Closed
Bug 1526413
Opened 6 years ago
Closed 6 years ago
Crash [@ js::jit::SnapshotIterator::allocationValue] or Hit MOZ_CRASH(Unexpected type) at jit/JitFrames.cpp:1612 with BigInt
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla67
Tracking | Status
---|---
firefox-esr60 | unaffected
firefox65 | unaffected
firefox66 | unaffected
firefox67 | fixed
People
(Reporter: decoder, Assigned: wingo)
References
Details
(5 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
The following testcase crashes on mozilla-central revision 22ca3a5f976f (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --ion-eager):
const zero = BigInt(0);
[zero].includes(zero);
Backtrace:
received signal SIGSEGV, Segmentation fault.
js::jit::SnapshotIterator::allocationValue (this=this@entry=0x7fffffffba70, alloc=..., rm=rm@entry=js::jit::SnapshotIterator::RM_Normal) at js/src/jit/JitFrames.cpp:1612
#0 js::jit::SnapshotIterator::allocationValue (this=this@entry=0x7fffffffba70, alloc=..., rm=rm@entry=js::jit::SnapshotIterator::RM_Normal) at js/src/jit/JitFrames.cpp:1612
#1 0x0000555555fa0a4a in js::jit::SnapshotIterator::read (this=this@entry=0x7fffffffba70) at js/src/jit/JSJitFrameIter.h:523
#2 0x000055555616df14 in InitFromBailout (invalidate=<optimized out>, excInfo=<optimized out>, nextCallee=..., startFrameFormals=..., builder=..., iter=..., script=..., fun=..., frameNo=0, cx=0x7ffff5f16000) at js/src/jit/BaselineBailouts.cpp:874
#3 js::jit::BailoutIonToBaseline (cx=cx@entry=0x7ffff5f16000, activation=0x7fffffffc0e0, iter=..., invalidate=invalidate@entry=true, bailoutInfo=bailoutInfo@entry=0x7fffffffbdf0, excInfo=excInfo@entry=0x0) at js/src/jit/BaselineBailouts.cpp:1794
#4 0x000055555617092e in js::jit::InvalidationBailout (sp=<optimized out>, frameSizeOut=0x7fffffffbdf8, bailoutInfo=0x7fffffffbdf0) at js/src/jit/Bailouts.cpp:134
#5 0x00002785e2c152ad in ?? ()
#6 0x00007fffffffbe30 in ?? ()
#7 0x00007fffffffbdf0 in ?? ()
#8 0x0000000000000000 in ?? ()
rip 0x555555f18681 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+769>
=> 0x555555f18681 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+769>: movl $0x0,0x0
0x555555f1868c <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+780>: ud2
Not s-s as BigInt is still off by default and this looks like a safe crash.
Updated•6 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•6 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/4b74d76e55a8
user: Andy Wingo
date: Wed Feb 06 13:41:56 2019 +0000
summary: Bug 1522436 - Enable BigInt compilation by default r=jandem,terpri,froydnj
This iteration took 545.159 seconds to run.
Comment 2•6 years ago
Updated•6 years ago
Assignee: nobody → wingo
Flags: needinfo?(wingo)
Updated•6 years ago
Keywords: checkin-needed
Pushed by archaeopteryx@coole-files.de:
https://hg.mozilla.org/integration/autoland/rev/e803c3338809
Add support for reading BigInt values from bailout snapshots r=jandem
Keywords: checkin-needed
Comment 4•6 years ago
bugherder
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Updated•6 years ago
status-firefox65: --- → unaffected
status-firefox66: --- → unaffected
status-firefox-esr60: --- → unaffected
Flags: in-testsuite+