Open Bug 1991705 Opened 2 months ago Updated 1 month ago

Assertion failure: i->IsCondB(), at jit/arm64/Assembler-arm64.cpp:358

Categories: Core :: JavaScript Engine: JIT, defect, P2
Platform: x86_64, Linux
Tracking Status: firefox145 --- fix-optional
People: Reporter: decoder, Unassigned
References: Blocks 2 open bugs
Details: 4 keywords, Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 2 files

The following testcase crashes on mozilla-central revision 20250929-2dfd502d8f50 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --more-compartments):

var g24 = newGlobal({newCompartment: true});
var dbg = Debugger(g24);
dbg.collectCoverageInfo = true;
var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal({newCompartment: true});
  var dbg = new dbgGlobal.Debugger();
  dbg.addDebuggee(global);
})(this);
var dbgGlobal1 = newGlobal({ newCompartment: 10 });
var dbg = new dbgGlobal1.Debugger;
dbg.addDebuggee(this);
dbg.collectCoverageInfo = true;

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000aaaaad278660 in js::jit::Assembler::ToggleToCmp(js::jit::CodeLocationLabel) ()
#1  0x0000aaaaad38399c in js::jit::BaselineInterpreter::toggleCodeCoverageInstrumentationUnchecked(bool) ()
#2  0x0000aaaaac8f8798 in JSRuntime::incrementNumDebuggeeRealmsObservingCoverage() ()
#3  0x0000aaaaac8f86d8 in JS::Realm::updateDebuggerObservesCoverage() ()
#4  0x0000aaaaacc5bfbc in js::Debugger::removeDebuggeeGlobal(JS::GCContext*, js::GlobalObject*, mozilla::detail::HashTable<js::WeakHeapPtr<js::GlobalObject*> const, mozilla::HashSet<js::WeakHeapPtr<js::GlobalObject*>, js::StableCellHasher<js::WeakHeapPtr<js::GlobalObject*> >, js::TrackedAllocPolicy<(js::TrackingKind)1> >::SetHashPolicy, js::TrackedAllocPolicy<(js::TrackingKind)1> >::Enum*, js::Debugger::FromSweep) ()
#5  0x0000aaaaacc5b38c in js::DebugAPI::sweepAll(JS::GCContext*) ()
#6  0x0000aaaaacf788d4 in js::gc::GCRuntime::sweepDebuggerOnMainThread(JS::GCContext*) ()
#7  0x0000aaaaacf79c40 in js::gc::GCRuntime::beginSweepingSweepGroup(JS::GCContext*, JS::SliceBudget&) ()
#8  0x0000aaaaacfb0e70 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) ()
#9  0x0000aaaaacf9d6a0 in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&) ()
#10 0x0000aaaaacf828e8 in js::gc::GCRuntime::performSweepActions(JS::SliceBudget&) ()
#11 0x0000aaaaacee9600 in js::gc::GCRuntime::incrementalSlice(JS::SliceBudget&, JS::GCReason, bool) ()
#12 0x0000aaaaaceecfa4 in js::gc::GCRuntime::gcCycle(bool, JS::SliceBudget const&, JS::GCReason) ()
#13 0x0000aaaaaceee980 in js::gc::GCRuntime::collect(bool, JS::SliceBudget const&, JS::GCReason) ()
#14 0x0000aaaaaced5464 in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) ()
#15 0x0000aaaaac908438 in JSRuntime::destroyRuntime() ()
#16 0x0000aaaaac7990fc in js::DestroyContext(JSContext*) ()
#17 0x0000aaaaac420d80 in main ()
=> 0xaaaaad278660 <_ZN2js3jit9Assembler11ToggleToCmpENS0_17CodeLocationLabelE+144>:	str	x19, [x8]
   0xaaaaad278664 <_ZN2js3jit9Assembler11ToggleToCmpENS0_17CodeLocationLabelE+148>:	bl	0xaaaaac4bbb64 <abort>
Attached file Testcase
Severity: -- → S4
Priority: -- → P2

Verified bug as reproducible on mozilla-central 20250930162901-d43a14f1cca9.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: fa0af5c61a2830b972c5fbdcd45f73a10a3f0ba9 (20250703040732)
End: 2dfd502d8f5074112d28557df03045a51f503058 (20250929081533)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]