Closed Bug 1394791 Opened 7 years ago Closed 7 years ago

Assertion failure: stub->monitorsThis() || *GetNextPc(pc) == JSOP_CHECKTHIS || *GetNextPc(pc) == JSOP_CHECKTHISREINIT || *GetNextPc(pc) == JSOP_CHECKRETURN, at js/src/jit/SharedIC.cpp:2495 with Module

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1394493
Tracking Flags:
Tracking Status
firefox56 --- fixed
firefox57 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update][adv-main56-])

The following testcase crashes on mozilla-central revision d10c97627b51 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2): var await = a => b => a; setJitCompilerOption("baseline.warmup.trigger", 0); function evalModuleAndCheck(source, expected) { let m = parseModule(source); await (getModuleEnvironmentValue(m, "r"), expected); } evalModuleAndCheck("export let r = x; x = 2;", 1); Backtrace: received signal SIGSEGV, Segmentation fault. 0x000000000082ca6a in js::jit::DoTypeMonitorFallback (cx=0x7ffff6924000, frame=<optimized out>, stub=0x7ffff4eb4058, value=..., res=...) at js/src/jit/SharedIC.cpp:2492 #0 0x000000000082ca6a in js::jit::DoTypeMonitorFallback (cx=0x7ffff6924000, frame=<optimized out>, stub=0x7ffff4eb4058, value=..., res=...) at js/src/jit/SharedIC.cpp:2492 #1 0x000030f5014096e7 in ?? () #2 0x00007fffffffba98 in ?? () #3 0x00007fffffffba28 in ?? () #4 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7ffff4eb4058 140737302446168 rcx 0x7ffff6c28a2d 140737333332525 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffffba00 140737488337408 rsp 0x7fffffffb910 140737488337168 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4740 140737354024768 r10 0x58 88 r11 0x7ffff6b9f750 140737332770640 r12 0x7ffff5295280 140737306514048 r13 0x7fffffffba60 140737488337504 r14 0x7ffff6924000 140737330167808 r15 0x7ffff4f77330 140737303245616 rip 0x82ca6a <js::jit::DoTypeMonitorFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICTypeMonitor_Fallback*, JS::HandleValue, JS::MutableHandleValue)+2058> => 0x82ca6a <js::jit::DoTypeMonitorFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICTypeMonitor_Fallback*, JS::HandleValue, JS::MutableHandleValue)+2058>: movl $0x0,0x0 0x82ca75 <js::jit::DoTypeMonitorFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICTypeMonitor_Fallback*, JS::HandleValue, JS::MutableHandleValue)+2069>: ud2 Marking s-s because this is an IC assertion.
Probably the same issue as bug 1394493.
Depends on: 1394493
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151008024831" and the hash "af903bae2619af2c0719f5a2734e5f39f0fa6743". The "bad" changeset has the timestamp "20151008025132" and the hash "1ac68e528d122516c02444c0bec1e03e06645211". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=af903bae2619af2c0719f5a2734e5f39f0fa6743&tochange=1ac68e528d122516c02444c0bec1e03e06645211
Flags: needinfo?(jcoppeard)
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
Looks like this was fixed in 56 (released a couple of weeks ago).
status-firefox56: --- → fixed
status-firefox57: affectedfixed
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main56-]
Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.