Closed Bug 1689065 Opened 3 years ago Closed 3 years ago

Assertion failure: cx_->hadNondeterministicException(), at jit/WarpOracle.cpp:188

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

x86_64
Linux
defect

Tracking

()

RESOLVED DUPLICATE of bug 1688136
Tracking Status
firefox87 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 20210127-3ed82636d765 (build with --enable-debug, run with --fuzzing-safe --fast-warmup --ion-offthread-compile=off):

function testMathyFunction(f, inputs) {
    var results = [];
    for (var j = 0; j < inputs.length; ++j)
      for (var k = 0; k < inputs.length; ++k)
        results.push(f(inputs[j]));
}
mathy4 = (function(x) {
  Math.fround() >>> 0 || (-0x07fffffff - ((0x080000000 | 0) ? (x | 0) : null)) ? null: null;
});
testMathyFunction(mathy4, [0, Math.PI, 0, 0, 0, 0, 0, 0, 0, 2**53 + 2, 0, 0, 0, 0, 0, 0]);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055555792abfb in js::jit::WarpOracle::createSnapshot() ()
#1  0x00005555578c8ee6 in js::jit::CreateWarpSnapshot(JSContext*, js::jit::MIRGenerator*, JS::Handle<JSScript*>) ()
#2  0x00005555578a86f8 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#3  0x00005555578a94fd in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#4  0x00003ef88ef7ae75 in ?? ()
#5  0x0000000000000000 in ?? ()
rip	0x55555792abfb <js::jit::WarpOracle::createSnapshot()+1627>
=> 0x55555792abfb <_ZN2js3jit10WarpOracle14createSnapshotEv+1627>:	movl   $0xbc,0x0
   0x55555792ac06 <_ZN2js3jit10WarpOracle14createSnapshotEv+1638>:	callq  0x555556a8aca0 <abort>
Attached file Testcase

Dup. of bug 1688136?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210127093943-42791e22621d.
The bug appears to have been introduced in the following build range:

Start: f4af0087a1b49c221f54143a10b7bebca35db49c (20210111195436)
End: febd0fad07331284c49334bab4d9c653f2c80275 (20210111195806)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f4af0087a1b49c221f54143a10b7bebca35db49c&tochange=febd0fad07331284c49334bab4d9c653f2c80275

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

This is most likely a duplicate. Can you verify whether the test case reproduces the issue with patches from Bug 1688136?

Flags: needinfo?(iireland)
Severity: -- → S4
Priority: -- → P2

I confirm that the patch from bug 1688136 fixes this.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(iireland)
Resolution: --- → DUPLICATE

Bugmon Analysis
No valid actions for resolution (DUPLICATE)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon