Closed Bug 1568080 Opened 5 years ago Closed 5 years ago

Assertion failure: jit::IsBaselineJitEnabled(), at js/src/jit/Ion.cpp:2116

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
(deleted), text/plain
Details
Bug 1568080 - Fix IsIonEnabled to use IsBaselineJitEnabled instead of checking the JitOption directly. r?tcampbell!
(deleted), text/x-phabricator-request
Details

The following testcase crashes on mozilla-central revision b8141448e0ba (build with --enable-debug, run with --fuzzing-safe --no-blinterp):

quit();

Backtrace:

#0  js::jit::Compile (cx=<optimized out>, script=..., osrFrame=<optimized out>, osrPc=0x0, forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2116
#1  0x000055e1db25c159 in js::jit::CanEnterIon (cx=0x7f1148d19000, state=...) at js/src/jit/Ion.cpp:2268
#2  0x000055e1db305f64 in js::jit::MaybeEnterJit (cx=0x7f1148d19000, state=...) at js/src/jit/Jit.cpp:156
#3  0x000055e1da650931 in js::RunScript (cx=0x7f1148d19000, state=...) at js/src/vm/Interpreter.cpp:410
#4  0x000055e1da666d70 in js::ExecuteKernel (cx=0x7f1148d19000, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=0x7fff161972b8) at js/src/vm/Interpreter.cpp:787
/snip

For detailed crash information, see attachment.

Setting [fuzzblocker] due to the simplicity of the testcase.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/56b33927fd49
user: Jan de Mooij
date: Sat Jul 20 08:56:36 2019 +0000
summary: Bug 1566332 part 4 - Make IsBaselineJitEnabled imply IsBaselineInterpreterEnabled. r=tcampbell

Jan, is bug 1566332 a likely regressor?

Flags: needinfo?(jdemooij)
Regressed by: 1566332
Type: task → defect

Also moves these functions to JitOptions.h because Ion.h cannot include BaselineJIT.h
due to include dependencies. Ion.h should be split up eventually but JitOptions.h isn't
unreasonable for now.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Priority: -- → P1
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/78a0b312e621 Fix IsIonEnabled to use IsBaselineJitEnabled instead of checking the JitOption directly. r=tcampbell

https://hg.mozilla.org/mozilla-central/rev/78a0b312e621

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox70: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: