Hit MOZ_CRASH(Currently unreachable) at jit/CacheIR.h:456
Categories: Core :: JavaScript Engine: JIT, defect
Tracking
Branch | Tracking | Status
---|---|---
firefox-esr91 | --- | unaffected
firefox99 | --- | unaffected
firefox100 | --- | unaffected
firefox101 | --- | verified
People: Reporter: decoder, Assigned: anba
References: Regression
Details: 4 keywords, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker]
Attachments: 3 files
The following testcase crashes on mozilla-central revision 20220413-4f936f5e57c8 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager test.js):
[].constructor.call(undefined, 2)
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x5865e3a2 in js::jit::GetIndexOfArgument(js::jit::ArgumentKind, js::jit::CallFlags, bool*) ()
#1 0x588894e9 in js::jit::CacheIRWriter::loadArgumentFixedSlot(js::jit::ArgumentKind, unsigned int, js::jit::CallFlags) ()
#2 0x588a9d88 in js::jit::InlinableNativeIRGenerator::tryAttachArrayConstructor() ()
#3 0x588a5277 in js::jit::InlinableNativeIRGenerator::tryAttachStub() ()
#4 0x588a4b93 in js::jit::CallIRGenerator::tryAttachFunCall(JS::Handle<JSFunction*>) ()
#5 0x588aef4d in js::jit::CallIRGenerator::tryAttachStub() ()
#6 0x585f7e4d in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
[...]
#10 0x58a557b2 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) ()
[...]
#19 0x57ab58d6 in main ()
eax 0x56845b6d 1451514733
ebx 0x591587c4 1494583236
ecx 0x5915a29c 1494590108
edx 0xf7b74cc7 -138982201
esi 0xff9fe15b -6299301
edi 0xff9fe260 -6299040
ebp 0xff9fe138 4288667960
esp 0xff9fe120 4288667936
eip 0x5865e3a2 <js::jit::GetIndexOfArgument(js::jit::ArgumentKind, js::jit::CallFlags, bool*)+530>
=> 0x5865e3a2 <_ZN2js3jit18GetIndexOfArgumentENS0_12ArgumentKindENS0_9CallFlagsEPb+530>: movl $0x1c8,0x0
0x5865e3ac <_ZN2js3jit18GetIndexOfArgumentENS0_12ArgumentKindENS0_9CallFlagsEPb+540>: call 0x57b3e9ef <abort>
Marking as fuzzblocker due to frequent failures since the test is really easy.
Reporter, Comment 1 • 3 years ago
Reporter, Comment 2 • 3 years ago
Assignee, Comment 4 • 3 years ago
GetIndexOfArgument() doesn't yet support CallFlags::FunCall, so when we inline the Array constructor through Function.prototype.call, use CallFlags::Standard instead.

This is the only place where CallFlags::FunCall can be passed through to GetIndexOfArgument().

Changing GetIndexOfArgument() to support CallFlags::FunCall isn't straightforward, because the argument indices are different depending on whether or not this is an inlined or non-inlined Function.prototype.call.
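The following is an added regression check, not the reporter's testcase and not code from the SpiderMonkey tree. It exercises the call shape from the crash, the Array constructor reached through Function.prototype.call (the CallFlags::FunCall inlining path comment 4 describes), across several this-values and argument counts, and compares each result with a direct Array(...) call; Array ignores `this` when called as a function, so the two must agree. It is meant to be run in a fixed js shell with the reporter's flags (--fuzzing-safe --ion-offthread-compile=off --baseline-eager); the iteration count is an assumption, chosen to let the call IC warm up when the shell is run without --baseline-eager. The function and constant names are mine.

```javascript
"use strict";

// Fixed-arity call sites. A spread call (f.call(t, ...args)) takes a different
// IC path, so each arity gets its own site, mirroring the reporter's one-liner
// [].constructor.call(undefined, 2).
function callArrayNoArgs(thisv) { return [].constructor.call(thisv); }
function callArrayOneArg(thisv, a) { return [].constructor.call(thisv, a); }
function callArrayTwoArgs(thisv, a, b) { return [].constructor.call(thisv, a, b); }

// this-values that Array must ignore; undefined is the reporter's case.
const THIS_VALUES = [undefined, null, 0, "str", {}, []];

// Compare an array produced through .call against a directly constructed one,
// keeping the hole-vs-undefined distinction (Array(n) creates holes).
function sameArray(actual, expected) {
  if (!Array.isArray(actual) || actual.length !== expected.length) return false;
  for (let i = 0; i < expected.length; i++) {
    if ((i in actual) !== (i in expected)) return false;
    if (actual[i] !== expected[i]) return false;
  }
  return true;
}

// True when both thunks throw the same error class (RangeError for an invalid
// array length such as -1 or 1.5); false if either does not throw.
function sameThrow(viaCallThunk, directThunk) {
  let viaCall, viaDirect;
  try { viaCallThunk(); } catch (e) { viaCall = e.constructor; }
  try { directThunk(); } catch (e) { viaDirect = e.constructor; }
  return viaCall !== undefined && viaCall === viaDirect;
}

// Run every variant `iterations` times (assumed warm-up count) and return the
// number of checks performed, or throw on the first semantic mismatch. On an
// unfixed debug build the first call to callArrayOneArg hits the MOZ_CRASH
// instead and nothing returns.
function runArrayCallChecks(iterations) {
  let checks = 0;
  for (let i = 0; i < iterations; i++) {
    for (const thisv of THIS_VALUES) {
      if (!sameArray(callArrayNoArgs(thisv), Array())) throw new Error("no args");
      if (!sameArray(callArrayOneArg(thisv, 2), Array(2))) throw new Error("length 2");
      if (!sameArray(callArrayOneArg(thisv, "2"), Array("2"))) throw new Error("single non-number");
      if (!sameArray(callArrayTwoArgs(thisv, 2, 3), Array(2, 3))) throw new Error("two args");
      if (!sameThrow(() => callArrayOneArg(thisv, -1), () => Array(-1))) throw new Error("negative length");
      if (!sameThrow(() => callArrayOneArg(thisv, 1.5), () => Array(1.5))) throw new Error("fractional length");
      checks += 6;
    }
  }
  return checks;
}

runArrayCallChecks(200);
```

Each this-value goes through the same six checks, so the run completes only if the inlined FunCall path produces the same arrays and the same RangeErrors as a direct constructor call.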
Updated • 3 years ago
Assignee, Comment 6 • 3 years ago
FWIW, I don't think this issue needs to be hidden, because we always hit a MOZ_CRASH.
Updated • 3 years ago (Reporter)
Comment 8 • 3 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220414092955-6c55ba30c858.
The bug appears to have been introduced in the following build range:
Start: 85290d18c6eeab2c1b741e2c92d2b6eaa252a7d5 (20220412213655)
End: 4f936f5e57c8e7c6b25d95e167a4480cbd61fc46 (20220413180638)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=85290d18c6eeab2c1b741e2c92d2b6eaa252a7d5&tochange=4f936f5e57c8e7c6b25d95e167a4480cbd61fc46
Comment 9 • 3 years ago (bugherder)
Comment 10 • 3 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220414214512-d8f67ac43580.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 11 • 3 years ago
:anba, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Comment 12 • 3 years ago
Set release status flags based on info from the regressing bug 1738413
Updated • 3 years ago