Closed Bug 1502853 Opened 6 years ago Closed 1 year ago

Crash in js::jit::GetNativeDataPropertyByValuePure<T>

Categories

(Core :: JavaScript Engine, defect, P2)

64 Branch
defect

Tracking

RESOLVED INCOMPLETE
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- unaffected
firefox64 --- wontfix
firefox65 --- fix-optional
firefox66 --- fix-optional
firefox67 --- ?

People

(Reporter: philipp, Unassigned)

References

Details

(5 keywords, Whiteboard: [#jsapi:crashes-retriage])

Crash Data

This bug was filed from the Socorro interface and is report bp-6534157a-8ca8-4c28-b15b-c06830181024.
=============================================================

Top 2 frames of crashing thread:

0  @0xd3ca2dd 
1 xul.dll js::jit::GetNativeDataPropertyByValuePure<0> js/src/jit/VMFunctions.cpp:1745

=============================================================

Crash reports with this signature are starting to show up cross-platform since Firefox 64 - likely related to the changes from bug 1492977.
This is Bug 1378365 with a signature change.

Probably worth a fresh look, so leaving open and putting on crash triage list.
Crash Signature: [@ js::jit::GetNativeDataPropertyByValuePure<T>] → [@ js::jit::GetNativeDataPropertyByValuePure<T>] [@ js::jit::GetNativeDataPropertyByValue<T> ]
Priority: -- → P2
Whiteboard: [#jsapi:crashes-retriage]
I see a couple of scary _EXEC crashes on random addresses, and a few UAFs sprinkled in. Those could be different bugs.

Looks like general JIT crashes / corruption. This function does very little, so we likely passed corrupted data from the JIT. Probably a variant of Bug 858032 (SadJit).

Keywords: stalled

Removing employee no longer with company from CC list of private bugs.

Severity: critical → S2
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled
Group: javascript-core-security