Bug 1646302 (Closed)
[warp] Crash [@ js::jit::CacheIRWriter::copyStubData] or Crash [@ void js::TenuringTracer::traverse] or Assertion failure: isObject(), at js/Value.h:745
Opened 5 years ago, closed 5 years ago
Categories: Core :: JavaScript Engine: JIT, defect, P1
Status: VERIFIED FIXED, target milestone mozilla79

Branch | Tracking | Status |
---|---|---|
firefox-esr68 | --- | unaffected |
firefox-esr78 | --- | unaffected |
firefox77 | --- | unaffected |
firefox78 | --- | unaffected |
firefox79 | --- | disabled |

People: Reporter: decoder, Assigned: jandem
References: Regression
Details: 4 keywords, Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 2 files
The following testcase crashes on mozilla-central revision 20200617-0e023da23571 (opt build, run with --fuzzing-safe --ion-offthread-compile=off --warp):
function foo() {
    function fnc() {}
    fnc.prototype = 3;   // non-object prototype: `new fnc` must fall back to Object.prototype
    new fnc;             // scripted constructor call; the IC attached here assumed an object prototype
    new new.target;      // new.target is foo, so this re-enters foo as a constructor (recursion is the fuzzer's doing)
}
new foo();
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000555555e9e3cf in js::jit::CacheIRWriter::copyStubData(unsigned char*) const ()
#0 0x0000555555e9e3cf in js::jit::CacheIRWriter::copyStubData(unsigned char*) const ()
#1 0x000055555624fe49 in js::jit::AttachBaselineCacheIRStub(JSContext*, js::jit::CacheIRWriter const&, js::jit::CacheKind, js::jit::BaselineCacheIRStubKind, JSScript*, js::jit::ICFallbackStub*, bool*) ()
#2 0x0000555555db212d in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#3 0x0000348eb727abc8 in ?? ()
[...]
#12 0x0000000000000000 in ?? ()
rax 0x6800000000000 1829587348619264
rbx 0x7fffffffb248 140737488335432
rcx 0x79af565122c9b000 8768321905989627904
rdx 0x18 24
rsi 0x7ffff60289f8 140737320749560
rdi 0x7ffff60289e0 140737320749536
rbp 0x7fffffffa2f0 140737488331504
rsp 0x7fffffffa2b0 140737488331440
r8 0x7ffff60289f8 140737320749560
r9 0x7ffff4dfd100 140737301696768
r10 0x1b 27
r11 0xb2b4de7a 2998197882
r12 0x7fffffffb288 140737488335496
r13 0x7ffff4dfd158 140737301696856
r14 0x555556633484 93825009923204
r15 0x7ffff6028928 140737320749352
rip 0x555555e9e3cf <js::jit::CacheIRWriter::copyStubData(unsigned char*) const+191>
=> 0x555555e9e3cf <_ZNK2js3jit13CacheIRWriter12copyStubDataEPh+191>: mov 0xffff0(%rax),%r15
0x555555e9e3d6 <_ZNK2js3jit13CacheIRWriter12copyStubDataEPh+198>: test %r15,%r15
Comment 1•5 years ago (Reporter)
Updated•5 years ago (Reporter)
Crash Signature: [@ js::jit::CacheIRWriter::copyStubData(unsigned char*) const] → [@ js::jit::CacheIRWriter::copyStubData]
[@ js::TenuringTracer::traverse]
Summary: [warp] Crash [@ js::jit::CacheIRWriter::copyStubData(unsigned char*) const] or Assertion failure: isObject(), at js/Value.h:745 → [warp] Crash [@ js::jit::CacheIRWriter::copyStubData] or Crash [@ void js::TenuringTracer::traverse] or Assertion failure: isObject(), at js/Value.h:745
Updated•5 years ago (Assignee)
Flags: needinfo?(jdemooij)
Updated•5 years ago
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Comment 2•5 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200617093637-3155ffead6ae.
The bug appears to have been introduced in the following build range:
> Start: 73c8aa87664eb00bd8596896fe2c7c25767ceeeb (20200616121226)
> End: 89a54069f124b175a0069affaaa1f55ff83214de (20200616121333)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=73c8aa87664eb00bd8596896fe2c7c25767ceeeb&tochange=89a54069f124b175a0069affaaa1f55ff83214de
Updated•5 years ago
status-firefox77:
--- → unaffected
status-firefox78:
--- → unaffected
status-firefox-esr68:
--- → unaffected
status-firefox-esr78:
--- → unaffected
Regressed by: 1645353
Updated•5 years ago
Has Regression Range: --- → yes
Updated•5 years ago
Severity: -- → S3
Priority: -- → P1
Comment 3•5 years ago (Assignee)
Updated•5 years ago
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Updated•5 years ago (Assignee)
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/704d04e6bc76
Only create a template object if prototype is an object in getTemplateObjectForScripted. r=evilpie
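The one-line fix description above rests on an ECMAScript rule the JIT fast path had skipped: when a constructor's `prototype` property is not an object, `new` gives the instance %Object.prototype% instead (GetPrototypeFromConstructor). The block below is an added example, not code from this bug or from the SpiderMonkey tree; it checks that rule for a spread of prototype values, through a plain `new` and through the `new new.target` re-entry the reproducer uses, so it works as an engine-independent regression check. The function names and the sample value list are illustrative choices, not engine APIs.

```javascript
// Added example, not from the bug or from SpiderMonkey. Exercises the
// ECMAScript rule behind the fix: GetPrototypeFromConstructor uses
// `ctor.prototype` only when it is an object, otherwise %Object.prototype%.
// A JIT template object has to respect the same rule, which is what the
// "only if prototype is an object" check in the fix enforces.
// Function names here are illustrative, not engine APIs.

function isObjectLike(v) {
  return (typeof v === "object" && v !== null) || typeof v === "function";
}

// Build an instance of a fresh constructor whose `prototype` is protoValue
// and report which prototype the instance actually received.
function prototypeUsedByNew(protoValue) {
  function Ctor() {}
  Ctor.prototype = protoValue;   // primitives, null and undefined are all legal here
  return Object.getPrototypeOf(new Ctor());
}

// Same check through `new new.target`, the construct in the reproducer: inside
// a function entered via `new`, new.target is that function, so `new new.target`
// re-enters it as a constructor. A depth counter stops the recursion that the
// fuzzer testcase left unbounded.
function prototypeViaNewTarget(protoValue) {
  let observed;
  function Outer(depth) {
    if (depth === 0) return;                       // innermost: plain construction
    observed = Object.getPrototypeOf(new new.target(depth - 1));
  }
  Outer.prototype = protoValue;
  new Outer(1);
  return observed;
}

// Run both paths over a list of prototype values; the expected prototype is
// protoValue itself when it is an object and %Object.prototype% otherwise.
function checkPrototypeRule(values) {
  const failures = [];
  const paths = [["new", prototypeUsedByNew], ["new new.target", prototypeViaNewTarget]];
  for (const v of values) {
    const expected = isObjectLike(v) ? v : Object.prototype;
    for (const [path, fn] of paths) {
      const actual = fn(v);
      if (actual !== expected) failures.push({ path, value: v, actual, expected });
    }
  }
  return failures;   // empty when the engine follows the spec on every input
}

// Constructed sample inputs (not from the bug): non-object values first, since
// those are the ones the buggy fast path mishandled, then ordinary objects.
const SAMPLE_PROTOTYPES = [
  3, "str", true, null, undefined, Symbol("s"), 10n,
  {}, [], function () {}, Object.create(null),
];

// Repeating the check on the same call sites gives a JIT the chance to attach
// and use its call ICs, the stage at which the original crash occurred.
function runRegressionCheck(iterations = 200) {
  let failures = [];
  for (let i = 0; i < iterations && failures.length === 0; i++) {
    failures = checkPrototypeRule(SAMPLE_PROTOTYPES);
  }
  return failures;
}
```

Calling `runRegressionCheck()` in a shell such as the SpiderMonkey `js` binary returns an empty array on a correct engine; a non-empty array names the path (`new` or `new new.target`), the offending prototype value and the prototype actually observed, which is the information needed to decide whether a JIT fast path or the interpreter is the one deviating from the spec.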
Comment 5•5 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Comment 6•5 years ago
Bugmon Analysis:
Bug appears to be fixed on mozilla-central 20200624093107-e858eb7ffeba but BugMon was unable to reproduce using mozilla-central 20200617034156-0e023da23571.
Comment 10•5 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200624162433-992822684324.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.