Crash [@ js::ObjectImpl::lastProperty] or Opt-Crash [@ js::SavedStacksMetadataCallback] with enableTrackAllocations

Status: NEW
Assignee: Unassigned
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 4 years ago
Last updated: 4 years ago
Reporter: decoder
Blocks: 1 bug
Version: Trunk
Hardware: x86_64
OS: Linux
Keywords: crash, testcase
Firefox Tracking Flags: firefox34 affected
Whiteboard: [jsbugmon:update,ignore]
Crash Signature: [@ js::ObjectImpl::lastProperty] [@ js::SavedStacksMetadataCallback]
Attachments: 1 attachment

Description (Reporter), 4 years ago:
The following testcase crashes on mozilla-central revision 0aaa2d3d15cc (threadsafe build, run with --fuzzing-safe --thread-count=2):


// Fuzzer-generated harness: lfcode is a queue of snippets; single-digit
// entries select the eval mode (1 = direct eval, 4 = eval inside a function
// wrapper), everything else is evaluated in the currently selected mode.
var lfcode = new Array();
lfcode.push("");
lfcode.push("");
lfcode.push("1");
lfcode.push("enableTrackAllocations();\n");
lfcode.push("");
lfcode.push("evaluate");
lfcode.push("");
lfcode.push("4");
lfcode.push("\
  var otherGlobalSameCompartment = newGlobal('same-compartment');\
  unescape = otherGlobalSameCompartment.eval;\
");
lfcode.push("evaluate");
while (true) {
    var file = lfcode.shift();
    if (file == undefined) { break; }
    // After the second snippet runs, unescape is the other global's eval.
    unescape("x");
    loadFile(file);
}
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
            switch (lfRunTypeId) {
                case 1: eval(lfVarx); break;
                case 4: eval("(function() { " + lfVarx + " })();"); break;
            }
        } else if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);
        }
    } catch (lfVare) {}
}
Updated (Reporter), 4 years ago:
Crash Signature: [@ js::ObjectImpl::lastProperty] or Opt-Crash [@ js::SavedStacksMetadataCallback] → [@ js::ObjectImpl::lastProperty] [@ js::SavedStacksMetadataCallback]
status-firefox34: --- → affected
Whiteboard: [jsbugmon:update,bisect]

Comment 1 (Reporter), 4 years ago:
Created attachment 8474591 [details]
[crash-signature] Machine-readable crash signature

Updated (Reporter), 4 years ago:
Crash Signature: [@ js::ObjectImpl::lastProperty] [@ js::SavedStacksMetadataCallback] → [@ js::ObjectImpl::lastProperty] [@ js::SavedStacksMetadataCallback]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Updated, 4 years ago:
Crash Signature: [@ js::ObjectImpl::lastProperty] [@ js::SavedStacksMetadataCallback] → [@ js::ObjectImpl::lastProperty] [@ js::SavedStacksMetadataCallback]

Updated (Reporter), 4 years ago:
Crash Signature: [@ js::ObjectImpl::lastProperty] [@ js::SavedStacksMetadataCallback] → [@ js::ObjectImpl::lastProperty] [@ js::SavedStacksMetadataCallback]
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

Comment 2 (Reporter), 4 years ago:
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1ddfd9afba40).