Closed Bug 1937206 Opened 7 months ago Closed 6 months ago

Assertion failure: rawIndex > 0 && index < RealmFuses::FuseIndex::LastFuseIndex, at js/src/vm/RealmFuses.cpp:75

Categories

(Core :: JavaScript Engine, defect)

RESOLVED DUPLICATE of bug 1937176

People

(Reporter: sm-bugs, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external)

Steps to reproduce:

Version: a5e04104f9c6cfd69f9c855f0b0f665afd444c74
Flags: js --fuzzing-safe --blinterp-eager <test-case>
Test-case:

a = []
function b() { [] = a }
c = {
  "switch2": b
}
d = c.switch2
d()
disblic(d)

Actual results:

Assertion failure: rawIndex > 0 && index < RealmFuses::FuseIndex::LastFuseIndex, at js/src/vm/RealmFuses.cpp:75

#0 0x5640e80bb4a1 in js::RealmFuses::getFuseName(js::RealmFuses::FuseIndex) js/src/vm/RealmFuses.cpp:75:3
#1 0x5640e90f5082 in CacheIROpsJitSpewer::spewRealmFuseIndexImm(char const*, js::RealmFuses::FuseIndex) js/src/jit/CacheIRSpewer.cpp:127:17
#2 0x5640e90f5082 in CacheIROpsJitSpewer::spewGuardFuse(js::jit::CacheIRReader&) js/src/jit/CacheIRSpewer.cpp:46:3
#3 0x5640e8fe81fd in CacheIROpsJitSpewer::spew(js::jit::CacheIRReader&) js/src/jit/CacheIRSpewer.cpp:141:9
#4 0x5640e8fe6bae in js::jit::SpewCacheIROps(js::GenericPrinter&, char const*, js::jit::CacheIRStubInfo const*) js/src/jit/CacheIRSpewer.cpp:155:10
#5 0x5640e83a0b4c in DisassembleBaselineICs(JSContext*, unsigned int, JS::Value*) js/src/builtin/TestingFunctions.cpp:1941:7
#6 0x5640e7b7dc8e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:532:13
#7 0x5640e7b7cf5c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) js/src/vm/Interpreter.cpp:628:12
#8 0x5640e8a6c4d9 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:1701:10
Blocks: 1903968
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Group: core-security → javascript-core-security
See Also: → 1937176
Status: NEW → RESOLVED
Closed: 6 months ago
Duplicate of bug: 1937176
Resolution: --- → DUPLICATE
Group: javascript-core-security
See Also: 1937176