Assertion failure: result.unwrapErr() == AbortReason::Error, at js/src/jit/IonBuilder.cpp:3795 with OOM

NEW
Unassigned

Status


Core
JavaScript Engine
P3
critical
5 months ago
3 months ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, 4 keywords)

Trunk
ARM
Linux
assertion, jsbugmon, testcase, triage-deferred
Points:
---

Firefox Tracking Flags

(firefox56 affected)

Details

(Whiteboard: [jsbugmon:update,bisect])

(Reporter)

Description

5 months ago
The following testcase crashes on mozilla-central revision 1b065ffd8a53 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe --ion-eager --ion-offthread-compile=off):

// Fuzzer-reduced reproducer for the SpiderMonkey shell. Run with the build
// and shell flags quoted in the description; --ion-eager makes Ion compile
// (and inline) scripts almost immediately, which is the path in the backtrace.
function f(arr) {}
// Non-standard SpiderMonkey "expression closure" form (`function name(args) expr`),
// still accepted by shells of this era: the whole body is the single call
// `f(arr)`. `arr` is never declared anywhere in this testcase, so calling
// `test` presumably throws a ReferenceError, which the try/catch below swallows.
function test(out)
  f(arr);
var obj = {};
try { test(obj); } catch (lfVare) {}
// The template literal below is program input handed to `new Function` by
// loadFile; its text must stay exactly as reported, since any change alters
// the bytecode that Ion sees. Note that `expect` and `i` inside it are not
// defined by this testcase. The backtrace shows the failure during the
// `new f()` constructor call (InternalCallOrConstruct with js::CONSTRUCT ->
// AnalyzeNewScriptDefiniteProperties -> IonBuilder::inlineScriptedCall).
loadFile(`
function f() {
  this.e = function() {};
  expect.defineProperty(this, 
    test(() => Number.prototype.i.call(-Infinity, 555), i), {}
  );
}
new f();
`);
// Compiles the source string into a function and runs it under oomTest, the
// shell testing function (OOMTest in TestingFunctions.cpp, frame #31 of the
// backtrace) that exercises the function under simulated allocation failure.
// The try/catch keeps the shell running when the injected failure surfaces
// as an exception instead of the assertion this bug is about.
function loadFile(lfVarx) {
  try {
    oomTest(new Function(lfVarx));
  } catch (lfVare) {}
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x08308f8e in js::jit::IonBuilder::inlineScriptedCall (this=0xffffa224, callInfo=..., target=0xf5382c20) at js/src/jit/IonBuilder.cpp:3795
#0  0x08308f8e in js::jit::IonBuilder::inlineScriptedCall (this=0xffffa224, callInfo=..., target=0xf5382c20) at js/src/jit/IonBuilder.cpp:3795
#1  0x083090c4 in js::jit::IonBuilder::inlineSingleCall (this=0xffffa224, callInfo=..., targetArg=0xf5382c20) at js/src/jit/IonBuilder.cpp:4319
#2  0x0830a875 in js::jit::IonBuilder::inlineCallsite (this=0xffffa224, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:4373
#3  0x0830abed in js::jit::IonBuilder::jsop_call (this=0xffffa224, argc=2, constructing=false, ignoresReturnValue=false) at js/src/jit/IonBuilder.cpp:5375
#4  0x083100f6 in js::jit::IonBuilder::inspectOpcode (this=0xffffa224, op=JSOP_CALL) at js/src/jit/IonBuilder.cpp:2041
#5  0x0831133c in js::jit::IonBuilder::visitBlock (this=0xffffa224, cfgblock=0xf798f29c, mblock=0xf79b82e0) at js/src/jit/IonBuilder.cpp:1539
#6  0x08306ff1 in js::jit::IonBuilder::traverseBytecode (this=0xffffa224) at js/src/jit/IonBuilder.cpp:1456
#7  0x08307c54 in js::jit::IonBuilder::build (this=0xffffa224) at js/src/jit/IonBuilder.cpp:846
#8  0x083159da in js::jit::AnalyzeNewScriptDefiniteProperties (cx=0xf791d000, fun=..., group=0xf536a538, baseobj=..., initializerList=0xffffa568) at js/src/jit/IonAnalysis.cpp:4230
#9  0x088655b2 in js::TypeNewScript::maybeAnalyze (this=0xf519cca0, cx=0xf791d000, group=0xf536a538, regenerate=0x0, force=true) at js/src/vm/TypeInference.cpp:3861
#10 0x08074410 in js::jit::IonCompile (cx=cx@entry=0xf791d000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=0x0, recompile=false, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2198
#11 0x0831a2cd in js::jit::Compile (cx=cx@entry=0xf791d000, script=script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=0x0, forceRecompile=false) at js/src/jit/Ion.cpp:2448
#12 0x0831a450 in js::jit::CanEnter (cx=0xf791d000, state=...) at js/src/jit/Ion.cpp:2545
#13 0x081731d7 in js::RunScript (cx=0xf791d000, state=...) at js/src/vm/Interpreter.cpp:386
#14 0x0817374d in js::InternalCallOrConstruct (cx=0xf791d000, args=..., construct=js::CONSTRUCT) at js/src/vm/Interpreter.cpp:488
#15 0x081745ea in InternalConstruct (cx=0xf791d000, cx@entry=0xd7792b00, args=...) at js/src/vm/Interpreter.cpp:563
#16 0x081747d3 in js::ConstructFromStack (cx=0xf791d000, args=...) at js/src/vm/Interpreter.cpp:599
#17 0x0823b967 in js::jit::DoCallFallback (cx=0xf791d000, frame=0xf55ffc98, stub_=0xf79b6030, argc=0, vp=0xf55ffc50, res=...) at js/src/jit/BaselineIC.cpp:2530
#18 0x084fa1f5 in js::jit::Simulator::softwareInterrupt (this=0xf7974000, instr=0xf5077594) at js/src/jit/arm/Simulator-arm.cpp:2624
#19 0x084fa5c6 in js::jit::Simulator::decodeType7 (this=0xf7974000, instr=0xf5077594) at js/src/jit/arm/Simulator-arm.cpp:3784
#20 0x084fbd42 in js::jit::Simulator::instructionDecode (this=0xf7974000, instr=0xf5077594) at js/src/jit/arm/Simulator-arm.cpp:4761
#21 0x084fc294 in js::jit::Simulator::execute<false> (this=0xf7974000) at js/src/jit/arm/Simulator-arm.cpp:4831
#22 js::jit::Simulator::callInternal (this=0xf7974000, entry=0x3db3da38 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4916
#23 0x084fc611 in js::jit::Simulator::call (this=<optimized out>, entry=<optimized out>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4999
#24 0x0821a0c2 in EnterBaseline (cx=cx@entry=0xf791d000, data=...) at js/src/jit/BaselineJIT.cpp:162
#25 0x082345dd in js::jit::EnterBaselineMethod (cx=0xf791d000, state=...) at js/src/jit/BaselineJIT.cpp:200
#26 0x08173322 in js::RunScript (cx=0xf791d000, state=...) at js/src/vm/Interpreter.cpp:400
#27 0x081735f8 in js::InternalCallOrConstruct (cx=0xf791d000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:488
#28 0x081738af in InternalCall (cx=cx@entry=0xf791d000, args=...) at js/src/vm/Interpreter.cpp:515
#29 0x08173a4a in js::Call (cx=0xf791d000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:534
#30 0x08566272 in JS_CallFunction (cx=0xf791d000, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2907
#31 0x084835e9 in OOMTest (cx=0xf791d000, argc=1, vp=0xf55ffd88) at js/src/builtin/TestingFunctions.cpp:1549
[...]
#67 main (argc=5, argv=0xffffcdd4, envp=0xffffcdec) at js/src/shell/js.cpp:8515
eax	0x0	0
ebx	0xffffa224	-24028
ecx	0xf7da4864	-136689564
edx	0x0	0
esi	0xffff9dbc	-25156
edi	0xffff99a4	-26204
ebp	0xffff9c38	4294941752
esp	0xffff9900	4294940928
eip	0x8308f8e <js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*)+2254>
=> 0x8308f8e <js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*)+2254>:	movl   $0x0,0x0
   0x8308f98 <js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*)+2264>:	ud2
Keywords: triage-deferred
Priority: -- → P3