The following testcase crashes on mozilla-central revision 081c6ac45c5d (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion --ion-loop-unrolling=on):

// Adapted from randomly chosen test: js/src/jit-test/tests/ion/lazyLink-bug1150783.js
(function() {
    'use asm';
    function f() {
        var $x = 0;
        while (($x | 0) < 0) {
            $x = $x + 1 | 0;
        }
    }
    return f;
})()

Backtrace:

#0 js::jit::UnrollLoops (graph=..., bounds=...) at js/src/jit/LoopUnroller.cpp:451
#1 0x000055e4ff623e01 in js::jit::OptimizeMIR (mir=0x7ffc54704388) at js/src/jit/Ion.cpp:1478
#2 0x000055e4ff8acb5f in js::wasm::IonCompileFunctions (env=..., lifo=..., inputs=..., code=<optimized out>, dvs=..., error=0x0) at js/src/wasm/WasmIonCompile.cpp:4078
#3 0x000055e4ff89e1fc in ExecuteCompileTask (task=0x7fa92b288800, error=0x0) at js/src/wasm/WasmGenerator.cpp:718
#4 0x000055e4ff89eca7 in js::wasm::ModuleGenerator::locallyCompileCurrentTask (this=<optimized out>) at js/src/wasm/WasmGenerator.cpp:757
#5 js::wasm::ModuleGenerator::finishFuncDefs (this=0x7ffc547046f8) at js/src/wasm/WasmGenerator.cpp:884
#6 0x000055e4ff86d496 in ModuleValidator<char16_t>::finish (this=0x7ffc547055b0, linkData=0x7ffc54705de0) at js/src/wasm/AsmJS.cpp:2176
/snip

For detailed crash information, see attachment.

Not sure if this is s-s. --ion-loop-unrolling=on is required, but then again, MIR is on the stack, so locking s-s to be safe.
Bug 1520998 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
The following testcase crashes on mozilla-central revision 081c6ac45c5d (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion --ion-loop-unrolling=on):

```
// Adapted from randomly chosen test: js/src/jit-test/tests/ion/lazyLink-bug1150783.js
(function() {
    'use asm';
    function f() {
        var $x = 0;
        while (($x | 0) < 0) {
            $x = $x + 1 | 0;
        }
    }
    return f;
})()
```

Backtrace:

#0 js::jit::UnrollLoops (graph=..., bounds=...) at js/src/jit/LoopUnroller.cpp:451
#1 0x000055e4ff623e01 in js::jit::OptimizeMIR (mir=0x7ffc54704388) at js/src/jit/Ion.cpp:1478
#2 0x000055e4ff8acb5f in js::wasm::IonCompileFunctions (env=..., lifo=..., inputs=..., code=<optimized out>, dvs=..., error=0x0) at js/src/wasm/WasmIonCompile.cpp:4078
#3 0x000055e4ff89e1fc in ExecuteCompileTask (task=0x7fa92b288800, error=0x0) at js/src/wasm/WasmGenerator.cpp:718
#4 0x000055e4ff89eca7 in js::wasm::ModuleGenerator::locallyCompileCurrentTask (this=<optimized out>) at js/src/wasm/WasmGenerator.cpp:757
#5 js::wasm::ModuleGenerator::finishFuncDefs (this=0x7ffc547046f8) at js/src/wasm/WasmGenerator.cpp:884
#6 0x000055e4ff86d496 in ModuleValidator<char16_t>::finish (this=0x7ffc547055b0, linkData=0x7ffc54705de0) at js/src/wasm/AsmJS.cpp:2176
/snip

For detailed crash information, see attachment.

Not sure if this is s-s. --ion-loop-unrolling=on is required, but then again, MIR is on the stack, so locking s-s to be safe.