Closed Bug 1531287 Opened 5 years ago Closed 5 years ago

Assertion failure: Incorrect range for Value., at js/src/jit/MacroAssembler.cpp:2029 with BigInt

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1527729
Tracking Status
firefox67 --- fixed

People

(Reporter: gkw, Unassigned)

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 198cd4a81bf2 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager --ion-check-range-analysis):

1n << 1n;

Backtrace:

#0 0x0000092dfda7ebfd in ?? ()
#1 0x0000092dfd95bac4 in ?? ()
#2 0x0000000000001043 in ?? ()
#3 0x00002f2b671b3a62 in ?? ()
#4 0x0000000000000000 in ?? ()
/snip

For detailed crash information, see attachment.

Not setting s-s yet because this involves BigInt. I added better support for BigInt in jsfunfuzz but then had to back it out as this was one of (possibly) several issues that came up.

Setting needinfo? from Robin and Andy as a start, also this keeps happening constantly so setting [fuzzblocker].

Flags: needinfo?(wingo)
Flags: needinfo?(robin)
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]

(happens constantly, specifically with --ion-check-range-analysis)

I believe this was fixed by https://bugzilla.mozilla.org/show_bug.cgi?id=1527729. At least, since that patch landed I don't see this issue any more. Suggest to dup -> bug 1527729; wdyt gkw?

Flags: needinfo?(wingo)

Sure, thanks!

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(robin)
Resolution: --- → DUPLICATE
Component: JavaScript Engine → JavaScript Engine: JIT
You need to log in before you can comment on or make changes to this bug.