Crash [@ ??] with BigInt64Array and --no-ggc
Categories: Core :: JavaScript Engine, defect, P1
Tracking:
Version | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox72 | --- | unaffected
firefox73 | --- | unaffected
firefox74 | + | fixed
People: Reporter: gkw, Assigned: anba
References: Regression
Details: 5 keywords, Whiteboard: [fuzzblocker][jsbugmon:update][post-critsmash-triage]
Crash Data
Attachments: 2 files
The following testcase crashes on mozilla-central revision e728bf01a2b6 (build with --enable-debug --disable-optimize, run with --fuzzing-safe --no-threads --no-baseline --no-ion --no-ggc):
+new BigInt64Array(12);
Backtrace:
#0 0x0000200d8f31149a in ?? ()
#1 0x0000200d8f305503 in ?? ()
#2 0xfffe30c327f7b2e0 in ?? ()
#3 0xfffb30c327f00640 in ?? ()
#4 0xfffcb0c327fa60d0 in ?? ()
#5 0xfffb30c327fa70e0 in ?? ()
#6 0xfff880000000000b in ?? ()
/snip
For detailed crash information, see attachment.
This involves BigInt64Array, a fairly new feature, so setting s-s as a start though I think this can be opened up quickly. Also setting [fuzzblocker] as this is happening frequently.
Comment 2•4 years ago
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/a0d1fb0a86b0
user: André Bargull
date: Mon Jan 06 12:49:45 2020 +0000
summary: Bug 1530372 - Part 4: Support nursery allocation for BigInt. r=sfink,jandem
Andre, is bug 1530372 a likely regressor?