Closed
Bug 1326157
Opened 8 years ago
Closed 8 years ago
Crash [@ js::CurrentThreadCanAccessRuntime]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1326150
| | Tracking | Status |
|---|---|---|
| firefox53 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: bugmon, crash, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])
Attachments (1 file): 32.25 KB, text/plain
The following testcase crashes on mozilla-central revision 143bb4b9249e (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):
Object.defineProperty(this, "f", {
    get: function () {
        this.f;
    }
});
try {
    f;
} catch (e) {}
relazifyFunctions();
f;
Backtrace:
0 js-dbg-64-dm-clang-darwin-143bb4b9249e 0x0000000105369c43 js::CurrentThreadCanAccessRuntime(JSRuntime const*) + 19 (Runtime.cpp:867)
1 js-dbg-64-dm-clang-darwin-143bb4b9249e 0x0000000104f761c9 js::jit::AssertValidObjectPtr(JSContext*, JSObject*) + 73 (Heap.h:1133)
2 ??? 0x00000001071a0fd4 0 + 4414115796
3 js-dbg-64-dm-clang-darwin-143bb4b9249e 0x0000000104d7e15a js::jit::IonCannon(JSContext*, js::RunState&) + 874 (Ion.cpp:2895)
4 js-dbg-64-dm-clang-darwin-143bb4b9249e 0x0000000104c0e447 js::RunScript(JSContext*, js::RunState&) + 359 (Interpreter.cpp:383)
/snip
For detailed crash information, see attachment.
Reporter
Comment 1•8 years ago
Reporter
Comment 2•8 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/547a8c1acff1
user: Jan de Mooij
date: Fri Dec 23 08:34:03 2016 +0100
summary: Bug 1322093 part 19 - Enable the new IonGetPropertyIC that's based on CacheIR. r=h4writer
Jan, is bug 1322093 a likely regressor?
Blocks: 1322093
Flags: needinfo?(jdemooij)
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Reporter
Comment 3•8 years ago
Setting [fuzzblocker] because some stacks of unreduced versions of this testcase can consist only of memory addresses, like:
backtrace
#0 0x00007f6e4df55d12 in ?? ()
#1 0x00007f6e4bfa4640 in ?? ()
#2 0x0000000000000000 in ?? ()
Locking s-s because of this.
Group: javascript-core-security
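The concern in comment 3, as an added example that is not part of the bug report or of Mozilla's fuzzing tools: a triage helper that takes the first symbolized frame as the crash signature and flags stacks that contain no symbols at all, which leave nothing to key a signature on. The regexes and function names are this example's own assumptions; the two traces are copied from this bug.

```python
import re

# Frame layouts as they appear in this bug; the regexes are this example's own.
# Crash-log style: "1 <module> 0xADDR js::Foo(Args) + 73 (Heap.h:1133)"
CRASHLOG = re.compile(
    r"^\s*\d+\s+(?P<mod>\S+)\s+0x[0-9a-fA-F]+\s+(?P<sym>.*?)\s+\+\s+\d+(?:\s+\(.+\))?\s*$")
# gdb style: "#0 0x00007f6e4df55d12 in ?? ()"
GDB = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(?P<sym>.+?)\s*\(.*$")
UNKNOWN = {"", "0", "??", "???"}  # placeholders printed when no symbol resolves

# Both traces are copied from this bug report (description and comment 3).
REDUCED = """\
0 js-dbg-64-dm-clang-darwin-143bb4b9249e 0x0000000105369c43 js::CurrentThreadCanAccessRuntime(JSRuntime const*) + 19 (Runtime.cpp:867)
1 js-dbg-64-dm-clang-darwin-143bb4b9249e 0x0000000104f761c9 js::jit::AssertValidObjectPtr(JSContext*, JSObject*) + 73 (Heap.h:1133)
2 ??? 0x00000001071a0fd4 0 + 4414115796
3 js-dbg-64-dm-clang-darwin-143bb4b9249e 0x0000000104d7e15a js::jit::IonCannon(JSContext*, js::RunState&) + 874 (Ion.cpp:2895)
4 js-dbg-64-dm-clang-darwin-143bb4b9249e 0x0000000104c0e447 js::RunScript(JSContext*, js::RunState&) + 359 (Interpreter.cpp:383)
/snip"""
UNREDUCED = """\
backtrace
#0 0x00007f6e4df55d12 in ?? ()
#1 0x00007f6e4bfa4640 in ?? ()
#2 0x0000000000000000 in ?? ()"""


def parse_frames(trace):
    """One entry per recognised frame: the function name, or None if unsymbolized."""
    frames = []
    for line in trace.splitlines():
        m = CRASHLOG.match(line) or GDB.match(line)
        if not m:
            continue  # headers such as "backtrace", "/snip", blank lines
        sym = m.group("sym").strip()
        if sym in UNKNOWN or m.groupdict().get("mod") == "???":
            frames.append(None)  # e.g. a frame inside JIT-generated code
        else:
            frames.append(sym.split("(", 1)[0])  # drop the argument list
    return frames


def signature(trace):
    """First symbolized frame, usable as a bucket key; None if there is none."""
    return next((f for f in parse_frames(trace) if f), None)


def address_only(trace):
    """True when frames were parsed but not one of them carries a symbol."""
    frames = parse_frames(trace)
    return bool(frames) and all(f is None for f in frames)
```

For the reduced testcase the signature matches the bug title; the unreduced stack from comment 3 yields no signature and is reported as address-only.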
Comment 4•8 years ago
Same issue as bug 1326150.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Updated•6 years ago
Group: javascript-core-security