Closed Bug 1947125 Opened 1 month ago Closed 1 month ago

Assertion failure: cx_->hadResourceExhaustion(), at jit/WarpOracle.cpp:206

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
137 Branch
Tracking Flags:
Tracking Status
firefox-esr128 --- unaffected
firefox135 --- unaffected
firefox136 --- unaffected
firefox137 --- verified

People

(Reporter: decoder, Assigned: iain)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

Detailed Crash Information
3.79 KB, text/plain
Details
Testcase
44 bytes, text/plain
Details
Bug 1947125: Fix branchTestNaNValue on x86 r=jandem
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20250210-9e1ae12b6d8f (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

function a() {
  Math[-this] & new a;
}
a();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x58f4d5e9 in js::jit::WarpOracle::createSnapshot() ()
#1  0x58e884c5 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#2  0x58e89511 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#3  0x58e88ff3 in js::jit::IonCompileScriptForBaselineAtEntry(JSContext*, js::jit::BaselineFrame*) ()
#4  0x4b74d088 in ?? ()
[...]
#127 0x4b782a5b in ?? ()
eax	0x0	0
ebx	0x598ab310	1502262032
ecx	0xce	206
edx	0xf7c42cc7	-138138425
esi	0x364dccd4	911068372
edi	0xfff95c78	-435080
ebp	0xfff95c08	4294532104
esp	0xfff95bb0	4294532016
eip	0x58f4d5e9 <js::jit::WarpOracle::createSnapshot()+1897>
=> 0x58f4d5e9 <_ZN2js3jit10WarpOracle14createSnapshotEv+1897>:	mov    %ecx,(%eax)
   0x58f4d5eb <_ZN2js3jit10WarpOracle14createSnapshotEv+1899>:	call   0x57e325e0 <abort>
Attached file Testcase

Verified bug as reproducible on mozilla-central 20250210093033-9e1ae12b6d8f.
The bug appears to have been introduced in the following build range:

Start: c3fad748e37c53bcbcc913168cd9570a13ba4c0f (20250207175414)
End: 4e9c0a710588f889ae6c5b7272ea111c05515014 (20250207193227)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c3fad748e37c53bcbcc913168cd9570a13ba4c0f&tochange=4e9c0a710588f889ae6c5b7272ea111c05515014

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

From the range, bug 1943704 seems the most suspect. Iain?

Flags: needinfo?(iireland)
Regressed by: 1943704

Set release status flags based on info from the regressing bug 1943704

status-firefox135: --- → unaffected
status-firefox136: --- → unaffected
status-firefox-esr128: --- → unaffected
Assignee: nobody → iireland
Status: NEW → ASSIGNED
Blocks: sm-opt-jits
Severity: -- → S3
Priority: -- → P1
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fc20ef182b36 Fix branchTestNaNValue on x86 r=jandem

https://hg.mozilla.org/mozilla-central/rev/fc20ef182b36

Status: ASSIGNED → RESOLVED
Closed: 1 month ago
status-firefox137: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 137 Branch

Verified bug as fixed on rev mozilla-central 20250212093207-11a45cb6835c.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox137: fixedverified
Keywords: bugmon
Flags: needinfo?(iireland)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: