1046675 - Crash [@ ScriptFromCalleeToken] or Opt-Crash [@ js::jit::JitFrameIterator::script]

Status: RESOLVED DUPLICATE of bug 1046597

(Core :: JavaScript Engine: JIT, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 005424a764da (run with --fuzzing-safe):


function test() {
    Object.prototype.__proto__ = null;
    test(__proto__);
}
test();

Comment 1

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 2

[Christian Holler (:decoder)]

Crash trace from opt-build:


Program received signal SIGSEGV, Segmentation fault.
js::jit::JitFrameIterator::script (this=0x7ffffffc77b0) at js/src/jit/IonFrames.cpp:206
206         JSScript *script = ScriptFromCalleeToken(calleeToken());
#0  js::jit::JitFrameIterator::script (this=0x7ffffffc77b0) at js/src/jit/IonFrames.cpp:206
#1  0x00000000006700f8 in GetTopIonJSScript (mode=js::SequentialExecution, returnAddrOut=<synthetic pointer>, jitTop=<optimized out>) at js/src/jit/IonFrames.h:300
#2  GetTopIonJSScript (returnAddrOut=<synthetic pointer>, cx=0x1672af0) at js/src/jit/IonFrames-inl.h:86
#3  js::jit::NameIC::update (cx=0x1672af0, cacheIndex=<optimized out>, scopeChain=..., vp=...) at js/src/jit/IonCaches.cpp:4321
#4  0x00007ffff7e188ca in ?? ()
#5  0x0000000001672b28 in ?? ()
#6  0x00007ffffffc7900 in ?? ()
#7  0xfff9000000000000 in ?? ()
rax     0x200   512
=> 0x608f60 <js::jit::JitFrameIterator::script() const+128>:    mov    0x28(%rax),%rax


The crash is a non-null crash, hence marking s-s and sec-high for now.

Comment 3

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 4

[Nicolas B. Pierron [:nbp]]

This is probably a duplicate of Bug 1046597.