Bug 1676639 Comment 3 Edit History


This is an automated crash issue comment:

Summary: Crash [@ js::jit::IonCacheIRCompiler::compile]
Build version: mozilla-central revision 20201111-68867f327c62
Build type: optimized build (non-debug)
Runtime options: --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --ion-full-warmup-threshold=0

Testcase:

    setJitCompilerOption('ion.forceinlineCaches', 1);
    function f82() {
      var a97 = arguments;
      for (var i42 = 0; i42 < 1000; ++i42) {
        a97.callee;
      }
    }
    f82();

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    0x00005555560281ce in js::jit::IonCacheIRCompiler::compile(js::jit::IonICStub*) ()
    #0  0x00005555560281ce in js::jit::IonCacheIRCompiler::compile(js::jit::IonICStub*) ()
    #1  0x000055555602a006 in js::jit::IonIC::attachCacheIRStub(JSContext*, js::jit::CacheIRWriter const&, js::jit::CacheKind, js::jit::IonScript*, bool*, js::jit::PropertyTypeCheckInfo const*) ()
    #2  0x000055555602cbff in js::jit::IonGetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonGetPropertyIC*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
    #3  0x00002914978b91f8 in ?? ()
    [...]
    #21 0x0000000000000000 in ?? ()
    rax	0x55555663ef12	93825009970962
    rbx	0x7fffffffa950	140737488333136
    rcx	0x55555765d000	93825026871296
    rdx	0x32	50
    rsi	0x64	100
    rdi	0x7fffffff	2147483647
    rbp	0x7fffffffa840	140737488332864
    rsp	0x7fffffffa6a0	140737488332448
    r8	0x7fffffffb4f8	140737488336120
    r9	0x7ffff560255c	140737310106972
    r10	0x17	23
    r11	0x7fffffffa5a0	140737488332192
    r12	0x55555663e1e4	93825009967588
    r13	0x7fffffffb2e8	140737488335592
    r14	0xfffffffd	4294967293
    r15	0x7fffffffb810	140737488336912
    rip	0x5555560281ce <js::jit::IonCacheIRCompiler::compile(js::jit::IonICStub*)+36590>
    => 0x5555560281ce <_ZN2js3jit18IonCacheIRCompiler7compileEPNS0_9IonICStubE+36590>:	movl   $0x483,0x0
       0x5555560281d9 <_ZN2js3jit18IonCacheIRCompiler7compileEPNS0_9IonICStubE+36601>:	callq  0x5555556d4090 <abort>
