Bug 1871880
Opened 1 year ago
Closed 1 year ago
Assertion failure: obj->nonCCWRealm()->realmFuses.optimizeGetIteratorFuse.intact(), at jit/CacheIR.cpp:13563
Categories
(Core :: JavaScript Engine: JIT, defect)
RESOLVED
DUPLICATE
of bug 1871597
Release | Tracking | Status |
---|---|---|
firefox-esr115 | --- | unaffected |
firefox121 | --- | unaffected |
firefox122 | --- | unaffected |
firefox123 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, reporter-external, testcase)
Attachments
(1 file: 2.01 KB, text/plain)
Array.prototype[Symbol.iterator] = Array.prototype[Symbol.iterator];
[] = [];
Assertion failure: obj->nonCCWRealm()->realmFuses.optimizeGetIteratorFuse.intact(), at /home/yksnegowt/trees/mozilla-central/js/src/jit/CacheIR.cpp:13563
#01: ???[/home/yksnegowt/shell-cache/js-dbg-64-linux-x86_64-5c45743d053b/js-dbg-64-linux-x86_64-5c45743d053b +0x2ac8bd7]
#02: ???[/home/yksnegowt/shell-cache/js-dbg-64-linux-x86_64-5c45743d053b/js-dbg-64-linux-x86_64-5c45743d053b +0x2ac876e]
#03: ???[/home/yksnegowt/shell-cache/js-dbg-64-linux-x86_64-5c45743d053b/js-dbg-64-linux-x86_64-5c45743d053b +0x2889632]
#04: ??? (???:???)
Segmentation fault
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/74ac8b5c353a
user: Matthew Gaudet
date: Wed Dec 20 16:31:45 2023 +0000
summary: Bug 1870725 - Assert fuse isn't popped in CacheIR r=iain
Run with --fuzzing-safe --no-threads --blinterp-eager --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --with-ccache --enable-nspr-build --enable-ctypes --enable-debug-symbols --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 5c45743d053b.
Matthew, is bug 1870725 a likely regressor? Setting s-s just in case.
Flags: sec-bounty?
Flags: needinfo?(mgaudet)
Reporter
Updated•1 year ago
Summary: Assertion failure: buffer, at gc/Nursery.cpp:1620 → Assertion failure: obj->nonCCWRealm()->realmFuses.optimizeGetIteratorFuse.intact(), at jit/CacheIR.cpp:13563
Comment 1•1 year ago
Set release status flags based on info from the regressing bug 1870725
status-firefox121:
--- → unaffected
status-firefox122:
--- → unaffected
status-firefox-esr115:
--- → unaffected
Updated•1 year ago
Group: core-security → javascript-core-security
Comment 2•1 year ago
This looks like the same issue as bug 1871597. It is not security-sensitive, because we're still just asserting that we have the fuse implementation right, and aren't depending on fuses for anything yet.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1871597
Resolution: --- → DUPLICATE
Updated•1 year ago
Flags: needinfo?(mgaudet)
Updated•1 year ago
Flags: sec-bounty? → sec-bounty-
Reporter
Updated•11 months ago
Blocks: gkw-js-fuzzing
Updated•9 months ago
Keywords: reporter-external