Closed Bug 1825217 Opened 2 years ago Closed 2 years ago

Crash in [@ js::jit::MConstant::toJSValue]

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
113 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox111 --- unaffected
firefox112 --- unaffected
firefox113 + fixed

People

(Reporter: pascalc, Assigned: alexical)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/9fbb84ef-20bf-430f-a03a-7b21e0230329

MOZ_CRASH Reason: MOZ_CRASH(Unexpected type)

Top 10 frames of crashing thread:

0  xul.dll  js::jit::MConstant::toJSValue const  js/src/jit/MIR.cpp:1314
1  xul.dll  js::jit::CodeGenerator::toConstantOrRegister  js/src/jit/CodeGenerator.cpp:14081
2  xul.dll  js::jit::CodeGenerator::emitGetInlinedArgument<js::jit::LGetInlinedArgument>  js/src/jit/CodeGenerator.cpp:7603
3  xul.dll  js::jit::CodeGenerator::visitGetInlinedArgument  js/src/jit/CodeGenerator.cpp:7632
3  xul.dll  js::jit::CodeGenerator::generateBody  js/src/jit/CodeGenerator.cpp:6724
4  xul.dll  js::jit::CodeGenerator::generate  js/src/jit/CodeGenerator.cpp:13390
5  xul.dll  js::jit::GenerateCode  js/src/jit/Ion.cpp:1513
5  xul.dll  js::jit::CompileBackEnd  js/src/jit/Ion.cpp:1542
6  xul.dll  js::jit::IonCompileTask::runTask  js/src/jit/IonCompileTask.cpp:52
6  xul.dll  js::jit::IonCompileTask::runHelperThreadTask  js/src/jit/IonCompileTask.cpp:30

Spike started with BuildID 20230328095108
Changelog https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4a92205e0d4075884895f244e8b7e2dec304925b&tochange=aff0b64247011767675227facc902a7968668686

The bug is marked as tracked for firefox113 (nightly). We have limited time to fix this, the soft freeze is in 8 days. However, the bug still isn't assigned.

:sdetar, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit auto_nag documentation.

Flags: needinfo?(sdetar)
Regressed by: 1819722
See Also: → 1825220

Doug, since this seems to be regressed by your bug fix for 1819722, could you take ownership and look investigate this bug.

Flags: needinfo?(sdetar) → needinfo?(dothayer)
Assignee: nobody → dothayer
Flags: needinfo?(dothayer)
Crash Signature: [@ js::jit::MConstant::toJSValue] → [@ js::jit::MConstant::toJSValue] [@ js::jit::MDefinition::type]

Confirmed fixed by backout.

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox113: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch
You need to log in before you can comment on or make changes to this bug.