Closed Bug 1514835 Opened 5 years ago Closed 5 years ago

Assertion failure: s_.payload_.why_ == why, at /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Value.h:658

Categories

(Core :: JavaScript Engine: JIT, defect)

Version: 66 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking

RESOLVED DUPLICATE of bug 1511538
Tracking Status
firefox66 --- affected

People

(Reporter: nils, Unassigned)

Details

(Keywords: sec-high)

The following testcase crashes the latest debug build of the jsshell. It requires the --ion-offthread-compile=off --ion-eager flags.

Testcase:
// Two holey arrays (length 100, no own elements) and one packed array of doubles.
o0=new Array(100);
o1=[1.1,2.2,3.3];
o4=new Array(100);
// Array.prototype.flat through a computed property name; the depth argument is an
// array (coerced to a number) and the second argument is ignored.
o4['flat'](o4,o0);
// Array.prototype.some with a non-callable predicate throws a TypeError, which is swallowed.
try{o0['some'](undefined,undefined)}catch(e){};
// flat() with a NaN depth (treated as 0) over the holey array.
o4.flat(NaN);
// flatMap with an empty mapper and a non-object thisArg.
o1.flatMap(fun0,true);
function fun0() {
}

Debugger output:
lldb-6.0 -- ./build/js --ion-offthread-compile=off --ion-eager  bug1.js
(lldb) target create "./build/js"
Current executable set to './build/js' (x86_64).
(lldb) settings set -- target.run-args  "--ion-offthread-compile=off" "--ion-eager" "bug1.js"
(lldb) r
Process 26198 launched: './build/js' (x86_64)
Assertion failure: s_.payload_.why_ == why, at /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Value.h:658
Process 26198 stopped
* thread #1, name = 'js', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
    frame #0: 0x00005555561ab26b js`js::jit::GetPropIRGenerator::tryAttachMagicArgumentsName(js::jit::ValOperandId, JS::Handle<JS::PropertyKey>) + 891
js`js::jit::GetPropIRGenerator::tryAttachMagicArgumentsName:
->  0x5555561ab26b <+891>: movl   $0x292, 0x0               ; imm = 0x292
    0x5555561ab276 <+902>: callq  0x5555557655f2            ; abort
    0x5555561ab27b <+907>: leaq   0x922885(%rip), %rdi
    0x5555561ab282 <+914>: leaq   0x921f52(%rip), %rsi
(lldb) bt 16
* thread #1, name = 'js', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
  * frame #0: 0x00005555561ab26b js`js::jit::GetPropIRGenerator::tryAttachMagicArgumentsName(js::jit::ValOperandId, JS::Handle<JS::PropertyKey>) + 891
    frame #1: 0x00005555561a43d2 js`js::jit::GetPropIRGenerator::tryAttachStub() + 994
    frame #2: 0x000055555609c88f js`js::jit::DoGetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetProp_Fallback*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) + 687
    frame #3: 0x00001543e1bacd2f
(lldb)
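As an added example (not code from this bug or from SpiderMonkey), the small triage helper below does the two things a reproducer like the one in comment 0 needs automated: it pulls the MOZ_ASSERT condition, file, line and the lldb top frame out of the shell output, and it searches for the smallest subset of shell flags that still reproduces the assertion, so a report can state exactly which flags are required. The sample output is constructed from the lines above; the extra flags, the shell path and the `fake_run` stand-in are assumptions for the demo.

```python
# Added example (not from the bug or from SpiderMonkey): triage helper for
# fuzz-shell crashes. Parses the assertion and top frame out of shell/lldb
# output and finds the smallest flag subset that still reproduces it.
import re
import subprocess
from itertools import combinations
from typing import Callable, Dict, Optional, Sequence, Tuple

# "Assertion failure: <condition>, at <file>:<line>" as printed by MOZ_ASSERT.
ASSERT_RE = re.compile(
    r"^Assertion failure: (?P<cond>.+), at (?P<file>\S+):(?P<line>\d+)\s*$", re.M
)
# lldb's "frame #0: 0x... js`<function> + <offset>" line.
FRAME0_RE = re.compile(r"frame #0: 0x[0-9a-fA-F]+ js`(?P<func>.+?) \+ \d+\s*$", re.M)


def parse_assertion(output: str) -> Optional[Dict[str, str]]:
    """Return {'cond', 'file', 'line'} for the first MOZ_ASSERT failure, else None."""
    m = ASSERT_RE.search(output)
    return m.groupdict() if m else None


def parse_top_frame(output: str) -> Optional[str]:
    """Return the function named in lldb frame #0, else None."""
    m = FRAME0_RE.search(output)
    return m.group("func") if m else None


def classify(output: str) -> str:
    """Distinguish a deliberate MOZ_CRASH null write from an unexplained SIGSEGV.

    Debug builds crash after a failed assertion by storing __LINE__ to address 0,
    so "fault address: 0x0" right after an assertion line is expected and says
    nothing about memory corruption at that site.
    """
    if parse_assertion(output):
        return "assertion"
    if "SIGSEGV" in output:
        return "segv"
    return "clean"


def minimal_flags(
    run: Callable[[Sequence[str]], str], flags: Sequence[str]
) -> Optional[Tuple[str, ...]]:
    """Smallest subset of `flags` (by size, then order) whose run still asserts.

    `run` takes a flag list and returns the shell's combined stdout+stderr.
    Exhaustive over subsets, which is fine for the handful of JIT flags a
    fuzz harness usually passes.
    """
    for k in range(len(flags) + 1):
        for subset in combinations(flags, k):
            if classify(run(subset)) == "assertion":
                return subset
    return None


def make_shell_runner(js_path: str, testcase: str, timeout: float = 30.0):
    """Build a `run` callable that invokes a real JS shell (path is an assumption)."""

    def run(flags: Sequence[str]) -> str:
        proc = subprocess.run(
            [js_path, *flags, testcase], capture_output=True, text=True, timeout=timeout
        )
        return proc.stdout + proc.stderr

    return run


# Constructed sample: the assertion and frame lines taken from the report above.
SAMPLE_OUTPUT = (
    "Assertion failure: s_.payload_.why_ == why, at "
    "/builds/worker/workspace/build/src/obj-firefox/dist/include/js/Value.h:658\n"
    "Process 26198 stopped\n"
    "* thread #1, name = 'js', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)\n"
    "    frame #0: 0x00005555561ab26b js`js::jit::GetPropIRGenerator::"
    "tryAttachMagicArgumentsName(js::jit::ValOperandId, JS::Handle<JS::PropertyKey>) + 891\n"
)

# Stand-in for the shell (assumption): only the two flags from the report reproduce.
REQUIRED = ("--ion-offthread-compile=off", "--ion-eager")


def fake_run(flags: Sequence[str]) -> str:
    return SAMPLE_OUTPUT if all(f in flags for f in REQUIRED) else "ok\n"


if __name__ == "__main__":
    info = parse_assertion(SAMPLE_OUTPUT)
    print(f"{classify(SAMPLE_OUTPUT)}: {info['cond']} ({info['file']}:{info['line']})")
    print("top frame:", parse_top_frame(SAMPLE_OUTPUT))
    # Extra flags are assumptions; swap fake_run for make_shell_runner(...) on a real shell.
    print("minimal flags:", minimal_flags(fake_run, [*REQUIRED, "--baseline-eager", "--no-threads"]))
```

Two details of the output above are worth reading correctly when triaging. The SIGSEGV at fault address 0x0 is the deliberate null store MOZ_CRASH performs after the assertion message (the disassembly shows `movl $0x292, 0x0`, and 0x292 is 658, the Value.h line in the message), so the segfault itself is not the bug. The bug is what the assertion guards: the check in Value.h compares a magic value's stored `why_` with the kind the caller asked for, and MOZ_ASSERT is compiled out of release builds, so an opt shell would continue past this point with a magic value of the wrong kind.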
This could be a duplicate of bug 1511538, :jandem can you verify that? Thanks!
Flags: needinfo?(jdemooij)
Group: core-security → javascript-core-security
Sounds kind of bad, so I'm going to mark this sec-high.
Keywords: sec-high
Sorry for the late reply. Yeah it's probably a duplicate of bug 1511538, but let's wait until we have a fix for that so we can make sure.
Flags: needinfo?(jdemooij) → needinfo?(nicolas.b.pierron)

Nicolas, since 1511538 seems to now be fixed, does it make sense to validate that it is a duplicate (as suggested by Jan in comment 3)?

After verification, the test case from comment 0 is indeed fixed by the patch provided in Bug 1511538.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE

Removing employee no longer with company from CC list of private bugs.

Group: javascript-core-security