Closed Bug 1439180
Opened 6 years ago, closed 6 years ago

Crash [@ ??]

Categories: Core :: JavaScript Engine, defect, P1
Status: VERIFIED FIXED
Target Milestone: mozilla60

Version | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox58 | --- | unaffected
firefox59 | --- | unaffected
firefox60 | --- | verified

People: (Reporter: gkw, Unassigned)
Keywords: crash, testcase
Whiteboard: [fuzzblocker] [jsbugmon:update]
Attachments: 1 file, 1 obsolete file (2.92 KB, text/plain)
Description (Reporter)

The following testcase crashes on mozilla-central revision dde7eb1a589f (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

    h = function() {
      ff = encodeURIComponent;
      function f(x) {
        x = +ff(0 / 0);
        return /I/ (~x);
      }
      return f;
    }()
    for (var j = 0; j < 3; j++) {
      try {
        h();
      } catch (e) {}
    }

Backtrace:

    (gdb) bt
    #0 0x000007507a556396 in ?? ()
    #1 0xfff9800000000000 in ?? ()
    #2 0xfff88000ffffffff in ?? ()
    #3 0x00007ffff5d8e040 in ?? ()
    #4 0x7ff8000000000000 in ?? ()
    /snip

For detailed crash information, see attachment.

Setting [fuzzblocker] because this is happening very often.
Comment 1 • 6 years ago (Reporter)

Comment 2 • 6 years ago (Reporter)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
    changeset: https://hg.mozilla.org/mozilla-central/rev/52f1dfd75ff7
    user: Matthew Gaudet
    date: Fri Feb 02 10:38:43 2018 -0500
    summary: Bug 1434717: Part 5: Connect UnaryArith IC to IonMonkey r=tcampbell

Matthew, is bug 1434717 a likely regressor?
Flags: needinfo?(mgaudet)
Comment 3 • 6 years ago (Reporter)

Since this got landed just before the long weekend, causing jsfunfuzz to continuously hit this bug, I contemplated backing the offending patch out. However, it is a series of patches, so I am not sure if all the patches should be backed out or just this one, so I didn't do anything. Please consider fixing this as soon as possible.
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Comment 4 • 6 years ago (Reporter)

    (gdb) x/i $pc
    => 0x7507a556396: mov (%rax),%rdi
    (gdb) x/b $rax
    0x0: Cannot access memory at address 0x0
    (gdb) x/b $rdi
    0x7fffffffce98: 0x00
    (gdb)

Actually, locking s-s until more analysis is in place. While it seems to be a null deref, memory addresses are all over the stack.
Group: javascript-core-security
Comment 5 • 6 years ago

This patch reverts the following revisions:

    52f1dfd75ff7
    286c42a171d8
    bf1d9d0ebbe7
    5c5ec856f0a6
    43a875bf1c8a
    7fd6eaf7fc97

reverting the delivery of Bug 1434717.
Updated • 6 years ago
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Comment 6 • 6 years ago

Comment on attachment 8951944 [details] [diff] [review]
Revert CacheIR UnaryArith Stubs

(r=me because this is a revert commit generated by hg backout)
Flags: needinfo?(mgaudet)
Attachment #8951944 - Flags: review+
Comment 7 • 6 years ago

Attempting to land this via the original bug 1434717, depends on review.
Comment 8 • 6 years ago

Backout of bug 1434717: https://hg.mozilla.org/integration/mozilla-inbound/rev/11e086a7d4634a6e8f33f288422233a93734d601
Updated • 6 years ago
Attachment #8951944 - Attachment is obsolete: true
Updated • 6 years ago
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
Comment 9 • 6 years ago

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 48b635e3d447).
Updated • 6 years ago
Priority: -- → P1
Comment 10 • 6 years ago

Fixed by the backout of bug 1434717.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated • 6 years ago
Status: RESOLVED → VERIFIED
Comment 11 • 6 years ago

JSBugMon: This bug has been automatically verified fixed.
Updated • 6 years ago (Reporter)
Blocks: 1434717
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:update]
Updated • 6 years ago
status-firefox58: --- → unaffected
status-firefox59: --- → unaffected
status-firefox-esr52: --- → unaffected
Target Milestone: --- → mozilla60
Updated • 6 years ago
Group: javascript-core-security → core-security-release
Updated • 6 years ago
Group: core-security-release