Assertion failure: startOfUninitialized <= nfixed, at jit/MacroAssembler.cpp:922
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking
()
People
(Reporter: nils.bars, Assigned: jandem)
References
(Blocks 3 open bugs, Regression)
Details
(Keywords: regression, reporter-external)
Attachments
(2 files)
|
776 bytes,
text/plain
|
Details | |
|
Bug 1902907 - Don't leak template RegExpObject to JS through 'disassemble' testing function. r?arai!
48 bytes,
text/x-phabricator-request
|
Details | Review |
Steps to reproduce:
Checkout commit 97eeb1c55a5c73bd3938d4899685321a7967333b and invoke the js shell as follows:
js --fuzzing-safe <testcase>
Actual results:
Assertion failure: startOfUninitialized <= nfixed, at jit/MacroAssembler.cpp:922
|
||
Updated•21 days ago
|
|
|
||
Updated•21 days ago
|
|
|
||
Updated•21 days ago
|
|
Assignee | |
Comment 1•21 days ago
•
|
||
Reduced test below.
// --fast-warmup --no-threads
Object.defineProperty(RegExp.prototype, "flags", {get: function() {
Array.prototype.push.call(this);
}});
function f() {
var s = disassemble();
for (var i = 0; i < 200; i++) {
s.replace(/0./);
}
}
f();
|
|
Assignee | |
Comment 2•21 days ago
|
||
Oh this is creative. The disassemble() call ends up calling ValueToSource on the script's template RegExp object. Unfortunately this can have side-effects, in this case it invokes our custom flags getter and this messes up the template object enough to confuse codegen later.
disassemble is a testing function that's not exposed to normal JS code.
|
|
Assignee | |
Updated•21 days ago
|
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6b239eb7bae6
user: Tooru Fujisawa
date: Tue Aug 02 13:56:27 2022 +0000
summary: Bug 1782166 - Part 1: Add JSScript::dump and move shell dis() function implementation into it. r=nbp
Jan, would bug 1782166 be a likely regressor, since you're already working on it?
|
||
Comment 4•21 days ago
|
||
Set release status flags based on info from the regressing bug 1782166
|
||
Updated•21 days ago
|
|
||
Updated•20 days ago
|
|
|
Assignee | |
Comment 5•19 days ago
|
||
Call ToDisassemblySource instead of ValueToSource because it handles this without
calling into JS.
The JSOp::Object and JSOp::CallSiteObj objects can have a similar issue, but these
objects are already exposed to script so aren't affected the same way. I tried to add
a special mode to ValueToSource to handle these objects too without running JS, but it
got too complicated for this testing function issue.
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/09d29cf7128f Don't leak template RegExpObject to JS through 'disassemble' testing function. r=arai
|
||
Comment 7•18 days ago
|
||
| bugherder | ||
|
|
||
Comment 8•17 days ago
|
||
The patch landed in nightly and beta is affected.
:jandem, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox128towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Updated•17 days ago
|
|
||
Updated•6 days ago
|
Description
•