Steps to reproduce:

Attached testcase crashes on startup.
version/build info: gecko-dev/commit 94c7a9798630f81af3f5de929b7703ff3b707331(gecko-dev's beta branch) built with fuzzilli build option(https://github.com/googleprojectzero/fuzzilli/blob/3f0d246a47f39e066ab560f3bb23e2fe47a25850/Targets/Spidermonkey/fuzzbuild.sh).

Actual results:

Assertion failure: count.as<int32_t>() > 0, at /home/builder/firefox/js/src/jit/CodeGenerator.cpp:11916
#01: ???[Cloud/Docker/SpidermonkeyBuilder/out/js +0x1631745]
#02: ???[Cloud/Docker/SpidermonkeyBuilder/out/js +0x1605a11]
#03: ???[Cloud/Docker/SpidermonkeyBuilder/out/js +0x1668abb]
#04: ???[Cloud/Docker/SpidermonkeyBuilder/out/js +0x16ba9c6]
#05: ???[Cloud/Docker/SpidermonkeyBuilder/out/js +0x1703ccf]
#06: ???[Cloud/Docker/SpidermonkeyBuilder/out/js +0x61cf87]
#07: ???[Cloud/Docker/SpidermonkeyBuilder/out/js +0x61cb93]
#08: ???[Cloud/Docker/SpidermonkeyBuilder/out/js +0x6555c1]
#09: ???[Cloud/Docker/SpidermonkeyBuilder/out/js +0x6551a8]
#10: ???[Cloud/Docker/SpidermonkeyBuilder/out/js +0x6b6424]
#11: ???[/lib/x86_64-linux-gnu/libpthread.so.0 +0x8609]
#12: clone[/lib/x86_64-linux-gnu/libc.so.6 +0x11f133]
#13: ??? (???:???)

Thanks for the bug report!

Here's a reduced testcase (run with --fast-warmup --no-threads):

function foo(x) {
  var i = -2 & 0;
  return Array.prototype.slice.call(arguments,i,-2);
}
function bar(x) {
  return foo(x);
}

with ({}) {}
for (var i = 0; i < 100; i++) {
  bar(0);
}

The problem is in CodeGenerator::visitInlineArgumentsSlice; we assert that a constant count must be > 0, but in this case the start index (-2 & 0) wasn't a constant when we did scalar replacement, but was folded to a constant later. The fix is to replace the assertion with an early return.

I've poked around in the generated code in opt builds, and I don't believe this is exploitable.

Oops, testing on an older version of m-c.