Closed Bug 1879688 Opened 1 year ago Closed 1 year ago

Assertion failure: masm.framePushed() == frameSize(), at jit/CodeGenerator.cpp:3664

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
124 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox122 --- wontfix
firefox123 --- wontfix
firefox124 --- fixed

People

(Reporter: gkw, Assigned: anba)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(1 file)

let x = 0;
oomTest(function () {
  let y = x++;
  [](y.toString(y));
});
(gdb) bt
#0  js::jit::CodeGenerator::visitOsiPoint (this=this@entry=0x7ffff64ee200, lir=lir@entry=0x7ffff6468000) at /home/ubumain/trees/mozilla-central/js/src/jit/CodeGenerator.cpp:3664
#1  0x00005555581f7edd in js::jit::CodeGenerator::generateBody (this=this@entry=0x7ffff64ee200) at /home/ubumain/trees/mozilla-central/js/src/jit/CodeGenerator.cpp:7388
#2  0x00005555582577e2 in js::jit::CodeGenerator::generate (this=0x7ffff64ee200) at /home/ubumain/trees/mozilla-central/js/src/jit/CodeGenerator.cpp:15230
#3  0x00005555582a9076 in js::jit::GenerateCode (mir=0x7ffff6463180, lir=0x7ffff6466900) at /home/ubumain/trees/mozilla-central/js/src/jit/Ion.cpp:1585
#4  js::jit::CompileBackEnd (mir=mir@entry=0x7ffff6463180, snapshot=snapshot@entry=0x7ffff6463550) at /home/ubumain/trees/mozilla-central/js/src/jit/Ion.cpp:1614
#5  0x00005555582aa486 in js::jit::IonCompile (cx=0x7ffff6631500, script=..., osrPc=<optimized out>) at /home/ubumain/trees/mozilla-central/js/src/jit/Ion.cpp:1736
#6  js::jit::Compile (cx=cx@entry=0x7ffff6631500, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffc328, osrPc=osrPc@entry=0x0) at /home/ubumain/trees/mozilla-central/js/src/jit/Ion.cpp:1890
#7  0x00005555582ab1f3 in BaselineCanEnterAtEntry (cx=0x7ffff6631500, frame=0x7fffffffc328, script=...) at /home/ubumain/trees/mozilla-central/js/src/jit/Ion.cpp:2022
#8  IonCompileScriptForBaseline (cx=0x7ffff6631500, frame=0x7fffffffc328, pc=<optimized out>) at /home/ubumain/trees/mozilla-central/js/src/jit/Ion.cpp:2147
#9  0x00001142644e33a6 in ?? ()
#10 0x00007fffffffc370 in ?? ()
#11 0x00000000000000ab in ?? ()
#12 0x00007fffffffc370 in ?? ()
#13 0x00001142645328c5 in ?? ()
#14 0x0000000000000001 in ?? ()
#15 0x00007fffffffc328 in ?? ()
#16 0xfff9800000000000 in ?? ()
#17 0x000005bb30666060 in ?? ()
#18 0x0000000000000000 in ?? ()
(gdb)
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/1c95cd727056
user:        André Bargull
date:        Tue Nov 29 13:52:54 2022 +0000
summary:     Bug 1802497 - Part 5: Inline Number.prototype.toString when an explicit "base" argument is present. r=jandem

Run with --fuzzing-safe --no-threads --no-ggc --baseline-warmup-threshold=10 --ion-warmup-threshold=0, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 9c7562b79131.

Setting s-s to be safe. Andre, is bug 1802497 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(andrebargull)

Set release status flags based on info from the regressing bug 1802497

Group: core-security → javascript-core-security

This is an old issue, dating back to when MacroAssembler::flexibleDivMod32 was first added (bug 1438727). But it's likely that the error condition is only reachable through the changes from bug 1802497:

MacroAssembler::flexibleDivMod32 pushes registers on the stack, but returns early after oom. This leaves the registers on the stack and later debug assertions are confused about the extra registers on the stack. I don't think this is security-sensitive, because we throw away all generated code when the MacroAssembler's oom-flag is set.

Flags: needinfo?(andrebargull)
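The push/pop imbalance described in comment 2, sketched as an added C++ example that is not SpiderMonkey code: `ToyMasm`, its `framePushed` counter, the `oomFlag`, and both helper functions are constructed here to show why an early return after oom trips a `framePushed()` style assertion, and why simply continuing to emit (as the landed fix does) keeps the accounting balanced.

```cpp
// Added illustration (not SpiderMonkey code): a toy assembler that tracks the
// bytes pushed by a helper, mirroring the framePushed() bookkeeping that the
// assertion in the report checks. The oom flag, the "instruction" words and
// the helper's shape are constructed for this example.
#include <cstdint>
#include <vector>

struct ToyMasm {
    bool oomFlag = false;        // set when code-buffer growth fails
    uint32_t framePushed = 0;    // bytes pushed by the helper and not yet popped
    std::vector<uint32_t> code;  // emitted "instructions" (opaque words)

    void emit(uint32_t op) { if (!oomFlag) code.push_back(op); }
    void push() { framePushed += 8; emit(0x50); }
    void pop()  { framePushed -= 8; emit(0x58); }
    // Simulate the code buffer running out of memory mid-sequence.
    bool tryAllocate(bool ok) { if (!ok) oomFlag = true; return ok; }
};

// Buggy shape: bail out of the helper as soon as oom is observed, leaving the
// saved registers on the (virtual) stack and framePushed out of balance.
uint32_t divModWithEarlyReturn(ToyMasm& masm, bool allocOk) {
    masm.push();                       // save scratch register
    masm.push();                       // save a second register
    if (!masm.tryAllocate(allocOk)) {
        return masm.framePushed;       // early return: the pops never run
    }
    masm.emit(0xF7);                   // the division itself
    masm.pop();
    masm.pop();
    return masm.framePushed;
}

// Fixed shape (the idea behind the landed patch: no early return after oom):
// keep going. Emission is a no-op once oomFlag is set and the whole
// compilation is discarded anyway, but the push/pop accounting stays balanced,
// so a later debug assertion on framePushed sees the expected value.
uint32_t divModBalanced(ToyMasm& masm, bool allocOk) {
    masm.push();
    masm.push();
    masm.tryAllocate(allocOk);         // result only matters for oomFlag
    masm.emit(0xF7);
    masm.pop();
    masm.pop();
    return masm.framePushed;           // always back to the entry value
}
```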

Opening up per comment 2.

Group: javascript-core-security
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P2
Attachment #9379469 - Attachment description: Bug 1879688: Restore frame pushed to placate debug assertions. r=jandem! → Bug 1879688: Remove unnecessary early returns after oom. r=jandem!
Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/f5b3fb65351e Remove unnecessary early returns after oom. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch
Flags: sec-bounty? → sec-bounty-
