Crash due to Assertion failure: input()->isRecoveredOnBailout() == mustBeRecovered_ (assertRecoveredOnBailout failed during compilation), at js/src/jit/Recover.cpp:1465

RESOLVED INVALID

Product: Core
Component: JavaScript Engine: JIT
Reporter: Spandan Veggalam
Assignee: Unassigned
Tracking: 42 Branch
Firefox Tracking Flags: Not tracked

Description (Reporter, 3 years ago)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150629114049

Steps to reproduce:

mozilla-central revision 892594bdad30 (build with: --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug)
(Shell Options: --ion-eager --ion-offthread-compile=off)


b = Math.pow(assertRecoveredOnBailout(i, true), 32);
for (var i = 0; i < 60000; i++) b = b & i;
assertEq(b, 0);



Actual results:

Assertion failure: input()->isRecoveredOnBailout() == mustBeRecovered_ (assertRecoveredOnBailout failed during compilation), at js/src/jit/Recover.cpp:1465

Comment 1 (Jan de Mooij [:jandem]):
assertRecoveredOnBailout is another unsafe testing function that's not there with --fuzzing-safe.

Nicolas, can you confirm this assertion failure is expected?
Flags: needinfo?(nicolas.b.pierron)

(In reply to Jan de Mooij [:jandem] from comment #1)
> assertRecoveredOnBailout is another unsafe testing function that's not there
> with --fuzzing-safe.
> 
> Nicolas, can you confirm this assertion failure is expected?

Yes, assertRecoveredOnBailout is a function made to assert that optimizations are working as expected; thus, there are many test cases which will fail when this testing function is used, because there are many cases where such an optimization does not make sense.

The current test case asserts that we recover a constant (undefined) on bailout, which is not the case because constants are encoded directly in the list of constants of the IonCode, and not computed during the recovery of the instruction value while returning to baseline.
Flags: needinfo?(nicolas.b.pierron)
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID