Closed
Bug 1628836
Opened 5 years ago
Closed 5 years ago
Hit MOZ_CRASH(Unhandled op in tryAttachStringInt32Arith) at jit/CacheIR.cpp:7040
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
VERIFIED
FIXED
mozilla77
Release | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox75 | --- | unaffected
firefox76 | --- | unaffected
firefox77 | --- | verified
People
(Reporter: decoder, Assigned: anba)
References
(Regression)
Details
(4 keywords, Whiteboard: [bugmon:update,bisect][fuzzblocker])
Crash Data
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20200409-33d2485721c6 (build with --enable-debug, run with --fuzzing-safe --no-threads --baseline-warmup-threshold=0 test.js):
trace = "";
trace ** 2;
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005571a53c6a87 in js::jit::BinaryArithIRGenerator::tryAttachStringInt32Arith() ()
#1 0x00005571a53c516c in js::jit::BinaryArithIRGenerator::tryAttachStub() ()
#2 0x00005571a5274d3a in js::jit::DoBinaryArithFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICBinaryArith_Fallback*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#3 0x00001c0a4b54bb43 in ?? ()
[...]
#18 0x0000000000000000 in ?? ()
rax 0x5571a5e50b2d 93946602916653
rbx 0x7ffc343526c8 140721184384712
rcx 0x5571a6dee850 93946619291728
rdx 0x0 0
rsi 0x7fcf7f659770 140529172322160
rdi 0x7fcf7f658540 140529172317504
rbp 0x7ffc343525e0 140721184384480
rsp 0x7ffc343525a0 140721184384416
r8 0x7fcf7f659770 140529172322160
r9 0x7fcf80752d00 140529190120704
r10 0x58 88
r11 0x7fcf7f3007a0 140529168811936
r12 0xfff8800000000000 -2111062325329920
r13 0xfffb000000000000 -1407374883553280
r14 0x2 2
r15 0x3 3
rip 0x5571a53c6a87 <js::jit::BinaryArithIRGenerator::tryAttachStringInt32Arith()+839>
=> 0x5571a53c6a87 <_ZN2js3jit22BinaryArithIRGenerator25tryAttachStringInt32ArithEv+839>: movl $0x1b80,0x0
0x5571a53c6a92 <_ZN2js3jit22BinaryArithIRGenerator25tryAttachStringInt32ArithEv+850>: callq 0x5571a46bf706 <abort>
Marking as fuzzblocker because this is so trivial and hit quite often. S-s because it is a JIT assertion.
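Added example, not part of the bug report or of the SpiderMonkey test suite: a regression-style check that exercises every binary arithmetic operator on a (string, int32) pair, including the `**` operator whose string-int32 CacheIR case was missing. Each operator is evaluated repeatedly so that a JIT's warm-up thresholds are crossed and the inline-cache path is actually taken, and every iteration is compared against the first so that a mis-specialised stub would show up as a changed result rather than go unnoticed. The function name, the operator table and the iteration count are assumptions of this example.

```javascript
// Added example (not from the bug report): spec-level expectations for
// string-int32 arithmetic that a JIT inline cache must preserve.

// Every binary arithmetic operator; the bug was the missing ** (pow) case.
const OPS = {
  add: (a, b) => a + b,   // string + number is concatenation, not addition
  sub: (a, b) => a - b,
  mul: (a, b) => a * b,
  div: (a, b) => a / b,
  mod: (a, b) => a % b,
  pow: (a, b) => a ** b,  // the operator in the reporter's testcase: "" ** 2
};

// Evaluate every operator on (str, n) `iterations` times and return the
// results. Assumption: 50 iterations is enough to cross a baseline tier's
// warm-up threshold; with --baseline-warmup-threshold=0 (as in the report)
// the IC path is taken on the first iteration already.
function stringInt32Arith(str, n, iterations = 50) {
  const results = {};
  for (let i = 0; i < iterations; i++) {
    for (const [name, op] of Object.entries(OPS)) {
      const r = op(str, n);
      // Later iterations (possibly served by an attached IC stub) must agree
      // with the first (interpreter) result. Object.is treats NaN as equal.
      if (i > 0 && !Object.is(results[name], r)) {
        throw new Error(`${name}: ${results[name]} became ${r} at iteration ${i}`);
      }
      results[name] = r;
    }
  }
  return results;
}

// The reporter's testcase, run through the same checker: "" coerces to 0,
// so "" ** 2 is 0 while "" + 2 is the string "2".
const reportCase = stringInt32Arith("", 2);
console.log(reportCase);
```

The expected values follow directly from ToNumber coercion: an empty string becomes 0, a numeric string such as `"3"` becomes 3, and a non-numeric string becomes NaN for every operator except `+`, which concatenates.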
Comment 1•5 years ago
Comment 2•5 years ago
André, just guessing this is from your changes maybe?
Flags: needinfo?(andrebargull)
Comment 3•5 years ago
Yes, it's caused by bug 1620997. The report probably doesn't need to be hidden, because we're reliably MOZ_CRASH here.
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Flags: needinfo?(andrebargull)
Updated•5 years ago
Group: javascript-core-security
Comment 4•5 years ago
Updated•5 years ago
Crash Signature: [@ js::jit::BinaryArithIRGenerator::tryAttachStringInt32Arith]
Updated•5 years ago
Priority: -- → P1
Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d21f8335baa0
Add missing JSOp::Pow case for string-int32 arithmetic in CacheIR. r=jandem
Comment 7•5 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
Updated•5 years ago
status-firefox75:
--- → unaffected
status-firefox76:
--- → unaffected
status-firefox-esr68:
--- → unaffected
Flags: in-testsuite+
Regressed by: 1620997
Updated•5 years ago
Has Regression Range: --- → yes
Updated•5 years ago
Comment 8•5 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200423095248-47426d145e24.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.