The following testcase crashes on mozilla-central revision 52b03bc34899 (build with --enable-debug --enable-more-deterministic --enable-simulator=arm64, run with --fuzzing-safe --no-threads --ion-eager --ion-check-range-analysis):

for (let i = 0; i < 1; i++) {
    f(-(!0 | 0));
}

No backtrace is available.

For detailed crash information, see attachment.

This is likely related to Ion on ARM64, waiting for bisection results...

This seems to still have existed since m-c rev e668e5f2fb8a:

https://hg.mozilla.org/mozilla-central/rev/e668e5f2fb8a

Setting needinfo? from Sean and Nicolas as a start.

This is a JS fuzzing bug and sdetar said the team will fix as many as they can in 67 but will not be able to get to all. Marking them fix-optional.

The testcase is invalid -- it refers to a function f that is never defined. It looks like minification was over-eager.

Setting to P3 for now, in the event that Gary might be able to reconstruct the original full testcase. If not, we should close.

Sean, that's the correct actual testcase, reproducible on m-c rev 52b03bc34899.

autobisectjs shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/425b8e0eb6d6
user: Nicolas B. Pierron
date: Thu Mar 14 21:48:08 2019 +0000
summary: Bug 1534810 - ARM64: LMulI should copy registers when multiplying by 1. r=sstangl

Would bug 1534810 be the likely fix then?

This sounds likely.