

```
// Fuzzer reproducer: keep the expression shape and the call sequence below exactly
// as they are -- the crash depends on what Ion compiles for this body, not on the
// script's JS-level result.
function f(x) {
  let y = x | 0;   // int32 truncation: undefined -> 0, 9999999999 -> 1410065407
  z = 1;           // implicit global (no declaration); read again in the ternary below
  // Both arms of the outer ternary's condition are truthy (1 or 9999999999), so the
  // `(z ? y : 9999999999)` arm is always taken, and with z === 1 the argument that
  // reaches Function() should always be y. The attached backtrace shows the assertion
  // firing while Function() converts this argument to a string, i.e. the Value the
  // JIT-compiled caller handed over was not of the type the interpreter would produce.
  Function((x | 0 ? 1 : 9999999999) ? (z ? y : 9999999999) : 1);
}
// Repeated calls with the same int32 argument, presumably so the JIT settles on an
// int32 specialization of f before the out-of-range inputs arrive -- do not trim.
f(1);
f(1);
f(1);
f(1);
f(1);
f(1);
f(1);
f(1);
f(9999999999);        // does not fit int32; (x | 0) wraps to 1410065407
f(1);
f();                  // x is undefined; (x | 0) is 0
f(9007199254740993);  // 2^53 + 1; not exactly representable as a double
```

```
Thread 1 "js-dbg-64-linux" received signal SIGSEGV, Segmentation fault.
js::ToStringSlow<(js::AllowGC)1> (cx=0x7ffff772e100, arg=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:2467
2467	    MOZ_ASSERT(v.isUndefined());
(gdb) bt
#0  js::ToStringSlow<(js::AllowGC)1> (cx=0x7ffff772e100, arg=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:2467
#1  0x00005555573f8286 in js::ToString<(js::AllowGC)1> (cx=0x7ffff7e31700 <_IO_stdfile_2_lock>, cx@entry=0x7ffff772e100, v=...)
    at /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.h:1892
#2  0x00005555573ef2fb in CreateDynamicFunction (cx=0x7ffff772e100, args=..., generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction)
    at /home/skygentoo/trees/mozilla-central/js/src/vm/JSFunction.cpp:1383
#3  0x00005555573ee929 in js::Function (cx=0x7ffff772e100, argc=<optimized out>, vp=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSFunction.cpp:1483
#4  0x000032f6f0cce3b3 in ?? ()
#5  0x00007ffff7795975 in ?? ()
#6  0x00007fffffffc0f8 in ?? ()
#7  0x00007fffffffc1c0 in ?? ()
#8  0x0000000000000000 in ?? ()
(gdb)
```

Run with `--fuzzing-safe --no-threads --ion-eager`, compile with `AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests`, tested on m-c rev 2eb7051ff4ed.

Nicolas, is bug 1874456 a likely regressor? Setting s-s (security-sensitive) to be safe: the assertion fires in the fall-through arm of `ToStringSlow`, which suggests the JIT-compiled caller passed `Function()` a Value of a type the interpreter would never produce; in a non-debug build that could be a type confusion rather than a clean crash.
```
// Fuzzer reproducer: keep the expression shape and the call sequence below exactly
// as they are -- the crash depends on what Ion compiles for this body, not on the
// script's JS-level result.
function f(x) {
  let y = x | 0;   // int32 truncation: undefined -> 0, 9999999999 -> 1410065407
  z = 1;           // implicit global (no declaration); read again in the ternary below
  // Both arms of the outer ternary's condition are truthy (1 or 9999999999), so the
  // `(z ? y : 9999999999)` arm is always taken, and with z === 1 the argument that
  // reaches Function() should always be y. The attached backtrace shows the assertion
  // firing while Function() converts this argument to a string, i.e. the Value the
  // JIT-compiled caller handed over was not of the type the interpreter would produce.
  Function((x | 0 ? 1 : 9999999999) ? (z ? y : 9999999999) : 1);
}
// Repeated calls with the same int32 argument, presumably so the JIT settles on an
// int32 specialization of f before the out-of-range inputs arrive -- do not trim.
f(1);
f(1);
f(1);
f(1);
f(1);
f(1);
f(1);
f(1);
f(9999999999);        // does not fit int32; (x | 0) wraps to 1410065407
f(1);
f();                  // x is undefined; (x | 0) is 0
f(9007199254740993);  // 2^53 + 1; not exactly representable as a double
```

```
Thread 1 "js-dbg-64-linux" received signal SIGSEGV, Segmentation fault.
js::ToStringSlow<(js::AllowGC)1> (cx=0x7ffff772e100, arg=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:2467
2467	    MOZ_ASSERT(v.isUndefined());
(gdb) bt
#0  js::ToStringSlow<(js::AllowGC)1> (cx=0x7ffff772e100, arg=...) at /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.cpp:2467
#1  0x00005555573f8286 in js::ToString<(js::AllowGC)1> (cx=0x7ffff7e31700 <_IO_stdfile_2_lock>, cx@entry=0x7ffff772e100, v=...)
    at /home/skygentoo/trees/mozilla-central/js/src/vm/StringType.h:1892
#2  0x00005555573ef2fb in CreateDynamicFunction (cx=0x7ffff772e100, args=..., generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction)
    at /home/skygentoo/trees/mozilla-central/js/src/vm/JSFunction.cpp:1383
#3  0x00005555573ee929 in js::Function (cx=0x7ffff772e100, argc=<optimized out>, vp=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSFunction.cpp:1483
#4  0x000032f6f0cce3b3 in ?? ()
#5  0x00007ffff7795975 in ?? ()
#6  0x00007fffffffc0f8 in ?? ()
#7  0x00007fffffffc1c0 in ?? ()
#8  0x0000000000000000 in ?? ()
(gdb)
```

```
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7ad5c59c746b
user:        Nicolas B. Pierron
date:        Thu Jan 25 16:45:20 2024 +0000
summary:     Bug 1874456 part 2 - Fix EliminateDeadResumePointOperands logic. r=iain
```

Run with `--fuzzing-safe --no-threads --ion-eager`, compile with `AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests`, tested on m-c rev 2eb7051ff4ed.

Nicolas, is bug 1874456 a likely regressor? The bisection above lands on its part 2 (the `EliminateDeadResumePointOperands` change). Setting s-s (security-sensitive) to be safe: the assertion fires in the fall-through arm of `ToStringSlow`, which suggests the JIT-compiled caller passed `Function()` a Value of a type the interpreter would never produce; in a non-debug build that could be a type confusion rather than a clean crash.
