Closed Bug 1368573 Opened 7 years ago Closed 7 years ago

Assertion failure: !ins->hasDefUses(), at js/src/jit/TypePolicy.cpp:302

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1368576
Tracking Flags:
Tracking Status
firefox55 --- affected

People

(Reporter: gkw, Unassigned)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update]) 

The following testcase crashes on mozilla-central revision 34ac1a5d6576 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

(function () {
    "use strict";
    for (let x of []) {
        let y = {} = this;
    }
})();


Backtrace:

#0  0x0000000000833a40 in js::jit::TypeBarrierPolicy::adjustInputs (this=<optimized out>, alloc=..., def=0x7f16e739eaa0) at js/src/jit/TypePolicy.cpp:302
#1  0x00000000006e37c5 in (anonymous namespace)::TypeAnalyzer::adjustInputs (def=0x7f16e739eaa0, this=0x7ffe134dd810) at js/src/jit/IonAnalysis.cpp:1686
#2  (anonymous namespace)::TypeAnalyzer::insertConversions (this=0x7ffe134dd810) at js/src/jit/IonAnalysis.cpp:1753
#3  (anonymous namespace)::TypeAnalyzer::analyze (this=0x7ffe134dd810) at js/src/jit/IonAnalysis.cpp:2000
#4  js::jit::ApplyTypeInformation (mir=mir@entry=0x7f16e738c2b0, graph=...) at js/src/jit/IonAnalysis.cpp:2012
#5  0x00000000006ff477 in js::jit::OptimizeMIR (mir=mir@entry=0x7f16e738c2b0) at js/src/jit/Ion.cpp:1538
/snip

For detailed crash information, see attachment.

MIR is on the stack, setting s-s as a start.
FuzzManager error, sorry, duping.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.