Closed Bug 1791987 Opened 2 years ago Closed 2 years ago

Assertion failure: producer_ != nullptr, at js/src/jit/MIR.h:209

Categories

(Core :: JavaScript Engine, defect, P1)

defect


RESOLVED DUPLICATE of bug 1791401

People

(Reporter: saelo, Unassigned)

References

(Blocks 2 open bugs)

Details

The following sample triggers an assertion failure (indicating a nullptr dereference) when run with --baseline-warmup-threshold=10 --ion-warmup-threshold=100:

// --baseline-warmup-threshold=10 --ion-warmup-threshold=100 
// Fuzzer-generated reproducer. Keep the statement shape exactly as-is: it is the
// Ion/Warp compilation of this particular code that reaches the assertion (the
// gdb trace below fails inside WarpBuilder::build_RecreateLexicalEnv, frame #8).
// Lowered warmup thresholds (flags above) make the Ion compile happen within
// the few loop iterations this script runs.
function main() {
let v2 = 0;
do {
    const v4 = 0;
    for (const v5 of "4294967297") {
        function v6(v7,v8) {
            // `with` on a template-literal string inside the nested function;
            // its role in the failure is not pinned down here.
            with (`-2147483647`) {
            }
        }
        const v11 = new Promise(v6);
    }
    const v14 = new Date();
    let v15 = 0;
    do {
        // Per-iteration `const` bindings in a loop body; presumably one of these
        // loops is what produces the RecreateLexicalEnv op seen in the trace — confirm.
        const v17 = [];
        const v18 = v17.concat();
        let v20 = Int8Array.length;
        const v21 = v20++;
        const v22 = v21 << v15;
        // oomAtAllocation is a JS-shell testing function (not available in a browser);
        // main() is called as a plain function, so `this` is the global object here.
        const v24 = this.oomAtAllocation(v22,v20);
        const v25 = v15++;
    } while (v15 < 10);
    let v27 = Int8Array.length;
    const v28 = v27++;
    const v30 = this.oomAtAllocation(3720,v27);
    const v31 = v2++;
} while (v2 < 10);
for (const v32 of "4294967297") {
    const v33 = v32.search(v2);
    const v35 = new Uint8ClampedArray(v32,10,Uint16Array);
    function v36(v37,v38,v39,v40) {
    }
    for (const v42 of "4294967297") {
    }
}
// gc() is likewise a shell-only testing function.
gc();
}
main();
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// Assertion failure: producer_ != nullptr, at /home/builder/firefox/js/src/jit/MIR.h:209

Here is the stacktrace from gdb:

#0  0x00005555583e7eb7 in js::jit::MUse::producer (this=0x7ffff500adb0) at js/src/jit/MIR.h:209
#1  0x00005555583e95b1 in js::jit::MDefinition::addUseUnchecked (this=0x0, use=0x7ffff500adb0) at js/src/jit/MIR.h:740
#2  0x00005555583e9588 in js::jit::MUse::initUnchecked (this=0x7ffff500adb0, producer=0x0, consumer=0x7ffff500ad30) at js/src/jit/MIR.h:10826
#3  0x00005555583e94dc in js::jit::MUse::init (this=0x7ffff500adb0, producer=0x0, consumer=0x7ffff500ad30) at js/src/jit/MIR.h:10819
#4  0x00005555583e85a9 in js::jit::MAryInstruction<2ul>::initOperand (this=0x7ffff500ad30, index=1, operand=0x0) at js/src/jit/MIR.h:1047
#5  0x00005555583e843d in js::jit::MBinaryInstruction::MBinaryInstruction (this=0x7ffff500ad30, op=js::jit::MDefinition::Opcode::AssertCanElidePostWriteBarrier, left=0x7ffff500aca0, right=0x0) at js/src/jit/MIR.h:1103
#6  0x00005555584ebede in js::jit::MAssertCanElidePostWriteBarrier::MAssertCanElidePostWriteBarrier (this=0x7ffff500ad30, object=0x7ffff500aca0, value=0x0) at js/src/jit/MIR.h:1218
#7  0x00005555584b3e7f in js::jit::MAssertCanElidePostWriteBarrier::New<js::jit::MNewLexicalEnvironmentObject*&, js::jit::MDefinition*&> (alloc=..., args=@0x7ffff67fc750: 0x0, args=@0x7ffff67fc750: 0x0) at js/src/jit/MIR.h:1218
#8  0x0000555558498c95 in js::jit::WarpBuilder::build_RecreateLexicalEnv (this=0x7ffff67fd7a0, loc=...) at js/src/jit/WarpBuilder.cpp:2158
#9  0x000055555848cab1 in js::jit::WarpBuilder::buildBody (this=0x7ffff67fd7a0) at js/src/jit/WarpBuilder.cpp:702
#10 0x0000555558487203 in js::jit::WarpBuilder::build (this=0x7ffff67fd7a0) at js/src/jit/WarpBuilder.cpp:294
#11 0x00005555588127da in js::jit::CompileBackEnd (mir=0x7ffff5666178, snapshot=0x7ffff5667668) at js/src/jit/Ion.cpp:1507
#12 0x000055555885e184 in js::jit::IonCompileTask::runTask (this=0x7ffff56676e0) at js/src/jit/IonCompileTask.cpp:52
#13 0x000055555885e0af in js::jit::IonCompileTask::runHelperThreadTask (this=0x7ffff56676e0, locked=...) at js/src/jit/IonCompileTask.cpp:30
#14 0x000055555772d92f in js::GlobalHelperThreadState::runTaskLocked (this=0x7ffff770d800, task=0x7ffff56676e0, locked=...) at js/src/vm/HelperThreads.cpp:2768
#15 0x000055555772d70b in js::GlobalHelperThreadState::runOneTask (this=0x7ffff770d800, lock=...) at js/src/vm/HelperThreads.cpp:2737
#16 0x000055555777ed18 in js::HelperThread::threadLoop (this=0x7ffff773b200, pool=0x7ffff7738880) at js/src/vm/InternalThreadPool.cpp:282
#17 0x000055555777eb72 in js::HelperThread::ThreadMain (pool=0x7ffff7738880, helper=0x7ffff773b200) at js/src/vm/InternalThreadPool.cpp:225
#18 0x00005555577b16f2 in js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>::callMain<0ul, 1ul> (this=0x7ffff7717c80) at js/src/threading/Thread.h:220
#19 0x00005555577b14fb in js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>::Start (aPack=0x7ffff7717c80) at js/src/threading/Thread.h:209
#20 0x00007ffff7f90d80 in start_thread (arg=0x7ffff67fe640) at pthread_create.c:481
#21 0x00007ffff7b01baf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

This sounds like a duplicate of Bug 1791401.
André, can you confirm whether or not it is a duplicate?

Flags: needinfo?(andrebargull)
Severity: -- → S4
Type: task → defect
Priority: -- → P1

Ah yeah, that does seem to be a duplicate of the linked bug; my source checkout was a few days old. The sample no longer seems to reproduce on the latest HEAD. Sorry for the noise!

(In reply to Nicolas B. Pierron [:nbp] from comment #1)

This sounds like a duplicate of Bug 1791401.
André, can you confirm whether or not it is a duplicate?

Yes, it's a duplicate of bug 1791401.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(andrebargull)
Resolution: --- → DUPLICATE