Bug 1502709 - Crash [@ ??] involving CacheIR
Status: Closed, RESOLVED DUPLICATE of bug 1502143
Category: Core :: JavaScript Engine, defect
Opened 6 years ago; closed 6 years ago
People: Reporter gkw, Unassigned
Keywords: 4 keywords; Whiteboard: [jsbugmon:update][adv-main65-]

Tracking | Status
---|---
firefox65 | fixed

Attachments (1 file): 6.29 KB, text/plain
The following testcase crashes on mozilla-central revision 6d7686f1082f (no extra build flags needed, i.e. optimized build, run with --fuzzing-safe --no-threads --baseline-eager --no-ion):

    try {
      x = [];
      Object.defineProperty(x, 1, {});
      y = [];
      Object.defineProperty(y, 1, {});
      y.__proto__ = null;
      Array.prototype.sort.apply(x, [function() {}]);
    } catch (e) {}
    Array.prototype.sort.apply(y, [function() {}]);

Backtrace:

    #0 0x000023cb4a1daf49 in ?? ()
    #1 0x000023cb4a1daaf3 in ?? ()
    #2 0xfff9800000000000 in ?? ()
    #3 0xfff9800000000000 in ?? ()
    #4 0xfff8800000000000 in ?? ()
    /snip

For detailed crash information, see attachment. Debug shell stacks are similar (only memory addresses near the top). Setting s-s because only scary memory addresses are near the top of the stack.
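As an added illustration that is not part of the bug report: the testcase above relies on two ECMAScript-level facts, and seeing them in a stock engine makes the shape of the fuzz case easier to read. `Object.defineProperty(arr, 1, {})` with an empty descriptor creates index 1 with every attribute defaulted (value undefined, writable/enumerable/configurable all false) on an array that had no elements, and `Array.prototype.sort` must then write its result back starting at index 0 and delete the trailing index 1, which is non-configurable, so the call ends in a TypeError. That is why the first call in the testcase is wrapped in try/catch. The code below only shows this standard behaviour in any conforming engine (it was written against Node.js/V8); it does not reproduce the SpiderMonkey crash, which needs the affected build and flags from comment 0, and it makes no claim about the engine-internal store path the bisected changeset touched. Function names are this example's own.

```javascript
"use strict";

// Build the same kind of array the testcase uses: empty, then a single
// element defined at index 1 through an empty property descriptor.
// withNullProto mirrors `y.__proto__ = null` from the testcase.
function defineFrozenElement(withNullProto) {
  const arr = [];
  Object.defineProperty(arr, 1, {});
  if (withNullProto) {
    Object.setPrototypeOf(arr, null);
  }
  return arr;
}

// Report what the defineProperty call actually produced: length 2, a hole at
// index 0 (no own property), and a non-writable, non-configurable index 1.
function describeArray(arr) {
  const d = Object.getOwnPropertyDescriptor(arr, 1);
  return {
    length: arr.length,
    hasIndex0: Object.prototype.hasOwnProperty.call(arr, 0),
    writable: d.writable,
    configurable: d.configurable,
    hasProto: Object.getPrototypeOf(arr) !== null,
  };
}

// Per the ECMAScript sort algorithm the engine collects the present values
// (one undefined), writes them back from index 0 upwards, then deletes the
// remaining indices up to length. Index 0 is created by that store; the
// delete of the non-configurable index 1 must throw a TypeError. A null
// prototype changes nothing here because no inherited property is involved.
function sortOutcome(arr) {
  try {
    Array.prototype.sort.apply(arr, [function () { return 0; }]);
    return "ok";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}

// Stand-alone run: same sequence as the testcase, minus the crash.
const x = defineFrozenElement(false);
const y = defineFrozenElement(true);
console.log(describeArray(x), sortOutcome(x));
console.log(describeArray(y), sortOutcome(y));
```

Both arrays end the sort with a TypeError in a conforming engine; the second `sort.apply(y, ...)` in the original testcase is deliberately left outside the try/catch, so on a correct build the script simply terminates with that uncaught TypeError rather than crashing.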
Comment 1 • 6 years ago (Reporter)

Comment 2 • 6 years ago (Reporter)
autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7fed4b128d9d
user: Kannan Vijayan
date: Tue Oct 23 10:49:04 2018 -0400
summary: Bug 1494537: Add CacheIR stub for out-of-capacity-bounds assignments to arrays. r=tcampbell

Kannan, is bug 1494537 a likely regressor?
Flags: needinfo?(kvijayan)
Comment 3 • 6 years ago
Yes, there's a decent chance. I'm looking into it today.
Flags: needinfo?(kvijayan)
Updated • 6 years ago
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Comment 5 • 6 years ago
Looks like this was fixed in 65 in bug 1502143.
Updated • 5 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main65-]
Updated • 4 years ago
Group: javascript-core-security