Closed Bug 1175010 Opened 9 years ago Closed 9 years ago

Assertion failure: v.isUndefined(), at jsnum.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla41
Tracking Status
firefox40 --- unaffected
firefox41 --- fixed
firefox-esr31 --- unaffected
firefox-esr38 --- unaffected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])

Attachments

(1 file)

f = function() {
    var Float64ArrayView = new Float64Array();
    function f() {
        Math.abs() + 1 > (objectEmulatingUndefined | !{});
        return Float64ArrayView[0];
    }
    return f;
}();
for (var j = 0; j < 9999; ++j) {
    f();
}

asserts js debug shell on m-c changeset cd0d976e5f5c with --fuzzing-safe --no-threads --baseline-eager at Assertion failure: v.isUndefined(), at jsnum.cpp.

Configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build --32" -r cd0d976e5f5c

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e51492b08d25
user: Nicolas B. Pierron
date: Thu Jun 11 14:30:29 2015 +0200
summary: Bug 1165348 - Move Scalar Replacement after GVN. r=jandem

Setting s-s first because this seems to involve ArrayBuffers.

Nicolas, is bug 1165348 a likely regressor?
Flags: needinfo?(nicolas.b.pierron)
Attached file stack (deleted) —
(lldb) bt 5
* thread #1: tid = 0x2e2c49, 0x008a5630 js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::ToNumberSlow(cx=<unavailable>, v=<unavailable>, out=<unavailable>) + 656 at jsnum.cpp:1525, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x008a5630 js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::ToNumberSlow(cx=<unavailable>, v=<unavailable>, out=<unavailable>) + 656 at jsnum.cpp:1525
    frame #1: 0x008a571d js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::ToNumberSlow(cx=0x01e92040, v=<unavailable>, out=0xbfffea70) + 45 at jsnum.cpp:1548
    frame #2: 0x00764fbe js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::jit::GreaterThan(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, bool*) [inlined] JS::ToNumber(out=<unavailable>) + 462 at Conversions.h:126
    frame #3: 0x00764f65 js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::jit::GreaterThan(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, bool*) + 336 at Interpreter-inl.h:720
    frame #4: 0x00764e15 js-dbg-32-dm-nsprBuild-darwin-cd0d976e5f5c`js::jit::GreaterThan(cx=0x01e92040, lhs=JS::MutableHandleValue at 0xbfffeab4, rhs=JS::MutableHandleValue at 0xbfffeab8, res=<unavailable>) + 37 at VMFunctions.cpp:231
(lldb)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
What does this assertion mean in terms of security? Is it a correctness assertion or a potential security bug?
=== Treeherder Build Bisection Results by autoBisect ===

The "bad" changeset has the timestamp "20150617192341" and the hash "65703a2dc548".
The "good" changeset has the timestamp "20150617192541" and the hash "a8e0bde30bd4".

Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=65703a2dc548&tochange=a8e0bde30bd4

Shu-yu, is bug 1175397 a likely fix?
Flags: needinfo?(shu)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #0)
> changeset: https://hg.mozilla.org/mozilla-central/rev/e51492b08d25
> summary: Bug 1165348 - Move Scalar Replacement after GVN. r=jandem
>
> Nicolas, is bug 1165348 a likely regressor?

Yes. But Bug 1165348 is backed out for the moment.

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
> Likely fix window:
> https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=65703a2dc548&tochange=a8e0bde30bd4
>
> Shu-yu, is bug 1175397 a likely fix?

Likely.
Flags: needinfo?(nicolas.b.pierron)
Resolving FIXED by bug 1175397 as per comment 6.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(shu)
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Flags: in-testsuite?
Component: JavaScript Engine → JavaScript Engine: JIT
Group: core-security → core-security-release
Group: core-security-release