Closed
Bug 1919652
Opened 5 months ago
Closed 5 months ago
Assertion failure: masm.framePushed() == ionScript->frameSize() + sizeOfLiveRegsInBytes, at jit/IonCacheIRCompiler.cpp:229
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
132 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox130 | --- | unaffected |
| firefox131 | --- | unaffected |
| firefox132 | --- | fixed |
People
(Reporter: gkw, Assigned: anba)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, reporter-external, testcase)
Attachments
(2 files)
oomTest(function () {
2n % 2n;
var x = (function () {
return 0;
})();
for (var i = 0; i < 99; i++) {
x++;
}
});
228 MOZ_ASSERT(masm.framePushed() ==
(gdb) bt
#0 js::jit::CacheRegisterAllocator::saveIonLiveRegisters (this=this@entry=0x7fffffffb8f0, masm=..., liveRegs=..., scratch=..., ionScript=0x7ffff64efe00)
at /home/genxps15/trees/mozilla-central/js/src/jit/IonCacheIRCompiler.cpp:228
#1 0x000055555841cb4b in js::jit::AutoSaveLiveRegisters::AutoSaveLiveRegisters (this=0x7fffffffac40, compiler=...)
at /home/genxps15/trees/mozilla-central/js/src/jit/IonCacheIRCompiler.cpp:92
#2 0x000055555822a410 in mozilla::Maybe<js::jit::AutoSaveLiveRegisters>::emplace<js::jit::IonCacheIRCompiler&> (this=0x7ffff7be7700 <_IO_stdfile_2_lock>,
aArgs=...) at /home/genxps15/shell-cache/js-dbg-64-linux-x86_64-1c5ae0e00db2/objdir-js/dist/include/mozilla/Maybe.h:1015
#3 js::jit::AutoCallVM::AutoCallVM (this=this@entry=0x7fffffffabd0, masm=..., compiler=compiler@entry=0x7fffffffae40, allocator=...)
at /home/genxps15/trees/mozilla-central/js/src/jit/CacheIRCompiler.cpp:11128
#4 0x00005555581eacf4 in js::jit::CacheIRCompiler::emitIntPtrToBigIntResult (this=0x7fffffffae40, inputId=...)
at /home/genxps15/trees/mozilla-central/js/src/jit/CacheIRCompiler.cpp:3781
#5 0x000055555842185f in js::jit::CacheIRCompiler::emitIntPtrToBigIntResult (this=0x7fffffffae40, reader=...)
at /home/genxps15/trees/mozilla-central/js/src/jit/CacheIRCompiler.h:891
/snip
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/f97810bec9c0
user: André Bargull
date: Wed Sep 11 11:25:27 2024 +0000
summary: Bug 1914631 - Part 13: Support division and modulus. r=spidermonkey-reviewers,jandem
Run with --fuzzing-safe --no-threads --fast-warmup, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 1c5ae0e00db2.
Setting s-s just in case. :anba, is bug 1914631 a likely regressor?
Flags: sec-bounty?
Flags: needinfo?(andrebargull)
|
||
Comment 1•5 months ago
|
||
Set release status flags based on info from the regressing bug 1914631
status-firefox130:
--- → unaffected
status-firefox131:
--- → unaffected
status-firefox-esr115:
--- → unaffected
status-firefox-esr128:
--- → unaffected
|
Assignee | |
Comment 2•5 months ago
|
||
|
||
Updated•5 months ago
|
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 3•5 months ago
|
||
The assertions were just missing some checks to account for OOM.
Flags: needinfo?(andrebargull)
|
||
Comment 4•5 months ago
|
||
This bug can be opened up. (I can't do this myself because it's in core-securty and not in the JS group.)
|
||
Updated•5 months ago
|
Group: core-security
Pushed by andre.bargull@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/b96aca9c553a
Don't assert pushed frames are correct after oom. r=jandem
|
||
Comment 6•5 months ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch
|
||
Updated•5 months ago
|
Flags: sec-bounty? → sec-bounty-
You need to log in
before you can comment on or make changes to this bug.
Description
•