Closed
Bug 1514835
Opened 5 years ago
Closed 5 years ago
Assertion failure: s_.payload_.why_ == why, at /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Value.h:658
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED DUPLICATE of bug 1511538

| | Tracking | Status |
|---|---|---|
| firefox66 | --- | affected |
People
(Reporter: nils, Unassigned)
Details
(Keywords: sec-high)
Description

The following testcase crashes the latest debug build of the jsshell. It requires the --ion-offthread-compile=off --ion-eager flags.

Testcase:

```js
o0=new Array(100);
o1=[1.1,2.2,3.3];
o4=new Array(100);
o4['flat'](o4,o0);                                 // Array.prototype.flat via a computed property name
try{o0['some'](undefined,undefined)}catch(e){};   // Array.prototype.some with an undefined callback; the TypeError is swallowed
o4.flat(NaN);
o1.flatMap(fun0,true);
function fun0() { }
```

Debugger output:

```
lldb-6.0 -- ./build/js --ion-offthread-compile=off --ion-eager bug1.js
(lldb) target create "./build/js"
Current executable set to './build/js' (x86_64).
(lldb) settings set -- target.run-args "--ion-offthread-compile=off" "--ion-eager" "bug1.js"
(lldb) r
Process 26198 launched: './build/js' (x86_64)
Assertion failure: s_.payload_.why_ == why, at /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Value.h:658
Process 26198 stopped
* thread #1, name = 'js', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
    frame #0: 0x00005555561ab26b js`js::jit::GetPropIRGenerator::tryAttachMagicArgumentsName(js::jit::ValOperandId, JS::Handle<JS::PropertyKey>) + 891
js`js::jit::GetPropIRGenerator::tryAttachMagicArgumentsName:
->  0x5555561ab26b <+891>: movl   $0x292, 0x0               ; imm = 0x292
    0x5555561ab276 <+902>: callq  0x5555557655f2            ; abort
    0x5555561ab27b <+907>: leaq   0x922885(%rip), %rdi
    0x5555561ab282 <+914>: leaq   0x921f52(%rip), %rsi
(lldb) bt 16
* thread #1, name = 'js', stop reason = signal SIGSEGV: invalid address (fault address: 0x0)
  * frame #0: 0x00005555561ab26b js`js::jit::GetPropIRGenerator::tryAttachMagicArgumentsName(js::jit::ValOperandId, JS::Handle<JS::PropertyKey>) + 891
    frame #1: 0x00005555561a43d2 js`js::jit::GetPropIRGenerator::tryAttachStub() + 994
    frame #2: 0x000055555609c88f js`js::jit::DoGetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetProp_Fallback*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) + 687
    frame #3: 0x00001543e1bacd2f
(lldb)
```
Comment 1•5 years ago
This could be a duplicate of bug 1511538, :jandem can you verify that? Thanks!
Flags: needinfo?(jdemooij)
Updated•5 years ago
Group: core-security → javascript-core-security
Comment 3•5 years ago
Sorry for the late reply. Yeah it's probably a duplicate of bug 1511538, but let's wait until we have a fix for that so we can make sure.
Flags: needinfo?(jdemooij) → needinfo?(nicolas.b.pierron)
Comment 4•5 years ago
Nicolas, since 1511538 seems to now be fixed, does it make sense to validate that it is a duplicate (as suggested by Jan in comment 3)?
Comment 5•5 years ago
After verification, the test case from comment 0 is indeed fixed by the patch provided in Bug 1511538.
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
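Comments 3 to 5 settle the duplicate question by rerunning the comment 0 testcase against a build carrying the bug 1511538 patch. The script below is an added example of that verification step, not code from the bug report or from the SpiderMonkey tree: it runs each testcase under the same flags the reporter used and classifies the outcome, so a batch of fuzzer-found cases can be checked against a candidate fix in one pass. JS_SHELL (defaulting to ./build/js) and the four outcome labels are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the bug report or of the SpiderMonkey project:
# rerun jsshell testcases under the reporter's flags and classify each result.
# JS_SHELL is assumed to point at a debug build of the SpiderMonkey shell.

JS_SHELL="${JS_SHELL:-./build/js}"
JS_FLAGS="--ion-offthread-compile=off --ion-eager"

# classify_run FILE: prints "assertion", "crash", "error" or "clean".
#   assertion - the debug shell hit a MOZ_ASSERT ("Assertion failure:" in output),
#               which is what comment 0 reports and what a fix must make go away
#   crash     - killed by a signal without an assertion message (exit >= 128)
#   error     - nonzero exit, e.g. an uncaught JS exception or a usage error
#   clean     - exit status 0
classify_run() {
    file="$1"
    status=0
    # '|| status=$?' keeps a failing shell from aborting us under 'set -e'.
    out=$("$JS_SHELL" $JS_FLAGS "$file" 2>&1) || status=$?
    case "$out" in
        *"Assertion failure:"*) echo assertion; return 0 ;;
    esac
    if [ "$status" -ge 128 ]; then
        echo crash
    elif [ "$status" -ne 0 ]; then
        echo error
    else
        echo clean
    fi
}

# Usage: JS_SHELL=./build/js sh triage.sh bug1.js other.js ...
for f in "$@"; do
    echo "$f: $(classify_run "$f")"
done
```

Run it once against the unpatched build to confirm every case still reports "assertion", then against the patched build; any case that still asserts is not covered by the candidate fix and needs its own bug rather than a DUPLICATE resolution.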
Comment 6•4 years ago
Removing employee no longer with company from CC list of private bugs.
Updated•11 months ago
Group: javascript-core-security