Closed Bug 1571388 Opened 5 years ago Closed 5 years ago

Assertion failure: IsBaselineInterpreterEnabled(), at js/src/jit/Jit.cpp:27 or Assertion failure: IsBaselineJitEnabled(), at jit/Bailouts.cpp:129

Categories

(Core :: JavaScript Engine, defect, P2)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla71
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox69 --- unaffected
firefox70 --- wontfix
firefox71 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 30a8df41ff6d (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --baseline-eager):

var lfLogBuffer = `
var oldOpts = getJitCompilerOptions();
for (var k32 in oldOpts)
    setJitCompilerOption(k32, 0);
`;
orig_setJitCompilerOption = setJitCompilerOption;
setJitCompilerOption = function(opt, num) { try { orig_setJitCompilerOption(opt, num); } catch(exc) {} };
evaluate(lfLogBuffer);
evaluate(lfLogBuffer);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  EnterJit (cx=<optimized out>, state=..., code=0x96b90ad7010 "\351#") at js/src/jit/Jit.cpp:27
#1  0x00005555558d6c31 in Interpret (cx=0x7ffff5f23000, state=...) at js/src/vm/Interpreter.cpp:3131
#2  0x00005555558dd7c6 in js::RunScript (cx=0x7ffff5f23000, state=...) at js/src/vm/Interpreter.cpp:425
#3  0x00005555558e0f6c in js::ExecuteKernel (cx=<optimized out>, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffc600) at js/src/vm/Interpreter.cpp:787
#4  0x00005555558e1739 in js::Execute (cx=<optimized out>, cx@entry=0x7ffff5f23000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x7fffffffc600) at js/src/vm/Interpreter.cpp:821
#5  0x0000555555a07992 in ExecuteScript (cx=0x7ffff5f23000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x7fffffffc600) at js/src/vm/CompilationAndEvaluation.cpp:448
#6  0x0000555555a1be90 in ExecuteScript (cx=<optimized out>, envChain=..., scriptArg=..., rval=0x7fffffffc600) at js/src/vm/CompilationAndEvaluation.cpp:468
#7  0x000055555584f849 in Evaluate (cx=<optimized out>, cx@entry=0x7ffff5f23000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:2268
#8  0x00005555558e766f in CallJSNative (cx=0x7ffff5f23000, native=native@entry=0x55555584ec90 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:448
#9  0x00005555558dddda in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f23000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:540
#10 0x00005555558de53f in InternalCall (cx=0x7ffff5f23000, args=...) at js/src/vm/Interpreter.cpp:595
#11 0x00005555558de68a in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:599
#12 0x0000555556119ea3 in js::jit::DoCallFallback (cx=<optimized out>, frame=0x7fffffffc650, stub=0x7ffff58f4350, argc=1, vp=0x7fffffffc600, res=...) at js/src/jit/BaselineIC.cpp:3209
#13 0x0000096b90a803e3 in ?? ()
[...]
#34 0x0000000000000000 in ?? ()
rip	0x555556365241 <EnterJit(JSContext*, js::RunState&, uint8_t*)+369>
=> 0x555556365241 <EnterJit(JSContext*, js::RunState&, uint8_t*)+369>:	movl   $0x0,0x0
   0x55555636524c <EnterJit(JSContext*, js::RunState&, uint8_t*)+380>:	ud2

This is probably shell-only.

Type: task → defect

Ugh. Yes, shell-only testing-function silliness.

Flags: needinfo?(jdemooij)

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/56b33927fd49
user: Jan de Mooij
date: Sat Jul 20 08:56:36 2019 +0000
summary: Bug 1566332 part 4 - Make IsBaselineJitEnabled imply IsBaselineInterpreterEnabled. r=tcampbell

Jan, is bug 1566332 a likely regressor?

Regressed by: 1566332
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 115a4bcdb596).

autobisectjs shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/b2089a5f1393
user: Jan de Mooij
date: Fri Aug 16 12:40:20 2019 +0000
summary: Bug 1571446 part 1 - Make JSScript::jitScript() assert hasJitScript() and add JSScript::maybeJitScript(). r=tcampbell

Jan, is bug 1571446 a likely fix?

Flags: needinfo?(jdemooij)

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #6)

> Jan, is bug 1571446 a likely fix?

For this particular test, yes, but it should be possible to trigger in other ways :) I just updated the fix.

Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0f21f9fdd43e Disallow enabling or disabling the Baseline Interpreter via setJitCompilerOption. r=tcampbell
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Has Regression Range: --- → yes
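Added example, not code from this bug or from SpiderMonkey: a small model of the invariant named in the regressing changeset ("IsBaselineJitEnabled implies IsBaselineInterpreterEnabled") beside the behaviour of the fix, which stops the Baseline Interpreter flag from being toggled through setJitCompilerOption. The option keys and the setter functions are constructed for the model and are not the shell's real option table.

```javascript
// Constructed option keys for the model (not the real shell option names).
const INTERP = "blinterp.enable";   // Baseline Interpreter
const BASELINE = "baseline.enable"; // Baseline JIT

// The engine invariant from bug 1566332 part 4: Baseline JIT on requires
// Baseline Interpreter on. EnterJit asserts when this is violated.
function invariantHolds(opts) {
  return !opts[BASELINE] || Boolean(opts[INTERP]);
}

function defaultOptions() {
  return { [INTERP]: 1, [BASELINE]: 1, "ion.enable": 1 };
}

// Pre-fix behaviour: every entry in the option table is writable, so a
// caller can switch the interpreter off while the JIT is still on.
function setOptionUnchecked(opts, key, value) {
  if (!(key in opts)) throw new Error(`unknown option ${key}`);
  opts[key] = value;
}

// Post-fix behaviour (model of the autoland push): the interpreter flag is
// derived by the engine and any attempt to set it is rejected.
function setOptionChecked(opts, key, value) {
  if (!(key in opts)) throw new Error(`unknown option ${key}`);
  if (key === INTERP) {
    throw new Error(`${key} cannot be changed via setJitCompilerOption`);
  }
  opts[key] = value;
}

// Mirrors the reporter's loop: walk the option table and set each entry to 0,
// swallowing errors the way the testcase's wrapper does. Returns the final
// table and whether the invariant was broken at any step along the way.
function zeroAllOptions(opts, setter) {
  let broken = false;
  for (const key of Object.keys(opts)) {
    try {
      setter(opts, key, 0);
    } catch (e) {
      // ignored, as in the testcase's try/catch wrapper
    }
    if (!invariantHolds(opts)) broken = true;
  }
  return { opts, broken };
}
```

With the unchecked setter the interpreter flag is cleared first and the invariant is broken until the JIT flag is cleared too; with the checked setter the interpreter flag is never touched, so the invariant holds at every step.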