Closed Bug 1646302 Opened 5 years ago Closed 5 years ago

[warp] Crash [@ js::jit::CacheIRWriter::copyStubData] or Crash [@ void js::TenuringTracer::traverse] or Assertion failure: isObject(), at js/Value.h:745

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
mozilla79
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox77 --- unaffected
firefox78 --- unaffected
firefox79 --- disabled

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200617-0e023da23571 (opt build, run with --fuzzing-safe --ion-offthread-compile=off --warp):

function foo() {
  function fnc() {}
  fnc.prototype = 3;
  new fnc;
  new new.target;
}
new foo();

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555555e9e3cf in js::jit::CacheIRWriter::copyStubData(unsigned char*) const ()
#0  0x0000555555e9e3cf in js::jit::CacheIRWriter::copyStubData(unsigned char*) const ()
#1  0x000055555624fe49 in js::jit::AttachBaselineCacheIRStub(JSContext*, js::jit::CacheIRWriter const&, js::jit::CacheKind, js::jit::BaselineCacheIRStubKind, JSScript*, js::jit::ICFallbackStub*, bool*) ()
#2  0x0000555555db212d in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#3  0x0000348eb727abc8 in ?? ()
[...]
#12 0x0000000000000000 in ?? ()
rax	0x6800000000000	1829587348619264
rbx	0x7fffffffb248	140737488335432
rcx	0x79af565122c9b000	8768321905989627904
rdx	0x18	24
rsi	0x7ffff60289f8	140737320749560
rdi	0x7ffff60289e0	140737320749536
rbp	0x7fffffffa2f0	140737488331504
rsp	0x7fffffffa2b0	140737488331440
r8	0x7ffff60289f8	140737320749560
r9	0x7ffff4dfd100	140737301696768
r10	0x1b	27
r11	0xb2b4de7a	2998197882
r12	0x7fffffffb288	140737488335496
r13	0x7ffff4dfd158	140737301696856
r14	0x555556633484	93825009923204
r15	0x7ffff6028928	140737320749352
rip	0x555555e9e3cf <js::jit::CacheIRWriter::copyStubData(unsigned char*) const+191>
=> 0x555555e9e3cf <_ZNK2js3jit13CacheIRWriter12copyStubDataEPh+191>:	mov    0xffff0(%rax),%r15
   0x555555e9e3d6 <_ZNK2js3jit13CacheIRWriter12copyStubDataEPh+198>:	test   %r15,%r15
Attached file Testcase
Crash Signature: [@ js::jit::CacheIRWriter::copyStubData(unsigned char*) const] → [@ js::jit::CacheIRWriter::copyStubData] [@ js::TenuringTracer::traverse]
Summary: [warp] Crash [@ js::jit::CacheIRWriter::copyStubData(unsigned char*) const] or Assertion failure: isObject(), at js/Value.h:745 → [warp] Crash [@ js::jit::CacheIRWriter::copyStubData] or Crash [@ void js::TenuringTracer::traverse] or Assertion failure: isObject(), at js/Value.h:745
Flags: needinfo?(jdemooij)
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200617093637-3155ffead6ae. The bug appears to have been introduced in the following build range:
> Start: 73c8aa87664eb00bd8596896fe2c7c25767ceeeb (20200616121226)
> End: 89a54069f124b175a0069affaaa1f55ff83214de (20200616121333)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=73c8aa87664eb00bd8596896fe2c7c25767ceeeb&tochange=89a54069f124b175a0069affaaa1f55ff83214de
Has Regression Range: --- → yes
Severity: -- → S3
Priority: -- → P1
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/704d04e6bc76 Only create a template object if prototype is an object in getTemplateObjectForScripted. r=evilpie
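As an added example that is not part of this bug or of SpiderMonkey's own code, the JavaScript below shows the language rule the fix enforces: when a constructor's `prototype` property is not an object (as with `fnc.prototype = 3` in the testcase), `new` falls back to `Object.prototype` for the created object, so a JIT must not build a template object from the non-object value. The helpers `makeCtor`, `templatePrototype` and `nestedChain` are names assumed here for illustration; the recursion guard in `Counter` is added so that `new new.target` terminates.

```javascript
// Added example, not code from the bug or from SpiderMonkey.
// Builds a constructor whose `prototype` property is whatever value we pass in.
function makeCtor(protoValue) {
  function fnc() {}
  fnc.prototype = protoValue;
  return fnc;
}

// Per ECMAScript GetPrototypeFromConstructor, a non-object `prototype`
// makes `new C()` produce an object whose [[Prototype]] is Object.prototype.
function prototypeOfNew(protoValue) {
  const C = makeCtor(protoValue);
  return Object.getPrototypeOf(new C());
}

// The check the fix commit message describes, stated in JS terms: only an
// object (functions included) may serve as the prototype of a template object.
function isObjectLike(v) {
  return (typeof v === "object" && v !== null) || typeof v === "function";
}

// Returns the prototype a template object could use, or null meaning
// "do not create a template object for this constructor".
function templatePrototype(ctor) {
  const p = ctor.prototype;
  return isObjectLike(p) ? p : null;
}

// `new new.target` re-invokes the constructor that `new` was applied to;
// `depth` is a guard so the chain terminates (the testcase has none).
function Counter(depth) {
  this.depth = depth;
  if (depth > 0) {
    this.child = new new.target(depth - 1);
  }
}
Counter.prototype = 3; // non-object prototype, as in the testcase

// Constructs a three-level chain and reports what the engine must produce.
function nestedChain() {
  const c = new Counter(2);
  return {
    depth0: c.depth,
    depth2: c.child.child.depth,
    protoIsObjectPrototype:
      Object.getPrototypeOf(c.child.child) === Object.prototype,
    templateProto: templatePrototype(Counter),
  };
}
```

Running `nestedChain()` in any engine must yield objects whose prototype is `Object.prototype`, never the number 3; `templatePrototype(Counter)` returning null is the decision the patched `getTemplateObjectForScripted` makes for such a constructor.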
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Bugmon Analysis: Bug appears to be fixed on mozilla-central 20200624093107-e858eb7ffeba but BugMon was unable to reproduce using mozilla-central 20200617034156-0e023da23571.
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200624162433-992822684324. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.