Closed
Bug 1502853
Opened 6 years ago
Closed 1 year ago
Crash in js::jit::GetNativeDataPropertyByValuePure<T>
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
RESOLVED
INCOMPLETE
Release | Tracking | Status |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox63 | --- | unaffected |
firefox64 | --- | wontfix |
firefox65 | --- | fix-optional |
firefox66 | --- | fix-optional |
firefox67 | --- | ? |
People
(Reporter: philipp, Unassigned)
References
Details
(5 keywords, Whiteboard: [#jsapi:crashes-retriage])
Crash Data
This bug was filed from the Socorro interface and is report bp-6534157a-8ca8-4c28-b15b-c06830181024.

=============================================================
Top 2 frames of crashing thread:

0 @0xd3ca2dd
1 xul.dll js::jit::GetNativeDataPropertyByValuePure<0> js/src/jit/VMFunctions.cpp:1745
=============================================================

Crash reports with this signature are starting to show up cross-platform since Firefox 64 - likely related to the changes from bug 1492977.
Comment 1•6 years ago
This is Bug 1378365 with a signature change. Probably worth a fresh look, so leaving open and putting on crash triage list.
Crash Signature: [@ js::jit::GetNativeDataPropertyByValuePure<T>] → [@ js::jit::GetNativeDataPropertyByValuePure<T>]
[@ js::jit::GetNativeDataPropertyByValue<T> ]
Priority: -- → P2
Whiteboard: [#jsapi:crashes-retriage]
Updated•5 years ago
Comment 2•5 years ago
I see a couple scary _EXEC crashes on random addresses, and a few UAFs sprinkled in. Those could be different bugs.
Keywords: csectype-uaf, sec-high
Updated•5 years ago
status-firefox67: --- → ?
Comment 4•5 years ago
Looks like general jit crashes / corruption. This function does very little so we likely passed corrupted data from the JIT. Probably a variant of Bug 858032 (SadJit).
Keywords: stalled
Comment 5•4 years ago
Removing employee no longer with company from CC list of private bugs.
Updated•2 years ago
Severity: critical → S2
Updated•1 year ago
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE
Comment 6•1 year ago
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.
Keywords: stalled
Updated•2 months ago
Group: javascript-core-security