Closed Bug 1917565 Opened 3 months ago Closed 3 months ago

Assertion failure: get() (dereferencing a UniquePtr containing nullptr with *), at dist/include/mozilla/UniquePtr.h:277

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
132 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox130 --- unaffected
firefox131 --- unaffected
firefox132 --- verified

People

(Reporter: decoder, Assigned: mgaudet)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

Detailed Crash Information
2.40 KB, text/plain
Details
Testcase
178 bytes, text/plain
Details
Bug 1917565 - Correct OOM handling in CompilationDependencyTracker r?jandem
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20240908-eb90f648ee67 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

setJitCompilerOption("ion.warmup.trigger", 100)
oomTest(function() {
  function foo() {
    for (a = 0; a < 10; a++) trialInline(..."use strict")
  }
  evaluate(foo + "foo()")
})

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557c47af2 in js::jit::CompilationDependencyTracker::addDependency(js::jit::CompilationDependency&) ()
#1  0x0000555557c87e59 in WarpCacheIRTranspiler::emitGuardGlobalGeneration(unsigned int, unsigned int, unsigned int) ()
#2  0x0000555557c34015 in WarpCacheIRTranspiler::transpile(std::initializer_list<js::jit::MDefinition*>) ()
#3  0x0000555557c88090 in js::jit::TranspileCacheIRToMIR(js::jit::WarpBuilder*, js::BytecodeLocation, js::jit::WarpCacheIR const*, std::initializer_list<js::jit::MDefinition*>, js::jit::CallInfo*) ()
#4  0x0000555557c0bacf in js::jit::WarpBuilder::buildIC(js::BytecodeLocation, js::jit::CacheKind, std::initializer_list<js::jit::MDefinition*>) ()
#5  0x0000555557c05d13 in js::jit::WarpBuilder::build_GetGName(js::BytecodeLocation) ()
#6  0x0000555557bf3a99 in js::jit::WarpBuilder::buildBody() ()
#7  0x0000555557bf293a in js::jit::WarpBuilder::build() ()
#8  0x0000555557fe8b61 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#9  0x0000555557fea0f8 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#10 0x0000555557feabf3 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#11 0x0000555557feb53a in js::jit::IonCompileScriptForBaselineOSR(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*, js::jit::IonOsrTempData**) ()
#12 0x000032881565eb66 in ?? ()
#13 0x000028c21823f038 in ?? ()
#14 0x0000000000000000 in ?? ()
rax	0x5555557a1637	93824994645559
rbx	0x7ffff2303260	140737256632928
rcx	0x555558890e90	93825045958288
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffaf80	140737488334720
rsp	0x7fffffffaf40	140737488334656
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f92840	140737353689152
r10	0x0	0
r11	0x0	0
r12	0x7ffff2303280	140737256632960
r13	0x0	0
r14	0x7fffffffaf90	140737488334736
r15	0x8	8
rip	0x555557c47af2 <js::jit::CompilationDependencyTracker::addDependency(js::jit::CompilationDependency&)+274>
=> 0x555557c47af2 <_ZN2js3jit28CompilationDependencyTracker13addDependencyERNS0_21CompilationDependencyE+274>:	movl   $0x115,0x0
   0x555557c47afd <_ZN2js3jit28CompilationDependencyTracker13addDependencyERNS0_21CompilationDependencyE+285>:	callq  0x555556f15c10 <abort>
Attached file Testcase
Flags: needinfo?(mgaudet)
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Flags: needinfo?(mgaudet)

Verified bug as reproducible on mozilla-central 20240909092518-50016ed27344.
The bug appears to have been introduced in the following build range:

Start: 329b9c9dc1b675dc881777a61241045d2378667f (20240905163545)
End: 80db8b7ff2af7ea87c92c2784280f3141330d33f (20240905185055)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=329b9c9dc1b675dc881777a61241045d2378667f&tochange=80db8b7ff2af7ea87c92c2784280f3141330d33f

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Based on comment #4, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:mgaudet, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(mgaudet)
Flags: needinfo?(mgaudet)

(Technically the regression was in the prep patch in Bug 1905987, but this test case fails with Bug 1905988)

Regressed by: 1905987
No longer regressed by: 1905988

Oh wait. I got my bug numbers backwards and Donal got it right. Sorry.

Regressed by: 1905988
No longer regressed by: 1905987
Severity: -- → S3
Priority: -- → P3
Priority: P3 → P1
Pushed by mgaudet@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/41d03199aa3c Correct OOM handling in CompilationDependencyTracker r=jandem

https://hg.mozilla.org/mozilla-central/rev/41d03199aa3c

Status: ASSIGNED → RESOLVED
Closed: 3 months ago
status-firefox132: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch

Verified bug as fixed on rev mozilla-central 20240911092134-169a59fe35f8.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox132: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: