Assertion failure: !outerScript->hadEagerTruncationBailout(), at jit/BaselineBailouts.cpp:2026
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox86 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
(Regression)
Details
(Keywords: regression, testcase)
+++ This bug was initially created as a clone of Bug #1681597 +++
```js
function f(x, y) {
    (Math.log() ? 0 : Math.abs(~y)) ^ x ? x : x;
}
for (let i = 0; i < 52; i++) {
    f(0, -2147483649);
}
```
```
(gdb) bt
#0 js::jit::FinishBailoutToBaseline (bailoutInfoArg=0x0) at /home/skygentoo/trees/mozilla-central/js/src/jit/BaselineBailouts.cpp:2026
#1 0x00000996fed3e1e7 in ?? ()
#2 0x0a08083004bd3802 in ?? ()
#3 0x00007fffffffb498 in ?? ()
#4 0x6d1403050a080838 in ?? ()
#5 0x00000996fed691a1 in ?? ()
#6 0x00007fffffffb508 in ?? ()
#7 0x00000000000000ff in ?? ()
#8 0x00000996fed691a1 in ?? ()
#9 0x0000000000005021 in ?? ()
#10 0x00002037cfa9a060 in ?? ()
#11 0x00007ffff6986500 in ?? ()
#12 0x00007ffff695b9a0 in ?? ()
#13 0x00002037cfa78040 in ?? ()
#14 0x00007ffff695b940 in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb)
```
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7fbcdc47728f
user: Iain Ireland
date: Tue Dec 08 21:34:32 2020 +0000
summary: Bug 1676639: Add BailoutKind::EagerTruncation r=jandem
Run with `--fuzzing-safe --no-threads --fast-warmup`, compile with `AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests`, tested on m-c rev 13f304ed6039.
Not sure if this is s-s yet. Iain, thoughts?
Comment 1•3 years ago
We already filed this on Sunday as jsfunfuzz hits this frequently.
Reporter
Comment 3•3 years ago
Do I get to access bug 1683535? Currently I cannot see it.
Going forward, do I get to access such bugs if their dupes are found?
Comment 4•3 years ago
Similarly to the previous bug, this is just a performance issue, not security-sensitive.
I'm landing a patch in the other bug to remove the assertion for now. When I add it back in, I'll include a comment indicating that it's unrelated to correctness.