Bug 1331405 (Closed)
Assertion failure: !current, at js/src/jit/IonControlFlow.cpp:605
Opened 9 years ago, closed 9 years ago
Categories: Core :: JavaScript Engine: JIT, defect, P1
Status: RESOLVED FIXED
Target milestone: mozilla53
| Release | Tracking | Status |
|---|---|---|
| firefox50 | --- | unaffected |
| firefox51 | --- | unaffected |
| firefox52 | --- | unaffected |
| firefox53 | --- | fixed |
People: Reporter: decoder, Assigned: h4writer
Details: 4 keywords, Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Attachments (1 file): patch, 537 bytes; jandem: review+
The following testcase crashes on mozilla-central revision 8eaf154b385b (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-eager):

```js
++f();
try {} catch (e) {}
```
Backtrace:

```
#0 js::jit::ControlFlowGenerator::processTryEnd (this=0x7fffffffc7d0, state=...) at js/src/jit/IonControlFlow.cpp:605
#1 0x00000000006a7321 in js::jit::ControlFlowGenerator::processCfgStack (this=this@entry=0x7fffffffc7d0) at js/src/jit/IonControlFlow.cpp:393
#2 0x00000000006a8364 in js::jit::ControlFlowGenerator::traverseBytecode (this=this@entry=0x7fffffffc7d0) at js/src/jit/IonControlFlow.cpp:222
#3 0x0000000000630980 in GetOrCreateControlFlowGraph (tempAlloc=..., script=0x7ffff0690120, cfgOut=cfgOut@entry=0x7ffff69b54c0) at js/src/jit/IonBuilder.cpp:1356
#4 0x0000000000645ffe in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff69b51c8) at js/src/jit/IonBuilder.cpp:1413
#5 0x0000000000647119 in js::jit::IonBuilder::build (this=this@entry=0x7ffff69b51c8) at js/src/jit/IonBuilder.cpp:842
#6 0x000000000065cbf9 in js::jit::IonCompile (cx=cx@entry=0x7ffff695f000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2280
#7 0x000000000065d632 in js::jit::Compile (cx=0x7ffff695f000, script=script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2533
#8 0x000000000065d822 in js::jit::CanEnter (cx=cx@entry=0x7ffff695f000, state=...) at js/src/jit/Ion.cpp:2630
#9 0x00000000005422f3 in js::RunScript (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:379
#10 0x0000000000544a90 in js::ExecuteKernel (cx=0x7ffff695f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:684
#11 0x0000000000544fe8 in js::Execute (cx=cx@entry=0x7ffff695f000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:717
#12 0x000000000088db02 in ExecuteScript (cx=0x7ffff695f000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4410
#13 0x00000000008aafd0 in JS_ExecuteScript (cx=0x7ffff695f000, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4443
#14 0x000000000042baee in RunFile (compileOnly=<optimized out>, file=0x7ffff69a6000, filename=<optimized out>, cx=0x7ffff695f000) at js/src/shell/js.cpp:647
#15 Process (cx=<optimized out>, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:1078
#16 0x00000000004383d0 in ProcessArgs (op=0x7fffffffdaa0, cx=0x7ffff695f000) at js/src/shell/js.cpp:7223
#17 Shell (envp=<optimized out>, op=0x7fffffffdaa0, cx=0x7ffff695f000) at js/src/shell/js.cpp:7585
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7963
rax 0x2064520 33965344
rbx 0x7fffffffc7d0 140737488340944
rcx 0x117eb27 18344743
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffc6b0 140737488340656
rsp 0x7fffffffc690 140737488340624
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7fffffffc8c0 140737488341184
r13 0x7fffffffc720 140737488340768
r14 0x7ffff0327140 140737223225664
r15 0x7fffffffc7d0 140737488340944
rip 0x683235 <js::jit::ControlFlowGenerator::processTryEnd(js::jit::ControlFlowGenerator::CFGState&)+229>
=> 0x683235 <js::jit::ControlFlowGenerator::processTryEnd(js::jit::ControlFlowGenerator::CFGState&)+229>: movl $0x0,0x0
   0x683240 <js::jit::ControlFlowGenerator::processTryEnd(js::jit::ControlFlowGenerator::CFGState&)+240>: ud2
```
This is a fuzzblocker occurring with high frequency; it needs immediate fixing for JS fuzzing to work.
Updated (9 years ago): status-firefox50: --- → unaffected; status-firefox51: --- → unaffected; status-firefox52: --- → unaffected

Updated (Assignee, 9 years ago): Assignee: nobody → hv1989; Priority: -- → P1
Comment 1 (Assignee, 9 years ago)

Apparently we don't support JSOP_THROWMSG. That made the inconsistent state where we didn't expect a successor but still found one after the try.

Attachment #8827808 - Flags: review?(jdemooij)
Updated (Assignee, 9 years ago): Component: JavaScript Engine → JavaScript Engine: JIT
Comment 2 (9 years ago)

Comment on attachment 8827808: Disable JSOP_THROWMSG

Review of attachment 8827808:

Add the testcase too?

Attachment #8827808 - Flags: review?(jdemooij) → review+
Pushed by hv1989@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f4b6c78a36f8
IonMonkey: Disable compiling JSOP_THROWMSG, r=jandem
Comment 4 (bugherder, 9 years ago)

Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53