Closed Bug 1511294 Opened 7 years ago Closed 7 years ago

Intermittent SUMMARY: AddressSanitizer: heap-use-after-free z:\build\build\src\js\src\jit\BaselineIC.cpp:530 in js::jit::ICStub::makesGCCalls(void)const

Categories: Core :: JavaScript Engine: JIT, defect

Tracking: RESOLVED DUPLICATE of bug 1511412

People: Reporter: CosminS, Unassigned

Details: Keywords: csectype-uaf, intermittent-failure

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=214807658&repo=autoland&lineNumber=3469

08:01:40 INFO - GECKO(4892) | 0x0417833ffdc0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
08:01:40 INFO - GECKO(4892) | 0x0417833ffdd0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
08:01:40 INFO - GECKO(4892) | =>0x0417833ffde0: fa fa fd fd fd fd fd fa fa fa[fd]fd fd fd fd fd
08:01:40 INFO - GECKO(4892) | 0x0417833ffdf0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
08:01:40 INFO - GECKO(4892) | 0x0417833ffe00: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
08:01:40 INFO - GECKO(4892) | 0x0417833ffe10: fa fa 00 00 00 00 00 05 fa fa fd fd fd fd fd fd
08:01:40 INFO - GECKO(4892) | 0x0417833ffe20: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
08:01:40 INFO - GECKO(4892) | 0x0417833ffe30: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
08:01:40 INFO - GECKO(4892) | Shadow byte legend (one shadow byte represents 8 application bytes):
08:01:40 INFO - GECKO(4892) | Addressable: 00
08:01:40 INFO - GECKO(4892) | Partially addressable: 01 02 03 04 05 06 07
08:01:40 INFO - GECKO(4892) | Heap left redzone: fa
08:01:40 INFO - GECKO(4892) | Freed heap region: fd
08:01:40 INFO - GECKO(4892) | Stack left redzone: f1
08:01:40 INFO - GECKO(4892) | Stack mid redzone: f2
08:01:40 INFO - GECKO(4892) | Stack right redzone: f3
08:01:40 INFO - GECKO(4892) | Stack after return: f5
08:01:40 INFO - GECKO(4892) | Stack use after scope: f8
08:01:40 INFO - GECKO(4892) | Global redzone: f9
08:01:40 INFO - GECKO(4892) | Global init order: f6
08:01:40 INFO - GECKO(4892) | Poisoned by user: f7
08:01:40 INFO - GECKO(4892) | Container overflow: fc
08:01:40 INFO - GECKO(4892) | Array cookie: ac
08:01:40 INFO - GECKO(4892) | Intra object redzone: bb
08:01:40 INFO - GECKO(4892) | ASan internal: fe
08:01:40 INFO - GECKO(4892) | Left alloca redzone: ca
08:01:40 INFO - GECKO(4892) | Right alloca redzone: cb
08:01:40 INFO - GECKO(4892) | Shadow gap: cc
08:01:40 INFO - GECKO(4892) | ==7568==ABORTING
08:01:40 INFO - TEST-INFO | Main app process: exit 1
08:01:40 INFO - Buffered messages logged at 08:01:39
08:01:40 INFO - Entering test bound
08:01:40 INFO - TEST-PASS | devtools/server/tests/browser/browser_perf-01.js | This test only runs on supported platforms. -
08:01:40 INFO - TEST-PASS | devtools/server/tests/browser/browser_perf-01.js | The browser is not in private browsing mode. -
08:01:40 INFO - TEST-PASS | devtools/server/tests/browser/browser_perf-01.js | The profiler is not active yet. -
08:01:40 INFO - Waiting for event: 'profiler-started' on [Front for perf/server1.conn0.perfActor6].
08:01:40 INFO - Buffered messages finished
Problems with the new log viewer, here's a more comprehensive snippet:

08:01:39 INFO - TEST-START | devtools/server/tests/browser/browser_perf-01.js
08:01:39 INFO - GECKO(4892) | =================================================================
08:01:39 ERROR - GECKO(4892) | ==7568==ERROR: AddressSanitizer: heap-use-after-free on address 0x11e31fbfef52 at pc 0x7ffc90977992 bp 0x0058cf9eb5e0 sp 0x0058cf9eb628
08:01:39 INFO - GECKO(4892) | READ of size 1 at 0x11e31fbfef52 thread T0
08:01:39 INFO - GECKO(4892) | #0 0x7ffc90977991 in js::jit::ICStub::makesGCCalls(void)const z:\build\build\src\js\src\jit\BaselineIC.cpp:530
08:01:39 INFO - GECKO(4892) | #1 0x7ffc903ad1c7 in js::jit::ICScript::purgeOptimizedStubs(class JS::Zone *) z:\build\build\src\js\src\jit\BaselineJIT.cpp:1100
08:01:39 INFO - GECKO(4892) | #2 0x7ffc8f5a3fea in JS::Zone::discardJitCode(class js::FreeOp *,bool,bool) z:\build\build\src\js\src\gc\Zone.cpp:277
08:01:39 INFO - GECKO(4892) | #3 0x7ffc8f4f6abe in js::ReleaseAllJITCode(class js::FreeOp *) z:\build\build\src\js\src\gc\GC.cpp:8793
08:01:39 INFO - GECKO(4892) | #4 0x7ffc8ebe0a69 in js::GeckoProfilerRuntime::enable(bool) z:\build\build\src\js\src\vm\GeckoProfiler.cpp:100
08:01:39 INFO - GECKO(4892) | #5 0x7ffc8dbd6e2b in locked_profiler_start z:\build\build\src\tools\profiler\core\platform.cpp:3232
08:01:39 INFO - GECKO(4892) | #6 0x7ffc8dbdf0e7 in profiler_start(unsigned int,double,unsigned int,char const * *,unsigned int,class mozilla::Maybe<double> const &) z:\build\build\src\tools\profiler\core\platform.cpp:3290
08:01:39 INFO - GECKO(4892) | #7 0x7ffc8dbf3e53 in nsProfiler::StartProfiler(unsigned int,double,char const * *,unsigned int,char const * *,unsigned int,double) z:\build\build\src\tools\profiler\gecko\nsProfiler.cpp:122
08:01:40 INFO - GECKO(4892) | #8 0x7ffc90e67d21 in XPTC__InvokebyIndex (Z:\task_1543563625\build\application\firefox\xul.dll+0x191517d21)
08:01:40 INFO - GECKO(4892) | #9 0x7ffc81957e19 in XPCWrappedNative::CallMethod(class XPCCallContext &,enum XPCWrappedNative::CallMode) z:\build\build\src\js\xpconnect\src\XPCWrappedNative.cpp:1234
08:01:40 INFO - GECKO(4892) | #10 0x7ffc8195f452 in XPC_WN_CallMethod(struct JSContext *,unsigned int,union JS::Value *) z:\build\build\src\js\xpconnect\src\XPCWrappedNativeJSOps.cpp:1021
08:01:40 INFO - GECKO(4892) | #11 0x7ffc8ff15b31 in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:560
08:01:40 INFO - GECKO(4892) | #12 0x7ffc8ff18995 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:614
08:01:40 INFO - GECKO(4892) | #13 0x7ffc8fede8ea in Interpret z:\build\build\src\js\src\vm\Interpreter.cpp:3494
08:01:40 INFO - GECKO(4892) | #14 0x7ffc8fed9cec in js::RunScript(struct JSContext *,class js::RunState &) z:\build\build\src\js\src\vm\Interpreter.cpp:447
08:01:40 INFO - GECKO(4892) | #15 0x7ffc8ff1647e in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:587
08:01:40 INFO - GECKO(4892) | #16 0x7ffc8ff18995 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:614
08:01:40 INFO - GECKO(4892) | #17 0x7ffc8ff18bc6 in js::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class js::AnyInvokeArgs const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:634
08:01:40 INFO - GECKO(4892) | #18 0x7ffc8ec7f642 in js::fun_apply(struct JSContext *,unsigned int,union JS::Value *) z:\build\build\src\js\src\vm\JSFunction.cpp:1383
08:01:40 INFO - GECKO(4892) | #19 0x7ffc8ff15b31 in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:560
08:01:40 INFO - GECKO(4892) | #20 0x7ffc8ff18995 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:614
08:01:40 INFO - GECKO(4892) | #21 0x7ffc8fede8ea in Interpret z:\build\build\src\js\src\vm\Interpreter.cpp:3494
08:01:40 INFO - GECKO(4892) | #22 0x7ffc8fed9cec in js::RunScript(struct JSContext *,class js::RunState &) z:\build\build\src\js\src\vm\Interpreter.cpp:447
08:01:40 INFO - GECKO(4892) | #23 0x7ffc8ff1647e in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:587
08:01:40 INFO - GECKO(4892) | #24 0x7ffc8ff18995 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:614
08:01:40 INFO - GECKO(4892) | #25 0x7ffc8ff18bc6 in js::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class js::AnyInvokeArgs const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:634
08:01:40 INFO - GECKO(4892) | #26 0x7ffc8ec7f642 in js::fun_apply(struct JSContext *,unsigned int,union JS::Value *) z:\build\build\src\js\src\vm\JSFunction.cpp:1383
08:01:40 INFO - GECKO(4892) | #27 0x7ffc8ff15b31 in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:560
08:01:40 INFO - GECKO(4892) | #28 0x7ffc8ff18995 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:614
08:01:40 INFO - GECKO(4892) | #29 0x7ffc909b9183 in js::jit::DoCallFallback z:\build\build\src\js\src\jit\BaselineIC.cpp:3943
08:01:40 INFO - GECKO(4892) | #30 0xe3fd144dde (<unknown module>)
08:01:40 INFO - GECKO(4892) | 0x11e31fbfef52 is located 2 bytes inside of 44-byte region [0x11e31fbfef50,0x11e31fbfef7c)
08:01:40 INFO - GECKO(4892) | freed by thread T0 here:
08:01:40 INFO - GECKO(4892) | #0 0x7ffcaac63fd0 in free Z:\task_1543259150\build\src\build\build-clang\build-clang\src\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44
08:01:40 INFO - GECKO(4892) | #1 0x7ffc90620ce1 in JS::GCHashMap<struct js::jit::CacheIRStubKey,class js::ReadBarriered<class js::jit::JitCode *>,struct js::jit::CacheIRStubKey,class js::SystemAllocPolicy,struct js::jit::IcStubCodeMapGCPolicy<struct js::jit::CacheIRStubKey> >::sweep(void) z:\build\build\src\obj-firefox\dist\include\js\GCHashTable.h:81
08:01:40 INFO - GECKO(4892) | #2 0x7ffc8f4cd3c9 in js::gc::GCRuntime::sweepJitDataOnMainThread(class js::FreeOp *) z:\build\build\src\js\src\gc\GC.cpp:5883
08:01:40 INFO - GECKO(4892) | #3 0x7ffc8f4d0257 in js::gc::GCRuntime::beginSweepingSweepGroup(class js::FreeOp *,class js::SliceBudget &) z:\build\build\src\js\src\gc\GC.cpp:6055
08:01:40 INFO - GECKO(4892) | #4 0x7ffc8f5513cc in sweepaction::SweepActionSequence<class js::gc::GCRuntime *,class js::FreeOp *,class js::SliceBudget &>::run(class js::gc::GCRuntime *,class js::FreeOp *,class js::SliceBudget &) z:\build\build\src\js\src\gc\GC.cpp:6715
08:01:40 INFO - GECKO(4892) | #5 0x7ffc8f551cd6 in sweepaction::SweepActionRepeatFor<class js::gc::SweepGroupsIter,struct JSRuntime *,class js::gc::GCRuntime *,class js::FreeOp *,class js::SliceBudget &>::run(class js::gc::GCRuntime *,class js::FreeOp *,class js::SliceBudget &) z:\build\build\src\js\src\gc\GC.cpp:6779
08:01:40 INFO - GECKO(4892) | #6 0x7ffc8f4ddf27 in js::gc::GCRuntime::performSweepActions(class js::SliceBudget &) z:\build\build\src\js\src\gc\GC.cpp:6955
08:01:40 INFO - GECKO(4892) | #7 0x7ffc8f4e5376 in js::gc::GCRuntime::incrementalSlice(class js::SliceBudget &,enum JS::gcreason::Reason,class js::gc::AutoGCSession &) z:\build\build\src\js\src\gc\GC.cpp:7558
08:01:40 INFO - GECKO(4892) | #8 0x7ffc8f4e8577 in js::gc::GCRuntime::gcCycle(bool,class js::SliceBudget &,enum JS::gcreason::Reason) z:\build\build\src\js\src\gc\GC.cpp:7914
08:01:40 INFO - GECKO(4892) | #9 0x7ffc8f4ec9af in js::gc::GCRuntime::collect(bool,class js::SliceBudget,enum JS::gcreason::Reason) z:\build\build\src\js\src\gc\GC.cpp:8095
08:01:40 INFO - GECKO(4892) | #10 0x7ffc8f4f82fd in JS::IncrementalGCSlice(struct JSContext *,enum JS::gcreason::Reason,__int64) z:\build\build\src\js\src\gc\GC.cpp:9091
08:01:40 INFO - GECKO(4892) | #11 0x7ffc839d86e6 in nsJSContext::GarbageCollectNow(enum JS::gcreason::Reason,enum nsJSContext::IsIncremental,enum nsJSContext::IsShrinking,__int64) z:\build\build\src\dom\base\nsJSEnvironment.cpp:1212
08:01:40 INFO - GECKO(4892) | #12 0x7ffc839e9342 in InterSliceGCRunnerFired(class mozilla::TimeStamp,void *) z:\build\build\src\dom\base\nsJSEnvironment.cpp:1853
08:01:40 INFO - GECKO(4892) | #13 0x7ffc83a14e55 in std::_Func_impl_no_alloc<`lambda at z:/build/build/src/dom/base/nsJSEnvironment.cpp:2405:34',bool,mozilla::TimeStamp>::_Do_call z:\build\build\src\vs2017_15.8.4\VC\include\functional:1227
08:01:40 INFO - GECKO(4892) | #14 0x7ffc7fbbe974 in mozilla::IdleTaskRunner::Run(void) z:\build\build\src\xpcom\threads\IdleTaskRunner.cpp:63
08:01:40 INFO - GECKO(4892) | #15 0x7ffc7fbbfafc in mozilla::TimedOut z:\build\build\src\xpcom\threads\IdleTaskRunner.cpp:85
08:01:40 INFO - GECKO(4892) | #16 0x7ffc7fc31a52 in nsTimerImpl::Fire(int) z:\build\build\src\xpcom\threads\nsTimerImpl.cpp:684
08:01:40 INFO - GECKO(4892) | #17 0x7ffc7fbf0eb7 in nsTimerEvent::Run(void) z:\build\build\src\xpcom\threads\TimerThread.cpp:297
08:01:40 INFO - GECKO(4892) | #18 0x7ffc7fc06215 in nsThread::ProcessNextEvent(bool,bool *) z:\build\build\src\xpcom\threads\nsThread.cpp:1244
08:01:40 INFO - GECKO(4892) | #19 0x7ffc7fc0eaf8 in NS_ProcessNextEvent(class nsIThread *,bool) z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:530
08:01:40 INFO - GECKO(4892) | #20 0x7ffc80cc7959 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) z:\build\build\src\ipc\glue\MessagePump.cpp:97
08:01:40 INFO - GECKO(4892) | #21 0x7ffc80c26b2e in MessageLoop::RunHandler(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:318
08:01:40 INFO - GECKO(4892) | #22 0x7ffc80c268b6 in MessageLoop::Run(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:298
08:01:40 INFO - GECKO(4892) | #23 0x7ffc89bedc1a in nsBaseAppShell::Run(void) z:\build\build\src\widget\nsBaseAppShell.cpp:158
08:01:40 INFO - GECKO(4892) | #24 0x7ffc89d7e0a7 in nsAppShell::Run(void) z:\build\build\src\widget\windows\nsAppShell.cpp:420
08:01:40 INFO - GECKO(4892) | #25 0x7ffc8e265c2e in nsAppStartup::Run(void) z:\build\build\src\toolkit\components\startup\nsAppStartup.cpp:290
08:01:40 INFO - GECKO(4892) | #26 0x7ffc8e52592e in XREMain::XRE_mainRun(void) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4790
08:01:40 INFO - GECKO(4892) | #27 0x7ffc8e52a231 in XREMain::XRE_main(int,char * * const,struct mozilla::BootstrapConfig const &) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4935
08:01:40 INFO - GECKO(4892) | #28 0x7ffc8e52c466 in XRE_main(int,char * * const,struct mozilla::BootstrapConfig const &) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:5027
08:01:40 INFO - GECKO(4892) | #29 0x7ff721051d5d (Z:\task_1543563625\build\application\firefox\firefox.exe+0x140001d5d)
08:01:40 INFO - GECKO(4892) | previously allocated by thread T0 here:
08:01:40 INFO - GECKO(4892) | #0 0x7ffcaac640c0 in malloc Z:\task_1543259150\build\src\build\build-clang\build-clang\src\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:60
08:01:40 INFO - GECKO(4892) | #1 0x7ffc9042d882 in js::jit::CacheIRStubInfo::New(enum js::jit::CacheKind,enum js::jit::ICStubEngine,bool,unsigned int,class js::jit::CacheIRWriter const &) z:\build\build\src\js\src\jit\CacheIRCompiler.cpp:1167
08:01:40 INFO - GECKO(4892) | #2 0x7ffc90db0a98 in js::jit::AttachBaselineCacheIRStub(struct JSContext *,class js::jit::CacheIRWriter const &,enum js::jit::CacheKind,enum js::jit::BaselineCacheIRStubKind,class JSScript *,class js::jit::ICFallbackStub *,bool *) z:\build\build\src\js\src\jit\BaselineCacheIRCompiler.cpp:2274
08:01:40 INFO - GECKO(4892) | #3 0x7ffc909e15ca in js::jit::DoNewObject z:\build\build\src\js\src\jit\BaselineIC.cpp:6113
08:01:40 INFO - GECKO(4892) | #4 0xe3fd14480f (<unknown module>)
08:01:40 INFO - GECKO(4892) | SUMMARY: AddressSanitizer: heap-use-after-free z:\build\build\src\js\src\jit\BaselineIC.cpp:530 in js::jit::ICStub::makesGCCalls(void)const
08:01:40 INFO - GECKO(4892) | Shadow bytes around the buggy address:
08:01:40 INFO - GECKO(4892) | 0x0417833ffd90: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
08:01:40 INFO - GECKO(4892) | 0x0417833ffda0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
08:01:40 INFO - GECKO(4892) | 0x0417833ffdb0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
08:01:40 INFO - GECKO(4892) | 0x0417833ffdc0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
08:01:40 INFO - GECKO(4892) | 0x0417833ffdd0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
08:01:40 INFO - GECKO(4892) | =>0x0417833ffde0: fa fa fd fd fd fd fd fa fa fa[fd]fd fd fd fd fd
08:01:40 INFO - GECKO(4892) | 0x0417833ffdf0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
08:01:40 INFO - GECKO(4892) | 0x0417833ffe00: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
08:01:40 INFO - GECKO(4892) | 0x0417833ffe10: fa fa 00 00 00 00 00 05 fa fa fd fd fd fd fd fd
08:01:40 INFO - GECKO(4892) | 0x0417833ffe20: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
08:01:40 INFO - GECKO(4892) | 0x0417833ffe30: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
08:01:40 INFO - GECKO(4892) | Shadow byte legend (one shadow byte represents 8 application bytes):
08:01:40 INFO - GECKO(4892) | Addressable: 00
08:01:40 INFO - GECKO(4892) | Partially addressable: 01 02 03 04 05 06 07
08:01:40 INFO - GECKO(4892) | Heap left redzone: fa
08:01:40 INFO - GECKO(4892) | Freed heap region: fd
08:01:40 INFO - GECKO(4892) | Stack left redzone: f1
08:01:40 INFO - GECKO(4892) | Stack mid redzone: f2
08:01:40 INFO - GECKO(4892) | Stack right redzone: f3
08:01:40 INFO - GECKO(4892) | Stack after return: f5
08:01:40 INFO - GECKO(4892) | Stack use after scope: f8
08:01:40 INFO - GECKO(4892) | Global redzone: f9
08:01:40 INFO - GECKO(4892) | Global init order: f6
08:01:40 INFO - GECKO(4892) | Poisoned by user: f7
08:01:40 INFO - GECKO(4892) | Container overflow: fc
08:01:40 INFO - GECKO(4892) | Array cookie: ac
08:01:40 INFO - GECKO(4892) | Intra object redzone: bb
08:01:40 INFO - GECKO(4892) | ASan internal: fe
08:01:40 INFO - GECKO(4892) | Left alloca redzone: ca
08:01:40 INFO - GECKO(4892) | Right alloca redzone: cb
08:01:40 INFO - GECKO(4892) | Shadow gap: cc
08:01:40 INFO - GECKO(4892) | ==7568==ABORTING
08:01:40 INFO - TEST-INFO | Main app process: exit 1
08:01:40 INFO - Buffered messages logged at 08:01:39
08:01:40 INFO - Entering test bound
Not sure if the Profiler being on the stack is relevant or not here.
Group: core-security → javascript-core-security
What's happening is:
(1) We malloc a CacheIRStubInfo for a NewObject IC stub. This is then stored in baselineCacheIRStubCodes_ with the corresponding JitCode.
(2) We free this stub under GCRuntime::sweepJitDataOnMainThread. Probably because we didn't mark the IC stub's JitCode.
(3) Enabling the Gecko profiler releases all JIT code and we end up in ICScript::purgeOptimizedStubs where we access the freed CacheIRStubInfo under ICStub::makesGCCalls.
Question is why we think the stub's JIT code is dead in (2) if there clearly is an IC stub using it.
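The three-step sequence in the comment above, modelled as an added C++ illustration rather than SpiderMonkey code: a weak-swept cache owns the stub-info records, an IC stub keeps a raw pointer to one, and a GC cycle in which the stub's code is not marked frees the record out from under it. All names here (JitCodeModel, StubInfoModel, ICStubModel, StubCodeCache, stubsSurviveGC) are hypothetical stand-ins, and the stub keys are constructed sample values.

```cpp
#include <memory>
#include <unordered_map>
#include <vector>

// Hypothetical stand-ins for JitCode and CacheIRStubInfo, not SpiderMonkey's types.
struct JitCodeModel { bool marked = false; };
struct StubInfoModel { bool makesGCCalls = false; };
// Hypothetical IC stub: points at cached code and keeps a raw, non-owning pointer to the
// StubInfo. That raw pointer is what dangles after a premature sweep.
struct ICStubModel { JitCodeModel* code; StubInfoModel* info; };
// Stub-code cache keyed by stub key and swept like a weak map: every entry whose code
// was not marked in the current GC cycle is freed together with its StubInfo.
class StubCodeCache {
    struct Entry { std::unique_ptr<JitCodeModel> code; std::unique_ptr<StubInfoModel> info; };
    std::unordered_map<unsigned, Entry> entries_;
public:
    ICStubModel attach(unsigned key, bool makesGCCalls) {
        Entry& e = entries_[key];
        if (!e.code) {                       // first stub with this key allocates code + info
            e.code = std::make_unique<JitCodeModel>();
            e.info = std::make_unique<StubInfoModel>();
            e.info->makesGCCalls = makesGCCalls;
        }
        return ICStubModel{e.code.get(), e.info.get()};
    }
    // Weak sweep: free unmarked entries, clear marks on survivors; returns how many were freed.
    int sweep() {
        int freed = 0;
        for (auto it = entries_.begin(); it != entries_.end();) {
            if (!it->second.code->marked) { it = entries_.erase(it); ++freed; }
            else { it->second.code->marked = false; ++it; }
        }
        return freed;
    }
    // True if `info` is still owned by a live entry. A stub whose info fails this check
    // would read freed memory, which is what ASan flagged inside makesGCCalls.
    bool owns(const StubInfoModel* info) const {
        for (const auto& kv : entries_) if (kv.second.info.get() == info) return true;
        return false;
    }
};
// Marking step that traces every live IC stub's code; the bug corresponds to skipping it.
void markLiveStubs(const std::vector<ICStubModel>& live) {
    for (const ICStubModel& s : live) s.code->marked = true;
}
// One GC cycle over two live stubs, traced or not; true if every stub's StubInfo survived.
bool stubsSurviveGC(bool traceStubs) {
    StubCodeCache cache;
    std::vector<ICStubModel> live{cache.attach(0x1001, true), cache.attach(0x1002, false)};
    if (traceStubs) markLiveStubs(live);
    cache.sweep();
    for (const ICStubModel& s : live) if (!cache.owns(s.info)) return false;
    return true;
}
```

The `owns` check stands in for the assertion a debug build could make before dereferencing stub info; in the real report ASan's shadow byte `fd` (freed heap region) at the faulting address is what caught the same condition.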
decoder is also seeing this in fuzzing. I'm investigating.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: javascript-core-security