Assertion failure: baselineFrame()->debugFrameSize() == *baselineFrameSize_, at jit/JSJitFrameIter.cpp:219
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox-esr102 | --- | unaffected |
| firefox101 | --- | unaffected |
| firefox102 | --- | unaffected |
| firefox103 | --- | fixed |
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20220620-650064fa4401 (debug build, run with --fuzzing-safe --no-threads --fast-warmup):
function main() {
function v7() {
try {
function* v11(v13) {
yield* v13;
}
const v15 = [13.37,13.37,13.37];
const v17 = v11(v15);
const v18 = v7();
for (const v19 of v17)
v20 = v19[[-2623679780]];
const v30 = Reflect.parse([]);
const v32 = v7();
} catch(v33) {}
}
v7();
}
main();
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555557af92d5 in js::jit::JSJitFrameIter::operator++() ()
#1 0x0000555556e76fe1 in js::JitFrameIter::operator++() ()
#2 0x0000555557b01b13 in js::jit::HandleException(js::jit::ResumeFromException*) ()
#3 0x00001e7ac1817576 in ?? ()
[...]
#19 0x0000000000000000 in ?? ()
rax 0x555555836343 93824995255107
rbx 0x7fffffdfdf30 140737486249776
rcx 0x555558218c78 93825039174776
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffdfdbe0 140737486248928
rsp 0x7fffffdfdbe0 140737486248928
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x0 0
r13 0x7ffff602a200 140737320755712
r14 0x7fffffdfdf38 140737486249784
r15 0x7fffffdfdf30 140737486249776
rip 0x555557af92d5 <js::jit::JSJitFrameIter::operator++()+453>
=> 0x555557af92d5 <_ZN2js3jit14JSJitFrameIterppEv+453>: movl $0xdb,0x0
0x555557af92e0 <_ZN2js3jit14JSJitFrameIterppEv+464>: callq 0x555556bee368 <abort>
S-s because this is a JIT assert.
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 2•3 years ago
|
||
|
||
Updated•3 years ago
|
|
|
||
Comment 3•3 years ago
|
||
Also tidy up the code a bit: don't push an exit frame if there was no failure,
because we'll immediately clobber it with the Baseline frames anyway.
|
||
Updated•3 years ago
|
|
||
Comment 4•3 years ago
|
||
Set release status flags based on info from the regressing bug 1774390
|
||
Comment 5•3 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220620095248-650064fa4401.
The bug appears to have been introduced in the following build range:
Start: d70914c7f1f3a1fe7cbbee8ff237075d06958f79 (20220616081031)
End: bdfcc8363de574df5125562b6731108b1251aa42 (20220616081143)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d70914c7f1f3a1fe7cbbee8ff237075d06958f79&tochange=bdfcc8363de574df5125562b6731108b1251aa42
|
||
Updated•3 years ago
|
|
||
Comment 6•3 years ago
|
||
Use correct ExitFrameType for bailout exception. r=iain
https://hg.mozilla.org/integration/autoland/rev/2cf4891623895de20c24f42172787365e414fa94
https://hg.mozilla.org/mozilla-central/rev/2cf489162389
|
|
||
Comment 7•3 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220621155243-802e5ef4670f.
|
|
||
Comment 8•3 years ago
|
||
Set release status flags based on info from the regressing bug 1774390
|
||
Updated•3 years ago
|
Description
•