1502709 - Crash [@ ??] involving CacheIR

Status: RESOLVED DUPLICATE of bug 1502143

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 6d7686f1082f (no extra build flags needed, i.e. optimized build, run with --fuzzing-safe --no-threads --baseline-eager --no-ion):

try {
    x = [];
    Object.defineProperty(x, 1, {});
    y = [];
    Object.defineProperty(y, 1, {});
    y.__proto__ = null;
    Array.prototype.sort.apply(x, [function() {}]);
} catch (e) {}
Array.prototype.sort.apply(y, [function() {}]);

Backtrace:

#0  0x000023cb4a1daf49 in ?? ()
#1  0x000023cb4a1daaf3 in ?? ()
#2  0xfff9800000000000 in ?? ()
#3  0xfff9800000000000 in ?? ()
#4  0xfff8800000000000 in ?? ()
/snip

For detailed crash information, see attachment.

Debug shell stacks are similar (only memory addresses near the top).

Setting s-s because only scary memory addresses are near the top of the stack.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7fed4b128d9d
user:        Kannan Vijayan
date:        Tue Oct 23 10:49:04 2018 -0400
summary:     Bug 1494537: Add CacheIR stub for out-of-capacity-bounds assignments to arrays. r=tcampbell

Kannan, is bug 1494537 a likely regressor?

Comment 3

[Kannan Vijayan [:djvj]]

Yes, there's a decent chance.  I'm looking into it today.

Comment 5

[Liz Henry (:lizzard) (relman/hg->git project)]

Looks like this was fixed in 65 in bug 1502143.