Closed Bug 1851976 Opened 2 years ago Closed 2 years ago

Assertion failure: Infallible unbox type mismatch, at jit/VMFunctions.cpp:2868

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
119 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox117 --- unaffected
firefox118 --- unaffected
firefox119 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])

Attachments

(3 files)

Detailed Crash Information
714 bytes, text/plain
Details
Testcase
33 bytes, text/plain
Details
Bug 1851976 - Mark infallible unbox non-movable. r?iain!
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20230907-f829a45e2207 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --ion-warmup-threshold=0 --baseline-eager --ion-gvn=off test.js):

function a() {}
for (;;) a(...[])

Backtrace:

received signal SIGTRAP, Trace/breakpoint trap.
#0  0x0000344cf4d0e83a in ?? ()
#1  0x0000375ef853f038 in ?? ()
#2  0x00007fae1b1a4700 in ?? ()
#3  0x0000000000000000 in ?? ()
rax	0x1	1
rbx	0x7fae1b1a4720	140385755744032
rcx	0xfff9800000000000	-1829587348619264
rdx	0x7fae1c32ee20	140385774136864
rsi	0x375ef853f038	60881032704056
rdi	0x1b	27
rbp	0x7ffe65380190	140730596589968
rsp	0x7ffe65380160	140730596589920
r8	0x0	0
r9	0x7ffe6537fc98	140730596588696
r10	0x7ffe653e6080	140730597007488
r11	0x7fae1f4bd340	140385826100032
r12	0x0	0
r13	0x0	0
r14	0x0	0
r15	0x0	0
rip	0x344cf4d0e83a	57505129490490
=> 0x344cf4d0e83a:	movabs $0xfffe000000000000,%rdx
   0x344cf4d0e844:	xor    %rcx,%rdx
Attached file Testcase
Flags: needinfo?(jdemooij)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Regressed by: 1850305

Set release status flags based on info from the regressing bug 1850305

status-firefox117: --- → unaffected
status-firefox118: --- → unaffected
status-firefox-esr102: --- → unaffected
status-firefox-esr115: --- → unaffected

Verified bug as reproducible on mozilla-central 20230907092106-c8b40099127c.
Unable to bisect testcase (Unable to launch the start build!):

Start: 2df511a16e4194617632cce3f261312c8e068620 (20220908045224)
End: f829a45e22076f02abeee8ca0f757a842da4f4de (20230907040951)
BuildFlags: BuildFlags(asan=None, tsan=None, debug=True, fuzzing=True, coverage=None, valgrind=None, no_opt=None, fuzzilli=None, nyx=None)

Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8de24ac4d247 Mark infallible unbox non-movable. r=iain

https://hg.mozilla.org/mozilla-central/rev/8de24ac4d247

Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox119: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 119 Branch
Flags: in-testsuite+

Verified bug as fixed on rev mozilla-central 20230908211202-eb062b89c03a.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox119: fixedverified
Keywords: bugmon
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: