Closed Bug 1318492 Opened 8 years ago Closed 8 years ago

Crash [@ js::jit::AssertBasicGraphCoherency]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1314172
Tracking Flags:
Tracking Status
firefox51 --- unaffected
firefox52 --- affected
firefox53 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,ignore])

Crash Data

Attachments

(2 files)

Detailed Crash Information
29.59 KB, text/plain
Details
OOM_VERBOSE=1 stack from m-c rev 05e5b12f41df
10.54 KB, text/plain
Details
The following testcase crashes on mozilla-central revision 05e5b12f41df (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager): x = new Uint8ClampedArray; y = new Uint8Array; y.subarray(); z = x.subarray(); oomTest(function() { z.subarray(); }) Backtrace: 0 js-dbg-64-dm-clang-darwin-05e5b12f41df 0x0000000105a51d51 js::jit::AssertBasicGraphCoherency(js::jit::MIRGraph&) + 2161 (IonAnalysis.cpp:2625) 1 js-dbg-64-dm-clang-darwin-05e5b12f41df 0x0000000105a4e186 js::jit::OptimizeMIR(js::jit::MIRGenerator*) + 230 (Ion.cpp:1513) 2 js-dbg-64-dm-clang-darwin-05e5b12f41df 0x0000000105a5b81a js::jit::CompileBackEnd(js::jit::MIRGenerator*) + 74 (Ion.cpp:2023) 3 js-dbg-64-dm-clang-darwin-05e5b12f41df 0x0000000105a5d863 js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) + 3779 (Ion.cpp:2304) 4 js-dbg-64-dm-clang-darwin-05e5b12f41df 0x0000000105a5c5f6 js::jit::CanEnter(JSContext*, js::RunState&) + 438 (Ion.cpp:2584) /snip For detailed crash information, see attachment. Even though oomTest is involved, still locking s-s to be safe because TypedArrays are involved and MIR is on the stack.
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/47e4fb57325d user: Nicolas B. Pierron date: Fri Oct 28 12:45:31 2016 +0000 summary: Bug 1303399 part 2 - IonMonkey: Fallback when we fail to inline an uninlinable function. r=h4writer Nicolas, is bug 1303399 a likely regressor?
Blocks: 1303399
Flags: needinfo?(nicolas.b.pierron)
Bug 1314172 is adding a flag to disable Bug 1303399 feature. Once this is done and backtracked we should fix all the OOM reporting issues from IonBuilder (Bug 1286505) and hopefully fix this issue at the same time.
status-firefox51: --- → unaffected
status-firefox52: --- → affected
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f8f4eaac1701).
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: