Bug 1548538 (Closed): Assertion failure: getter.isInterpretedLazy(), at js/src/jit/CacheIR.cpp:449
Opened 5 years ago
Closed 5 years ago
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla68

Tracking | Status
---|---
firefox-esr60 | unaffected
firefox67 | unaffected
firefox68 | fixed
People
(Reporter: decoder, Assigned: iain)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
Description • 5 years ago (Reporter)

The following testcase crashes on mozilla-central revision e8766f96041a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --baseline-eager):

```js
function __f_19() {
"use asm";
return {}
}
var sym = Symbol();
var o = {};
o.__defineGetter__(sym, __f_19);
o[sym];
```
Backtrace:

```
received signal SIGSEGV, Segmentation fault.
IsCacheableGetPropCallScripted (obj=0x1101f0d891c0, holder=<optimized out>, shape=<optimized out>, isTemporarilyUnoptimizable=0x7fffffffc127) at js/src/jit/CacheIR.cpp:449
#0 IsCacheableGetPropCallScripted (obj=0x1101f0d891c0, holder=<optimized out>, shape=<optimized out>, isTemporarilyUnoptimizable=0x7fffffffc127) at js/src/jit/CacheIR.cpp:449
#1 0x00005555561aa66e in CanAttachNativeGetProp (cx=0x7ffff5f19000, obj=..., id=..., holder=holder@entry=..., shape=shape@entry=..., pc=0x7ffff5ffb6ec "7Q\231Ш\005\235\n\270\260Ӡ\235\b\270\260ˠ\270\260֘\002\260\244\270\260̠\260", resultFlags=js::jit::GetPropertyResultFlags::All) at js/src/jit/CacheIR.cpp:591
#2 0x00005555561da081 in js::jit::GetPropIRGenerator::tryAttachNative (this=this@entry=0x7fffffffc320, obj=obj@entry=..., objId=..., objId@entry=..., id=id@entry=...) at js/src/jit/CacheIR.cpp:1037
#3 0x00005555561e17e6 in js::jit::GetPropIRGenerator::tryAttachStub (this=this@entry=0x7fffffffc320) at js/src/jit/CacheIR.cpp:266
#4 0x000055555608dee8 in js::jit::TryAttachGetPropStub (name=name@entry=0x555556b2af46 "GetElem", cx=<optimized out>, frame=frame@entry=0x7fffffffc750, stub=stub@entry=0x7ffff58f13f0, kind=kind@entry=<incomplete type>, val=..., idVal=..., receiver=...) at js/src/jit/BaselineIC.cpp:2060
#5 0x00005555560b4597 in js::jit::DoGetElemFallback (cx=<optimized out>, frame=0x7fffffffc750, stub=0x7ffff58f13f0, lhs=..., rhs=..., res=...) at js/src/jit/BaselineIC.cpp:2121
#6 0x000017638f863af3 in ?? ()
[...]
#20 0x0000000000000000 in ?? ()
rax 0x555557c9d9a0 93825033427360
rbx 0x137c5f8005a8 21424899098024
rcx 0x7ffff6c1c2dd 140737333281501
rdx 0x555556c2a748 93825016178504
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffc0f0 140737488339184
rsp 0x7fffffffc0c0 140737488339136
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6cc0 140737354034368
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x1101f0d891c0 18700033364416
r13 0x7fffffffc127 140737488339239
r14 0x7fffffffc0c0 140737488339136
r15 0x7fffffffc1b0 140737488339376
rip 0x5555561a758d <IsCacheableGetPropCallScripted(JSObject*, JSObject*, js::Shape*, bool*)+317>
=> 0x5555561a758d <IsCacheableGetPropCallScripted(JSObject*, JSObject*, js::Shape*, bool*)+317>: movl $0x0,0x0
0x5555561a7598 <IsCacheableGetPropCallScripted(JSObject*, JSObject*, js::Shape*, bool*)+328>: ud2
```
Marking s-s until investigated because the test involves Symbol and is a JIT assertion.
Comment 1 • 5 years ago (Assignee)
Not a sec bug. I added an assertion while refactoring some of the GetProp IC code, and did not realize that asm.js functions could reach that point. It should be a one-line fix. Patch coming shortly.
Assignee: nobody → iireland
Group: javascript-core-security
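The reduced testcase above hits the attach path only once and relies on --baseline-eager to get there. As an added example (not part of the bug report or of the Firefox fix), here is a regression-style harness that generalizes it: the same asm.js module function and an ordinary scripted getter are installed via `__defineGetter__`, `Object.defineProperty`, and on a prototype (so the IC sees a holder distinct from the receiver, as in the backtrace), keyed by both a symbol and a string, and each property is read in a loop. The loop is an assumption: in a build without --baseline-eager, repeated reads are what make the baseline GetProp/GetElem fallback try to attach a stub. All function names (`asmModule`, `makeReceivers`, `hammer`, `runRegression`, `allPassed`) are my own; it runs in Node, d8, or the SpiderMonkey shell.

```javascript
"use strict";

// The asm.js module from the testcase. A compliant engine treats this as an
// asm.js module, not an ordinary lazily-parsed function, which is what the
// getter.isInterpretedLazy() assertion did not anticipate.
function asmModule() {
  "use asm";
  return {};
}

// An ordinary scripted getter: the case the assertion was written for.
function plainGetter() {
  return {};
}

// Install `getter` under `key` in the three ways a getter can reach a
// GetProp/GetElem IC and return the receiver objects.
function makeReceivers(getter, key) {
  const viaDefineGetter = {};
  viaDefineGetter.__defineGetter__(key, getter);

  const viaDefineProperty = {};
  Object.defineProperty(viaDefineProperty, key, { get: getter, configurable: true });

  // Getter lives on the prototype: holder !== receiver, as in the backtrace.
  const proto = {};
  Object.defineProperty(proto, key, { get: getter });
  const viaPrototype = Object.create(proto);

  return { viaDefineGetter, viaDefineProperty, viaPrototype };
}

// Read o[key] `iterations` times so a JIT warms up its inline caches.
// Returns how many reads produced an object, which both getters always do.
function hammer(o, key, iterations = 2000) {
  let ok = 0;
  for (let i = 0; i < iterations; i++) {
    const v = o[key];
    if (v !== null && typeof v === "object") {
      ok++;
    }
  }
  return ok;
}

// Run every getter/key/installation combination; returns a map from
// "getter/key/how" to the number of well-behaved reads.
function runRegression(iterations = 2000) {
  const results = {};
  const keys = { symbol: Symbol("k"), string: "k" };
  for (const [getterName, getter] of [["asm", asmModule], ["plain", plainGetter]]) {
    for (const [keyName, key] of Object.entries(keys)) {
      const receivers = makeReceivers(getter, key);
      for (const [how, o] of Object.entries(receivers)) {
        results[`${getterName}/${keyName}/${how}`] = hammer(o, key, iterations);
      }
    }
  }
  return results;
}

// True when every combination survived all reads.
function allPassed(results, iterations = 2000) {
  return Object.values(results).every((n) => n === iterations);
}

const results = runRegression();
console.log(allPassed(results) ? "all getter paths OK" : results);
```

On a debug build carrying the faulty assertion, the `asm/*` combinations abort inside IsCacheableGetPropCallScripted once the IC tries to attach; on a fixed build, or on any engine that simply treats the asm.js module as a callable, every combination returns an object on every read and `allPassed` is true.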
Updated • 5 years ago
Priority: -- → P1
Comment 2 • 5 years ago (Assignee)
Cleaning some stuff up while we're touching this code.
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/87ead560a269 Refactor IsCacheableGetPropCall r=tcampbell
Comment 4 • 5 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68