1825217 - Crash in [@ js::jit::MConstant::toJSValue]

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Pascal Chevrel:pascalc (PTO until April 26)]

Crash report: https://crash-stats.mozilla.org/report/index/9fbb84ef-20bf-430f-a03a-7b21e0230329

MOZ_CRASH Reason: MOZ_CRASH(Unexpected type)

Top 10 frames of crashing thread:

0  xul.dll  js::jit::MConstant::toJSValue const  js/src/jit/MIR.cpp:1314
1  xul.dll  js::jit::CodeGenerator::toConstantOrRegister  js/src/jit/CodeGenerator.cpp:14081
2  xul.dll  js::jit::CodeGenerator::emitGetInlinedArgument<js::jit::LGetInlinedArgument>  js/src/jit/CodeGenerator.cpp:7603
3  xul.dll  js::jit::CodeGenerator::visitGetInlinedArgument  js/src/jit/CodeGenerator.cpp:7632
3  xul.dll  js::jit::CodeGenerator::generateBody  js/src/jit/CodeGenerator.cpp:6724
4  xul.dll  js::jit::CodeGenerator::generate  js/src/jit/CodeGenerator.cpp:13390
5  xul.dll  js::jit::GenerateCode  js/src/jit/Ion.cpp:1513
5  xul.dll  js::jit::CompileBackEnd  js/src/jit/Ion.cpp:1542
6  xul.dll  js::jit::IonCompileTask::runTask  js/src/jit/IonCompileTask.cpp:52
6  xul.dll  js::jit::IonCompileTask::runHelperThreadTask  js/src/jit/IonCompileTask.cpp:30

Spike started with BuildID 20230328095108
Changelog https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4a92205e0d4075884895f244e8b7e2dec304925b&tochange=aff0b64247011767675227facc902a7968668686

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

The bug is marked as tracked for firefox113 (nightly). We have limited time to fix this, the soft freeze is in 8 days. However, the bug still isn't assigned.

:sdetar, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit auto_nag documentation.

Comment 2

[Steven DeTar [:sdetar]]

Doug, since this seems to be regressed by your bug fix for 1819722, could you take ownership and look investigate this bug.

Comment 3

[Ryan VanderMeulen [:RyanVM]]

Confirmed fixed by backout.