Closed Bug 1683616 Opened 3 years ago Closed 3 years ago

Assertion failure: !outerScript->hadEagerTruncationBailout(), at jit/BaselineBailouts.cpp:2026

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1683535
Tracking Flags:
Tracking Status
firefox86 --- affected

People

(Reporter: gkw, Unassigned)

References

(Regression)

Details

(Keywords: regression, testcase)

+++ This bug was initially created as a clone of Bug #1681597 +++

function f(x, y) {
    (Math.log() ? 0 : Math.abs(~y)) ^ x ? x : x;
}
for (let i = 0; i < 52; i++) {
    f(0, -2147483649);
}

(gdb) bt
#0  js::jit::FinishBailoutToBaseline (bailoutInfoArg=0x0) at /home/skygentoo/trees/mozilla-central/js/src/jit/BaselineBailouts.cpp:2026
#1  0x00000996fed3e1e7 in ?? ()
#2  0x0a08083004bd3802 in ?? ()
#3  0x00007fffffffb498 in ?? ()
#4  0x6d1403050a080838 in ?? ()
#5  0x00000996fed691a1 in ?? ()
#6  0x00007fffffffb508 in ?? ()
#7  0x00000000000000ff in ?? ()
#8  0x00000996fed691a1 in ?? ()
#9  0x0000000000005021 in ?? ()
#10 0x00002037cfa9a060 in ?? ()
#11 0x00007ffff6986500 in ?? ()
#12 0x00007ffff695b9a0 in ?? ()
#13 0x00002037cfa78040 in ?? ()
#14 0x00007ffff695b940 in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb)

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7fbcdc47728f
user:        Iain Ireland
date:        Tue Dec 08 21:34:32 2020 +0000
summary:     Bug 1676639: Add BailoutKind::EagerTruncation r=jandem

Run with --fuzzing-safe --no-threads --fast-warmup, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev 13f304ed6039.

Not sure if this is s-s yet. Iain, thoughts?

Flags: sec-bounty?
Flags: needinfo?(iireland)

We already filed this on Sunday as jsfunfuzz hits this frequently.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE

Do I get to access bug 1683535? Currently I cannot see it.

Going forward, do I get to access such bugs if their dupes are found?

Similarly to the previous bug, this is just a performance issue, not security-sensitive.

I'm landing a patch in the other bug to remove the assertion for now. When I add it back in, I'll include a comment indicating that it's unrelated to correctness.

Flags: needinfo?(iireland)
Group: core-security
Flags: sec-bounty? → sec-bounty-
Has Regression Range: --- → yes
Keywords: regression
You need to log in before you can comment on or make changes to this bug.