Assertion failure: numValueSlots >= frame->script()->nfixed(), at js/src/jit/JitFrames.cpp:299
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking

Branch | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox71 | --- | unaffected
firefox72 | --- | unaffected
firefox73 | --- | fixed
People
(Reporter: decoder, Assigned: jandem)
References
(Regression)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
The following testcase crashes on mozilla-central revision 053b0bb00fed (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --without-intl-api --enable-debug --enable-optimize, run with --fuzzing-safe --ion-osr=off --ion-offthread-compile=off):
```js
// Unbounded recursion inside a hot loop: the function gets Ion-compiled and
// the recursion-depth error is thrown while a new frame is still in its
// prologue (see Comment 1). With --ion-osr=off the loop is entered only
// through a fresh call, so the script starts at the JSOP_LOOPHEAD.
function canIoncompile() {
  while (true) {
    var r = canIoncompile();
  }
}
// Fuzzer noise: a sloppy-mode function declaration as the if body.
if (canIoncompile() != true)
  function p() {}
```
Backtrace:

```
received signal SIGSEGV, Segmentation fault.
#0 js::jit::BaselineTryNoteFilter::operator() (this=<optimized out>, note=0x7ffff5f5e664) at js/src/jit/JitFrames.cpp:299
#1 0x00005555566cbeb8 in js::TryNoteIter<js::jit::BaselineTryNoteFilter>::settle (this=0x7fffffdfdab0) at js/src/vm/Interpreter.h:427
#2 0x00005555566bf543 in js::jit::TryNoteIterBaseline::TryNoteIterBaseline (this=0x7ffff5f24030, cx=<optimized out>, frame=..., pc=0x7ffff5f5e621 "m\001") at js/src/jit/JitFrames.cpp:310
#3 js::jit::ProcessTryNotesBaseline (cx=<optimized out>, frame=..., ei=..., rfe=<optimized out>, pc=<optimized out>) at js/src/jit/JitFrames.cpp:345
#4 js::jit::HandleExceptionBaseline (cx=<optimized out>, frame=..., prevFrame=<optimized out>, rfe=<optimized out>) at js/src/jit/JitFrames.cpp:515
#5 js::jit::HandleException (rfe=<optimized out>) at js/src/jit/JitFrames.cpp:685
#6 0x00003fc8af6ef336 in ?? ()
[...]
#21 0x0000000000000000 in ?? ()
rax 0x555556f26b10 93825019308816
rbx 0x7fffffdfdbf8 140737486248952
rcx 0x5555574b8d00 93825025150208
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffdfd550 140737486247248
rsp 0x7fffffdfd530 140737486247216
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6cc0 140737354034368
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x7fffffdfdba8 140737486248872
r13 0x7ffff5f24000 140737319682048
r14 0x7ffff5f5e664 140737319921252
r15 0x0 0
rip 0x5555566cc07c <js::jit::BaselineTryNoteFilter::operator()(JSTryNote const*)+348>
=> 0x5555566cc07c <js::jit::BaselineTryNoteFilter::operator()(JSTryNote const*)+348>: movl $0x12b,0x0
0x5555566cc087 <js::jit::BaselineTryNoteFilter::operator()(JSTryNote const*)+359>: callq 0x5555559345f0 <abort()>
```
So far it looks like this only reproduces with --ion-osr=off, marking s-s anyway until we have confirmed that this cannot happen with OSR turned on (which is the default).
Comment 1•4 years ago
Scripts can now start with a JSOP_LOOPHEAD and the JSTRY_LOOP note for that confused BaselineTryNoteFilter when we throw an exception in the prologue. This is harmless because it ignores JSTRY_LOOP notes anyway.
Comment 2•4 years ago
Since bug 1598548 scripts can start with a JSOP_LOOPHEAD, for while-loops.
(do-while loops always start with a JSOP_NOP for the debugger.)
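To make the failure mode in Comments 1 and 2 concrete, the following is a simplified model of try-note filtering during exception unwinding. It is an added example written for this page, not SpiderMonkey's own code: the types `TryNote`, `Script`, `Frame`, `Outcome` and the two `findHandler*` functions are this example's own names, and the script layout (a while-loop note at pc 0 enclosing a try/catch, one fixed slot) is constructed. The depth check is modelled on the assertion in the title: `numValueSlots - nfixed` is an unsigned subtraction, so it only makes sense once the prologue has pushed the fixed slots.

```cpp
#include <cstdint>
#include <vector>

// Simplified model (not SpiderMonkey's code). Loop notes exist for other
// consumers; the exception unwinder ignores them, as Comment 1 states.
enum class TryNoteKind { Catch, Finally, Loop };

struct TryNote {
  TryNoteKind kind;
  uint32_t stackDepth;  // operand-stack depth (above the fixed slots) at the note
  uint32_t start;       // first pc the note covers
  uint32_t end;         // one past the last pc the note covers
};

struct Script {
  uint32_t nfixed;                // fixed local slots a frame has once its prologue ran
  std::vector<TryNote> tryNotes;
};

struct Frame {
  const Script* script;
  uint32_t numValueSlots;  // value slots pushed so far; below nfixed while still in the prologue
};

struct Outcome {
  bool assertionFailed;  // the "numValueSlots >= nfixed" check would have fired
  bool matched;          // the note was selected as the handler for pc
};

static bool unwinderIgnores(TryNoteKind k) { return k == TryNoteKind::Loop; }

static bool covers(const TryNote& n, uint32_t pc) { return pc >= n.start && pc < n.end; }

// A note applies when the frame's operand stack is at least as deep as the
// note recorded. Computing that depth needs numValueSlots >= nfixed first.
static Outcome depthCheck(const Frame& f, const TryNote& n) {
  if (f.numValueSlots < f.script->nfixed) {
    return {true, false};  // MOZ_ASSERT(numValueSlots >= nfixed) aborts here
  }
  uint32_t currDepth = f.numValueSlots - f.script->nfixed;
  return {false, n.stackDepth <= currDepth};
}

// Ordering that reproduces the report: every note covering pc goes through
// the depth check, including a Loop note that is discarded right afterwards.
Outcome findHandlerCheckFirst(const Frame& f, uint32_t pc) {
  for (const TryNote& n : f.script->tryNotes) {
    if (!covers(n, pc)) continue;
    Outcome o = depthCheck(f, n);
    if (o.assertionFailed) return o;
    if (o.matched && !unwinderIgnores(n.kind)) return o;
  }
  return {false, false};
}

// Ordering that discards ignored kinds before touching frame state, so a
// Loop note starting at pc 0 cannot trip the check for a prologue throw.
Outcome findHandlerSkipFirst(const Frame& f, uint32_t pc) {
  for (const TryNote& n : f.script->tryNotes) {
    if (!covers(n, pc) || unwinderIgnores(n.kind)) continue;
    Outcome o = depthCheck(f, n);
    if (o.assertionFailed || o.matched) return o;
  }
  return {false, false};
}

// Constructed script: a while-loop whose JSTRY_LOOP note begins at pc 0
// (the script starts with the loop head), a try/catch inside the loop body,
// and one fixed local slot.
static const Script kScript{1, {
  {TryNoteKind::Loop, 0, 0, 12},
  {TryNoteKind::Catch, 0, 4, 9},
}};

// Exception thrown in the prologue: pc 0, no value slots pushed yet.
Outcome prologueThrowCheckFirst() { Frame f{&kScript, 0}; return findHandlerCheckFirst(f, 0); }
Outcome prologueThrowSkipFirst()  { Frame f{&kScript, 0}; return findHandlerSkipFirst(f, 0); }

// Exception thrown inside the try block once the fixed slot is in place.
Outcome bodyThrowSkipFirst() { Frame f{&kScript, 1}; return findHandlerSkipFirst(f, 6); }
```

Only the prologue case differs between the two orderings: the first one fails the assertion on a note it would have ignored anyway, the second reports no handler (which is correct, since nothing covers pc 0 except the loop note) and both agree on a throw inside the try block.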