Closed
Bug 1942931
Opened 21 days ago
Closed 21 days ago
Assertion failure: def->type() == MIRType::Double, at src/js/src/jit/MIR.h:6604
Categories: Core :: JavaScript Engine: JIT, defect
Status: RESOLVED DUPLICATE of bug 1942737
People: Reporter: sm-bugs, Unassigned
References: Blocks 1 open bug
Details
Steps to reproduce:
Version: d55e89d48a8053ce45a74b0ec92c0ff6a9dcc43d
Args: js --fuzzing-safe <test-case>
Input:
a = new Float32Array(1000)
b = a
for (;;)
b[b[2]]
Actual results:
Assertion failure: def->type() == MIRType::Double, at src/js/src/jit/MIR.h:6604
#0 0x5603aee59fe3 in js::jit::MGuardNumberToIntPtrIndex::MGuardNumberToIntPtrIndex(js::jit::MDefinition*, bool) js/src/jit/MIR.h:6604:5
#1 0x5603aedee4fb in js::jit::MGuardNumberToIntPtrIndex* js::jit::MGuardNumberToIntPtrIndex::New<js::jit::MDefinition*&, bool&>(js::jit::TempAllocator&, js::jit::MDefinition*&, bool&) js/src/jit/MIR.h:6614:3
#2 0x5603aedee4fb in WarpCacheIRTranspiler::emitGuardNumberToIntPtrIndex(js::jit::NumberOperandId, bool, js::jit::IntPtrOperandId) js/src/jit/WarpCacheIRTranspiler.cpp:1539:15
#3 0x5603aedbc49f in WarpCacheIRTranspiler::transpile(std::initializer_list<js::jit::MDefinition*>) js/src/jit/WarpCacheIRTranspiler.cpp:350:7
#4 0x5603aedae893 in js::jit::TranspileCacheIRToMIR(js::jit::WarpBuilder*, js::BytecodeLocation, js::jit::WarpCacheIR const*, std::initializer_list<js::jit::MDefinition*>, js::jit::CallInfo*) js/src/jit/WarpCacheIRTranspiler.cpp:6981:19
#5 0x5603aedae893 in js::jit::WarpBuilder::buildIC(js::BytecodeLocation, js::jit::CacheKind, std::initializer_list<js::jit::MDefinition*>) js/src/jit/WarpBuilder.cpp:3297:12
#6 0x5603aed97c1d in js::jit::WarpBuilder::build_GetElem(js::BytecodeLocation) js/src/jit/WarpBuilder.cpp:1980:10
#7 0x5603aed8f00b in js::jit::WarpBuilder::buildBody() js/src/jit/WarpBuilder.cpp:673:19
#8 0x5603aed8bdb8 in js::jit::WarpBuilder::build() js/src/jit/WarpBuilder.cpp:300:8
#9 0x5603aed301ac in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) js/src/jit/Ion.cpp:1603:18
#10 0x5603aee66c8d in js::jit::IonCompileTask::runTask() js/src/jit/IonCompileTask.cpp:52:24
#11 0x5603aee66c8d in js::jit::IonCompileTask::runHelperThreadTask(js::AutoLockHelperThreadState&) js/src/jit/IonCompileTask.cpp:30:5
#12 0x5603ada304c5 in js::GlobalHelperThreadState::runTaskLocked(JS::HelperThreadTask*, js::AutoLockHelperThreadState&) js/src/vm/HelperThreads.cpp:668:11
#13 0x5603ada3033f in js::GlobalHelperThreadState::runOneTask(JS::HelperThreadTask*, js::AutoLockHelperThreadState&) js/src/vm/HelperThreads.cpp:624:3
#14 0x5603ada76e42 in js::HelperThread::threadLoop(js::InternalThreadPool*) js/src/vm/InternalThreadPool.cpp:324:25
#15 0x5603ada76a87 in js::HelperThread::ThreadMain(js::InternalThreadPool*, js::HelperThread*) js/src/vm/InternalThreadPool.cpp:251:11
#16 0x5603adaa1f53 in void js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>::callMain<0ul, 1ul>(std::integer_sequence<unsigned long, 0ul, 1ul>) js/src/threading/Thread.h:228:5
#17 0x5603adaa1f53 in js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>::Start(void*) js/src/threading/Thread.h:217:11
#18 0x7fecd5c65e2d in start_thread nptl/pthread_create.c:447:8
#19 0x7fecd5cf7a4b in __GI___clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
Blocks: 1903968
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Version: Firefox 134 → Trunk
Updated 21 days ago
Group: core-security → javascript-core-security
Component: JavaScript Engine → JavaScript Engine: JIT
Comment 1, 21 days ago:
This is a duplicate of bug 1942737.
Updated 21 days ago
Group: javascript-core-security