Closed Bug 1660292 Opened 4 years ago Closed 4 years ago

[warp] Assertion failure: whyMagic() == why, at js/Value.h:683

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1652732
Tracking Status
firefox81 --- disabled

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 20200820-920ef04bf423 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --warp --baseline-eager --ion-full-warmup-threshold=0):

function f75(index) {
  var a70 = [123];
  return a70[() => {
      a70++;
  }, target => (f75[0] = "10"), {}]
}
f75();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557758c99 in js::jit::DoGetElemFallback (cx=<optimized out>, frame=0x7fffffffb2d0, stub=0x7ffff6077128, lhs=..., rhs=..., res=...) at /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1868
#1  0x00002b229348f9f3 in ?? ()
[...]
#19 0x0000000000000000 in ?? ()
Attached file Testcase
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200820212107-e375b85cfba3. The bug appears to have been introduced in the following build range:
> Start: 9dac3cf64ae60633df1b5668dd59872982baaf75 (20200630100415)
> End: 5efefa92861dbc5764f28d7a0ab6ee2dc3933c89 (20200630102017)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9dac3cf64ae60633df1b5668dd59872982baaf75&tochange=5efefa92861dbc5764f28d7a0ab6ee2dc3933c89

This looks like it could be the same issue as bug 1652732. I should look into these soon...

Flags: needinfo?(jdemooij)

(In reply to Jan de Mooij [:jandem] from comment #3)

> This looks like it could be the same issue as bug 1652732. I should look into these soon...

Confirmed this.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Keywords: bugmon
Whiteboard: [bugmon:update,bisected,confirmed]
Bugmon Analysis: Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
