Closed Bug 1598973 Opened 5 years ago Closed 5 years ago

Crash [@ js::ToBooleanSlow] or Assertion failure: v.isObject(), at builtin/Boolean.cpp:155

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1598456
Tracking Status
firefox72 --- fixed

People

(Reporter: decoder, Unassigned)

Details

(5 keywords, Whiteboard: [jsbugmon:update,bisect][fuzzblocker])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 80ab213de5a9 (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off test.js):

(function() {
    if (arguments) {}
})();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::ToBooleanSlow (v=...) at js/src/builtin/Boolean.cpp:156
#1  0x000055fb9f87e0e0 in JS::ToBoolean (v=...) at dist/include/js/Conversions.h:128
#2  Interpret (cx=0x7f4c70122000, state=...) at js/src/vm/Interpreter.cpp:2172
#3  0x000055fb9f87f1f4 in js::RunScript (cx=cx@entry=0x7f4c70122000, state=...) at js/src/vm/Interpreter.cpp:423
#4  0x000055fb9f881f1a in js::RunScript (state=..., cx=0x7f4c70122000) at js/src/vm/JSContext.h:628
#5  js::ExecuteKernel (result=0x0, evalInFrame=..., newTargetValue=..., envChainArg=..., script=..., cx=0x7f4c70122000) at js/src/vm/Interpreter.cpp:810
#6  js::Execute (cx=cx@entry=0x7f4c70122000, script=..., envChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:844
#7  0x000055fb9f98f270 in ExecuteScript (cx=cx@entry=0x7f4c70122000, scope=..., scope@entry=..., script=..., rval=rval@entry=0x0) at js/src/vm/CompilationAndEvaluation.cpp:453
#8  0x000055fb9f990698 in JS_ExecuteScript (cx=0x7f4c70122000, scriptArg=...) at js/src/vm/CompilationAndEvaluation.cpp:486
#9  0x000055fb9f7c8219 in RunFile (cx=0x7f4c70122000, filename=0x7ffd1f8fca1d "test.js", file=<optimized out>, compileMethod=<optimized out>, compileOnly=<optimized out>) at js/src/shell/js.cpp:900
#10 0x000055fb9f7c9acd in Process (cx=0x7f4c70122000, filename=0x7ffd1f8fca1d "test.js", forceTTY=<optimized out>, kind=FileScript) at js/src/shell/js.cpp:1513
#11 0x000055fb9f7ca6be in ProcessArgs (cx=0x7f4c70122000, op=0x7ffd1f8faaf0) at js/src/shell/js.cpp:10238
#12 0x000055fb9f7d26db in Shell (envp=<optimized out>, op=0x7ffd1f8faaf0, cx=0x7f4c70122000) at js/src/shell/js.cpp:10833
#13 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11486
rax	0xfffe000000000000	-562949953421312
rbx	0x7f4c70122000	139966274478080
rcx	0xfffa800000000005	-1548112371908603
rdx	0xfffa800000000005	-1548112371908603
rsi	0xfff80000ffffffff	-2251795518717953
rdi	0x4800000000005	1266637395197957
rbp	0x7ffd1f8fa2f0	140725132960496
rsp	0x7ffd1f8f9cf8	140725132958968
r8	0x0	0
r9	0xffffffff	4294967295
r10	0x1	1
r11	0x0	0
r12	0x55fba16cace0	94539233406176
r13	0x7ffd1f8fa0f0	140725132959984
r14	0x7f4c70122020	139966274478112
r15	0x7ffd1f8fa0b0	140725132959920
rip	0x55fb9f8a3df7 <js::ToBooleanSlow(JS::Handle<JS::Value>)+39>
=> 0x55fb9f8a3df7 <js::ToBooleanSlow(JS::Handle<JS::Value>)+39>:	mov    (%rdi),%rax
   0x55fb9f8a3dfa <js::ToBooleanSlow(JS::Handle<JS::Value>)+42>:	mov    (%rax),%rax
Attached file Testcase

Test case and signature are exactly the same as bug 1598456, so I'm going to call this a duplicate.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
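As an added triage helper (not part of this bug report or of the SpiderMonkey tree), the following Python derives the [@ function] crash signature that the duplicate call above compares, from gdb output like the backtrace in the description, and resolves which register the faulting `mov (%rdi),%rax` dereferenced. The sample lines are copied from this report; the function names and regular expressions are my own.

```python
import re

# Constructed sample: a subset of the gdb output pasted in this bug.
SAMPLE = """\
received signal SIGSEGV, Segmentation fault.
#0  js::ToBooleanSlow (v=...) at js/src/builtin/Boolean.cpp:156
#1  0x000055fb9f87e0e0 in JS::ToBoolean (v=...) at dist/include/js/Conversions.h:128
#2  Interpret (cx=0x7f4c70122000, state=...) at js/src/vm/Interpreter.cpp:2172
#3  0x000055fb9f87f1f4 in js::RunScript (cx=cx@entry=0x7f4c70122000, state=...) at js/src/vm/Interpreter.cpp:423
rax\t0xfffe000000000000\t-562949953421312
rdi\t0x4800000000005\t1266637395197957
=> 0x55fb9f8a3df7 <js::ToBooleanSlow(JS::Handle<JS::Value>)+39>:\tmov    (%rdi),%rax
"""

# gdb frame line: "#N  [0xADDR in ]function (args) at file:line"
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.+?) \(.*\) at (\S+):(\d+)$")
# gdb "info registers" line: "rdi<TAB>0x...<TAB>decimal"
REG_RE = re.compile(r"^(r[a-z0-9]+)\t(0x[0-9a-f]+)\t")
# gdb "x/i $pc" line marked with "=>": "... :<TAB>mnemonic operands"
FAULT_RE = re.compile(r"^=> .*:\t(\w+)\s+(.*)$")
MEM_OPERAND_RE = re.compile(r"\((%\w+)\)")


def parse_frames(text):
    """Return [(depth, function, file, line), ...] for every '#N' frame line."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return frames


def crash_signature(text, depth=1):
    """Bugzilla-style signature: the top `depth` frame function names."""
    return [frame[1] for frame in parse_frames(text)[:depth]]


def same_signature(a, b, depth=1):
    """Cheap duplicate check: do two reports share the same top frames?"""
    return crash_signature(a, depth) == crash_signature(b, depth)


def faulting_access(text):
    """Return (mnemonic, register, value) for the memory operand of the '=>' instruction."""
    regs = {m.group(1): int(m.group(2), 16)
            for m in map(REG_RE.match, text.splitlines()) if m}
    for line in text.splitlines():
        f = FAULT_RE.match(line)
        if f:
            mem = MEM_OPERAND_RE.search(f.group(2))
            if mem:
                reg = mem.group(1).lstrip("%")
                return f.group(1), reg, regs.get(reg)
    return None
```

Run against the sample, `crash_signature` yields the `js::ToBooleanSlow` signature from the bug title, and `faulting_access` shows the crash is a read through rdi holding 0x4800000000005, a value that is not a valid pointer.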