembler::next_link (is_internal=<optimized out>, L=<optimized out>, this=<optimized out>)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/riscv64/Assembler-riscv64.cpp:1018
#12 js::jit::Assembler::bind (this=this@entry=0x3efe38cc18, label=label@entry=0x3f1a0053b0, boff=..., boff@entry=...)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/riscv64/Assembler-riscv64.cpp:1049
#13 0x0000003faac05e4c in js::jit::MacroAssemblerRiscv64Compat::loadInt32OrDouble (this=this@entry=0x3efe38cc18, src=..., dest=...)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/riscv64/MacroAssembler-riscv64.cpp:1697
#14 0x0000003faac962ac in js::jit::MacroAssemblerRiscv64Compat::loadUnboxedValue<js::jit::Address>
(dest=..., type=<optimized out>, address=..., this=<optimized out>)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/riscv64/MacroAssembler-riscv64.h:896
#15 js::jit::CodeGenerator::visitGetDOMMemberT (this=this@entry=0x3efe38cc00, ins=ins@entry=0x3ef9fbeba8)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/CodeGenerator.cpp:18368
#16 0x0000003faacadf5e in js::jit::CodeGenerator::generateBody (this=this@entry=0x3efe38cc00)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/CodeGenerator.cpp:7606
#17 0x0000003faacaf3ae in js::jit::CodeGenerator::generate (this=this@entry=0x3efe38cc00)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/CodeGenerator.cpp:15573
#18 0x0000003faacb54ec in js::jit::GenerateCode (mir=0x3ef8f06128, lir=0x3ef9fbba18)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/Ion.cpp:1597
#19 0x0000003faacb69e4 in js::jit::CompileBackEnd (mir=<optimized out>, snapshot=<optimized out>)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/Ion.cpp:1626
#20 0x0000003faacb9c1a in js::jit::IonCompileTask::runTask (this=0x3ef8f09900)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/IonCompileTask.cpp:52
#21 js::jit::IonCompileTask::runHelperThreadTask (this=0x3ef8f09900, locked=...)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/jit/IonCompileTask.cpp:30
#22 0x0000003faa87cd8a in js::GlobalHelperThreadState::runTaskLocked (this=this@entry=0x3f9d50d100, task=0x3ef8f09900, locked=...)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/vm/HelperThreads.cpp:1728
#23 0x0000003faa87ce9e in js::GlobalHelperThreadState::runOneTask (this=0x3f9d50d100, lock=...)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/vm/HelperThreads.cpp:1697
#24 0x0000003faa87cf32 in JS::RunHelperThreadTask () at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/src/vm/HelperThreads.cpp:1684
#25 0x0000003fa7ea6cbc in HelperThreadTaskHandler::Run (this=<optimized out>)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/js/xpconnect/src/XPCJSContext.cpp:1113
#26 0x0000003fa798ce3a in mozilla::TaskController::RunPoolThread (this=0x3fafa1d000)
at /var/tmp/portage/www-client/firefox-126.0/work/firefox-126.0/xpcom/threads/TaskController.cpp:368
#27 0x0000003fa65a9494 in _pt_root (arg=0x3f1ae1e160) at /var/tmp/portage/dev-libs/nspr-4.35-r2/work/nspr-4.35/nspr/pr/src/pthreads/ptthread.c:201
#28 0x0000003fafcc23ea in ??? () at /usr/lib64/libc.so.6
#29 0x0000003fafd0e640 in ??? () at /usr/lib64/libc.so.6
Expected results:
The browser should not crash. Disabling the JIT by removing the configure option restores stability at the cost of performance.
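Frames #4 to #7 of the trace show that the process did not die on a wild memory access: the crash is the release-mode bounds check in mozilla::Array<unsigned char, 1024>::operator[] firing (InvalidArrayIndex_CRASH with aLength=1024) while AssemblerBuffer::getInstBackwards was resolving an offset for Assembler::bind, via next_link, target_at and editSrc. The following is an added, simplified model of that path, written for this page and not taken from SpiderMonkey; the names (SliceBuffer, locate, bindLabel, kEndOfChain) and the layout are assumptions chosen to illustrate the mechanism. It shows what a slice-local index of 1024 or more means: the branch chain contains an offset that a backwards walk from the cached slice cannot reach, so the computed index overshoots the 1024-byte slice. With a checked array that is a controlled abort, which is what the report's trace records; with a raw array it would be an out-of-bounds read and write on the code buffer.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <vector>

// Added example: simplified model of a sliced assembler buffer plus a label
// chain. Names and layout are assumptions for illustration, not
// SpiderMonkey's IonAssemblerBuffer.h or Assembler-riscv64.cpp.
constexpr size_t kSliceSize = 1024;  // the 1024 in AssemblerBuffer<1024, ...>

struct Slice {
  uint8_t bytes[kSliceSize] = {};
  size_t length = 0;  // bytes emitted into this slice so far
};

struct SliceBuffer {
  std::vector<Slice> slices{Slice{}};
  size_t finger = 0;       // cached slice index, like the buffer's finger
  size_t fingerStart = 0;  // global offset at which the finger slice begins

  size_t size() const {
    size_t n = 0;
    for (const Slice& s : slices) n += s.length;
    return n;
  }

  // Append one 4-byte word, opening a new slice when the current one is full.
  size_t emit32(uint32_t word) {
    if (slices.back().length + 4 > kSliceSize) slices.push_back(Slice{});
    Slice& cur = slices.back();
    size_t off = size();
    for (int i = 0; i < 4; ++i) cur.bytes[cur.length++] = uint8_t(word >> (8 * i));
    return off;
  }

  // Point the finger at the last slice, as a forward walk that updates the
  // finger would leave it.
  void moveFingerToEnd() {
    finger = slices.size() - 1;
    fingerStart = size() - slices.back().length;
  }

  // Resolve a global offset to (slice, local index) by walking back from the
  // finger, in the manner of getInstBackwards. The final range check plays
  // the role of mozilla::Array::operator[], which in the reported build is
  // what aborted with InvalidArrayIndex_CRASH(aIndex, 1024); here it returns
  // false so the failure is observable rather than fatal.
  bool locate(size_t off, size_t* sliceIdx, size_t* local) const {
    size_t idx = finger, start = fingerStart;
    while (off < start && idx > 0) start -= slices[--idx].length;
    size_t loc = off - start;
    if (loc >= kSliceSize) return false;  // would index past the 1024-byte slice
    *sliceIdx = idx;
    *local = loc;
    return true;
  }

  bool read32(size_t off, uint32_t* out) const {
    size_t s, l;
    if (!locate(off, &s, &l) || l + 4 > kSliceSize) return false;
    const uint8_t* p = slices[s].bytes + l;
    *out = uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
    return true;
  }

  bool write32(size_t off, uint32_t word) {
    size_t s, l;
    if (!locate(off, &s, &l) || l + 4 > kSliceSize) return false;
    for (int i = 0; i < 4; ++i) slices[s].bytes[l + i] = uint8_t(word >> (8 * i));
    return true;
  }
};

// Pending-branch chain in the style of Assembler::bind/next_link: each unbound
// branch to a label stores the offset of the previous unbound branch to that
// label; kEndOfChain terminates the list.
constexpr uint32_t kEndOfChain = 0xFFFFFFFFu;
struct Label { uint32_t last = kEndOfChain; };

void emitBranch(SliceBuffer& buf, Label& label) {
  size_t off = buf.emit32(label.last);
  label.last = uint32_t(off);
}

// Bind the label: walk the chain and patch every branch with the target.
// Returns the number of branches patched, or -1 when a link cannot be
// resolved (the point at which the reported build crashed).
int bindLabel(SliceBuffer& buf, Label& label, uint32_t target) {
  int patched = 0;
  for (uint32_t pos = label.last; pos != kEndOfChain; ++patched) {
    uint32_t next;
    if (!buf.read32(pos, &next) || !buf.write32(pos, target)) return -1;
    pos = next;
  }
  label.last = kEndOfChain;
  return patched;
}

// Scenario (constructed): 600 words, i.e. 2400 bytes across three slices, with
// one branch to `done` per slice at offsets 0, 1200 and 2280. With the finger
// kept current the walk succeeds and all three words carry the target; with
// the finger left on slice 0, the last link lies two slices ahead, the
// backwards walk cannot reach it, and the local index overshoots the slice.
int bindAcrossSlices(bool keepFingerCurrent) {
  SliceBuffer buf;
  Label done;
  for (uint32_t i = 0; i < 600; ++i) {
    if (i == 0 || i == 300 || i == 570) emitBranch(buf, done);
    else buf.emit32(0x13);  // RISC-V addi x0,x0,0 (nop) as filler
  }
  if (keepFingerCurrent) buf.moveFingerToEnd();
  int n = bindLabel(buf, done, uint32_t(buf.size()));
  if (n < 0) return n;
  for (uint32_t off : {0u, 1200u, 2280u}) {
    uint32_t w;
    if (!buf.read32(off, &w) || w != buf.size()) return -2;
  }
  return n;
}
```

The point of the model is the two outcomes of `bindAcrossSlices`: with a current finger it patches three branches, with a stale one the lookup of the forward link fails before any byte is touched. In the real buffer the equivalent failure is the InvalidArrayIndex_CRASH in the trace; the check is on slice capacity (1024), not on how many bytes were actually emitted, so an offset that lands inside the finger slice but past the emitted bytes is not caught by it.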
Comment 1•4 months ago
The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine: JIT' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•3 months ago
Yahan or Ji, can you look at this bug, if this is specific to the RISC-V backend?
(In reply to Nicolas B. Pierron [:nbp] from comment #2)
> Yahan or Ji, can you look at this bug, if this is specific to the RISC-V backend?
Hi Nicolas, sorry for the late notice. We are checking now. Thank you for reporting this.