Closed Bug 1851976 Opened 9 months ago Closed 9 months ago

Assertion failure: Infallible unbox type mismatch, at jit/VMFunctions.cpp:2868

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
119 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox117 --- unaffected
firefox118 --- unaffected
firefox119 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])

Attachments

(3 files)

Detailed Crash Information
714 bytes, text/plain
Details
Testcase
33 bytes, text/plain
Details
Bug 1851976 - Mark infallible unbox non-movable. r?iain!
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20230907-f829a45e2207 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=0 --baseline-eager --ion-gvn=off test.js):

function a() {}
for (;;) a(...[])

Backtrace:

received signal SIGTRAP, Trace/breakpoint trap.
#0  0x0000344cf4d0e83a in ?? ()
#1  0x0000375ef853f038 in ?? ()
#2  0x00007fae1b1a4700 in ?? ()
#3  0x0000000000000000 in ?? ()
rax	0x1	1
rbx	0x7fae1b1a4720	140385755744032
rcx	0xfff9800000000000	-1829587348619264
rdx	0x7fae1c32ee20	140385774136864
rsi	0x375ef853f038	60881032704056
rdi	0x1b	27
rbp	0x7ffe65380190	140730596589968
rsp	0x7ffe65380160	140730596589920
r8	0x0	0
r9	0x7ffe6537fc98	140730596588696
r10	0x7ffe653e6080	140730597007488
r11	0x7fae1f4bd340	140385826100032
r12	0x0	0
r13	0x0	0
r14	0x0	0
r15	0x0	0
rip	0x344cf4d0e83a	57505129490490
=> 0x344cf4d0e83a:	movabs $0xfffe000000000000,%rdx
   0x344cf4d0e844:	xor    %rcx,%rdx
Attached file Testcase 

    
  
Flags: needinfo?(jdemooij)

    
  
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Regressed by: 1850305

    
    

    
  
Set release status flags based on info from the regressing bug 1850305



          status-firefox117:
          --- → unaffected

          status-firefox118:
          --- → unaffected

          status-firefox-esr102:
          --- → unaffected

          status-firefox-esr115:
          --- → unaffected

    
    

    
  
Verified bug as reproducible on mozilla-central 20230907092106-c8b40099127c.

Unable to bisect testcase (Unable to launch the start build!):




Start: 2df511a16e4194617632cce3f261312c8e068620 (20220908045224)

End: f829a45e22076f02abeee8ca0f757a842da4f4de (20230907040951)

BuildFlags: BuildFlags(asan=None, tsan=None, debug=True, fuzzing=True, coverage=None, valgrind=None, no_opt=None, fuzzilli=None, nyx=None)




Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]

    
  
Flags: needinfo?(jdemooij)

    
    

    
  
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8de24ac4d247
Mark infallible unbox non-movable. r=iain

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/8de24ac4d247


Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 9 months ago

          status-firefox119:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 119 Branch
Flags: in-testsuite+

    
    

    
  
Verified bug as fixed on rev mozilla-central 20230908211202-eb062b89c03a.

Removing bugmon keyword as no further action possible.  Please review the bug and re-add the keyword for further analysis.


Status: RESOLVED → VERIFIED

          status-firefox119:
          fixedverified
Keywords: bugmon
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: