Closed Bug 1628836 Opened 5 years ago Closed 5 years ago

Hit MOZ_CRASH(Unhandled op in tryAttachStringInt32Arith) at jit/CacheIR.cpp:7040

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
mozilla77
Tracking Status
firefox-esr68 --- unaffected
firefox75 --- unaffected
firefox76 --- unaffected
firefox77 --- verified

People

(Reporter: decoder, Assigned: anba)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisect][fuzzblocker])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200409-33d2485721c6 (build with --enable-debug, run with --fuzzing-safe --no-threads --baseline-warmup-threshold=0 test.js):

trace = "";
trace ** 2;

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005571a53c6a87 in js::jit::BinaryArithIRGenerator::tryAttachStringInt32Arith() ()
#1  0x00005571a53c516c in js::jit::BinaryArithIRGenerator::tryAttachStub() ()
#2  0x00005571a5274d3a in js::jit::DoBinaryArithFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICBinaryArith_Fallback*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#3  0x00001c0a4b54bb43 in ?? ()
[...]
#18 0x0000000000000000 in ?? ()
rax	0x5571a5e50b2d	93946602916653
rbx	0x7ffc343526c8	140721184384712
rcx	0x5571a6dee850	93946619291728
rdx	0x0	0
rsi	0x7fcf7f659770	140529172322160
rdi	0x7fcf7f658540	140529172317504
rbp	0x7ffc343525e0	140721184384480
rsp	0x7ffc343525a0	140721184384416
r8	0x7fcf7f659770	140529172322160
r9	0x7fcf80752d00	140529190120704
r10	0x58	88
r11	0x7fcf7f3007a0	140529168811936
r12	0xfff8800000000000	-2111062325329920
r13	0xfffb000000000000	-1407374883553280
r14	0x2	2
r15	0x3	3
rip	0x5571a53c6a87 <js::jit::BinaryArithIRGenerator::tryAttachStringInt32Arith()+839>
=> 0x5571a53c6a87 <_ZN2js3jit22BinaryArithIRGenerator25tryAttachStringInt32ArithEv+839>:	movl   $0x1b80,0x0
   0x5571a53c6a92 <_ZN2js3jit22BinaryArithIRGenerator25tryAttachStringInt32ArithEv+850>:	callq  0x5571a46bf706 <abort>

Marking as fuzzblocker because this is so trivial and hit quite often. S-s because it is a JIT assertion.

Attached file Testcase

André, just guessing this is from your changes maybe?

Flags: needinfo?(andrebargull)

Yes, it's caused by bug 1620997. The report probably doesn't need to be hidden, because we're reliably MOZ_CRASH here.

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Flags: needinfo?(andrebargull)
Group: javascript-core-security
Crash Signature: [@ js::jit::BinaryArithIRGenerator::tryAttachStringInt32Arith]
Priority: -- → P1
Pushed by apavel@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d21f8335baa0 Add missing JSOp::Pow case for string-int32 arithmetic in CacheIR. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
Flags: in-testsuite+
Regressed by: 1620997
Has Regression Range: --- → yes
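The fix adds the missing JSOp::Pow case so the string-int32 inline-cache path handles `**` like the other binary operators. The following is an added regression-style check, not the testcase from this bug nor the test landed with the fix: it applies every binary arithmetic operator to string/int32 operand pairs in a hot loop (so a baseline JIT attaches its IC stubs, e.g. under `--baseline-warmup-threshold=0`) and compares each result against a reference computed from plain ToNumber semantics. The operator table, the `expected` oracle and the sample operands are constructed for this example; the `""` / `2` pair under `**` corresponds to the reported crash.

```javascript
// Added example (not from the bug report or the fix): a differential check that
// string/int32 binary arithmetic stays consistent once the code is hot enough
// for a JIT to attach an inline-cache stub.

// Operators the string/int32 arithmetic IC generator is expected to handle.
// JSOp::Pow (**) was the case missing in bug 1628836.
const OPS = {
  "+": (a, b) => a + b,   // string concatenation when either side is a string
  "-": (a, b) => a - b,
  "*": (a, b) => a * b,
  "/": (a, b) => a / b,
  "%": (a, b) => a % b,
  "**": (a, b) => a ** b,
};

// Reference semantics spelled out explicitly, so the hot loop is not its own oracle.
function expected(op, a, b) {
  if (op === "+") return String(a) + String(b);
  const x = Number(a), y = Number(b);   // ToNumber("") is 0, ToNumber("abc") is NaN
  switch (op) {
    case "-": return x - y;
    case "*": return x * y;
    case "/": return x / y;
    case "%": return x % y;
    case "**": return x ** y;
  }
  throw new Error("unknown operator " + op);
}

// Applies each operator `iterations` times with the operands in both orders and
// returns the list of mismatches (empty when the JIT'd results agree with the
// reference). Object.is is used so NaN compares equal to NaN and -0 differs from 0.
function checkStringInt32Arith(str, int, iterations = 1000) {
  const mismatches = [];
  for (const [op, fn] of Object.entries(OPS)) {
    for (const [a, b] of [[str, int], [int, str]]) {
      const want = expected(op, a, b);
      for (let i = 0; i < iterations; i++) {
        const got = fn(a, b);
        if (!Object.is(got, want)) {
          mismatches.push({ op, a, b, got, want });
          break;
        }
      }
    }
  }
  return mismatches;
}

// Constructed operand pairs; the first one is the empty string from the testcase.
const CASES = [["", 2], ["7", 3], ["abc", 1], ["1e2", 2]];

function runAll() {
  return CASES.flatMap(([s, n]) => checkStringInt32Arith(s, n));
}

if (typeof require !== "undefined" && require.main === module) {
  const bad = runAll();
  console.log(bad.length === 0 ? "all operators agree" : JSON.stringify(bad));
}
```

On a build with the fix, `runAll()` returns an empty list; on a pre-fix debug build run under the flags from comment 0, the `**` iteration is the one that would reach the MOZ_CRASH in tryAttachStringInt32Arith rather than return a value, so the check never gets as far as comparing results. The `+` row is included deliberately: it is the only operator where a string operand changes the operation (concatenation) rather than being coerced, and a stub that mishandled that distinction would show up here as a mismatch.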
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200423095248-47426d145e24. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.