Assertion failure: BytecodeOpCanHaveAllocSite(JSOp(*pc_)), at js/src/jit/CacheIR.cpp:276
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
Release | Tracking | Status
---|---|---
firefox-esr115 | --- | unaffected
firefox-esr128 | --- | unaffected
firefox127 | --- | unaffected
firefox128 | --- | unaffected
firefox129 | --- | verified
People
(Reporter: decoder, Assigned: jandem)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20240617-5dabfab7d5a5 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --blinterp-eager test.js):
new Promise(RegExp).finally(Object)
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x58d7c587 in js::jit::IRGenerator::maybeCreateAllocSite() ()
#0 0x58d7c587 in js::jit::IRGenerator::maybeCreateAllocSite() ()
#1 0x58dd8f08 in js::jit::InlinableNativeIRGenerator::tryAttachObjectConstructor() ()
#2 0x58dd4031 in js::jit::InlinableNativeIRGenerator::tryAttachStub() ()
#3 0x58dde24a in js::jit::CallIRGenerator::tryAttachInlinableNative(JS::Handle<JSFunction*>, js::jit::CallFlags) ()
#4 0x58ddfd49 in js::jit::CallIRGenerator::tryAttachCallNative(JS::Handle<JSFunction*>) ()
#5 0x58de185f in js::jit::CallIRGenerator::tryAttachStub() ()
#6 0x58a983f2 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#7 0xe8200978 in ?? ()
#8 0xe822a392 in ?? ()
#9 0xe822e2c6 in ?? ()
#10 0xe81fa7ed in ?? ()
#11 0x58fee3ae in js::jit::MaybeEnterJit(JSContext*, js::RunState&) ()
#12 0x5800e553 in js::RunScript(JSContext*, js::RunState&) ()
#13 0x5800f189 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#14 0x580108ea in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#15 0x58010ae3 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#16 0x580a9693 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#17 0x583347d8 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) ()
#18 0x5800fb44 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#19 0x5800f236 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#20 0x580108ea in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#21 0x58010ae3 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#22 0x5817d214 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) ()
#23 0x58248399 in js::InternalJobQueue::runJobs(JSContext*) ()
#24 0x58247dc3 in js::RunJobs(JSContext*) ()
#25 0x57e8ca28 in RunShellJobs(JSContext*) ()
#26 0x57e6ab44 in Shell(JSContext*, js::cli::OptionParser*) ()
#27 0x57e629d4 in main ()
eax 0x56759c0f 1450548239
ebx 0x597d545c 1501385820
ecx 0x597da844 1501407300
edx 0xf7b91cc7 -138863417
esi 0xffb9e488 -4594552
edi 0xffb9e2a0 -4595040
ebp 0xffb9e1f8 4290372088
esp 0xffb9e1d0 4290372048
eip 0x58d7c587 <js::jit::IRGenerator::maybeCreateAllocSite()+727>
=> 0x58d7c587 <_ZN2js3jit11IRGenerator20maybeCreateAllocSiteEv+727>: movl $0x114,0x0
0x58d7c591 <_ZN2js3jit11IRGenerator20maybeCreateAllocSiteEv+737>: call 0x57ef64e0 <abort>
Comment 1 (Reporter) • 7 months ago
Comment 2 (Reporter) • 7 months ago
Comment 3 • 7 months ago
This looks like it's related to Bug 1902308. Since Jon's out, ni? jandem who reviewed.
Comment 4 (Assignee) • 7 months ago
Without looking at it in detail, I expect this to be a call bytecode op that's not JSOp::Call but maybe one of the self-hosted ones. I'll take a closer look tomorrow morning.
Comment 5 • 7 months ago
Verified bug as reproducible on mozilla-central 20240618094855-1f73c4ee1785.
The bug appears to have been introduced in the following build range:
Start: 305d93ccd56f1640bf8eeae5ea78799e572707bf (20240617053337)
End: 04f40bdacb57fd7507e3ecc9670c6c29ed516142 (20240617084623)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=305d93ccd56f1640bf8eeae5ea78799e572707bf&tochange=04f40bdacb57fd7507e3ecc9670c6c29ed516142
Comment 6 (Assignee) • 7 months ago
We're missing JSOp::CallContent in BytecodeOpCanHaveAllocSite. This means we don't create an allocation site for this op during Baseline compilation (the other place where we call BytecodeOpCanHaveAllocSite), but it's not a security bug.
Comment 7 • 7 months ago
Set release status flags based on info from the regressing bug 1902308
Comment 8 (Assignee) • 7 months ago
In BytecodeOpCanHaveAllocSite we were missing JSOp::CallContent, used in self-hosted code.
Comment 10 (bugherder) • 7 months ago
Comment 11 • 7 months ago
Verified bug as fixed on rev mozilla-central 20240620161057-ac120cec791e.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 12 • 7 months ago
Set release status flags based on info from the regressing bug 1902308