Closed Bug 1055015 Opened 10 years ago Closed 10 years ago

Assertion failure: false (MOZ_ASSERT_UNREACHABLE: ToInt32 invalid input type), at jit/Lowering.cpp:1871 with Symbol

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1054753
Tracking Status
firefox34 --- affected

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision 0aaa2d3d15cc (run with --no-threads --fuzzing-safe --ion-eager):

var x = Symbol.for("x");
function f(code) {
  code = code.replace(/\/\*DUPTRY\d+\*\//, function(k) {
    n = parseInt(k.substr(8), (null ));
    return g("try{}catch(e){}", n)
  });
}
function g(s, n) {
  s2 = s + s
  r = n % 2
  m = g(s2, x)
}
f("switch(''){default:break;/*DUPTRY525*/}")

Also aborts in the same way in release builds, but marking s-s because I don't know if this can be avoided and something else (bad) could happen. Needinfo from Jason because this involves "Symbol".
Flags: needinfo?(jorendorff)
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/8e4e04daf2a6
user: 446240525@qq.com, Jason Orendorff
date: Thu Jul 31 09:05:18 2014 -0500
summary: Bug 1042602 - Symbol behavior changes in ES6 draft rev 26. r=h4writer.

This iteration took 258.790 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision cd7cbdacf9d8).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9ef873917571
user: Hannes Verschore
date: Mon Aug 18 18:47:47 2014 +0200
summary: Bug 1054753: IonMonkey: Infer functions should not optimize when encountering MIRType_Symbol, r=nbp

This iteration took 312.923 seconds to run.
Hannes, is the bug in comment 5 a dup of this one?
Flags: needinfo?(hv1989)
Assignee: nobody → jorendorff
Flags: needinfo?(jorendorff)
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(hv1989)
Resolution: --- → DUPLICATE
Assignee: jorendorff → nobody
Group: core-security → core-security-release
Group: core-security-release