Closed
Bug 1677371
Opened 4 years ago
Closed 4 years ago
Crash [@ js::frontend::DumpTaggedParserAtomIndex] with dumpStencil
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
85 Branch
Tracking | Status
---|---
firefox-esr78 | unaffected
firefox83 | unaffected
firefox84 | wontfix
firefox85 | verified
People
(Reporter: decoder, Assigned: arai)
References
(Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20201114-e05b71dfbc64 (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):
dumpStencil(("ok"));
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x58305ba3 in js::frontend::DumpTaggedParserAtomIndex(js::JSONPrinter&, js::frontend::TaggedParserAtomIndex, js::frontend::CompilationStencil*) ()
#0 0x58305ba3 in js::frontend::DumpTaggedParserAtomIndex(js::JSONPrinter&, js::frontend::TaggedParserAtomIndex, js::frontend::CompilationStencil*) ()
#1 0x58306e04 in js::frontend::ScriptStencil::dumpFields(js::JSONPrinter&, js::frontend::CompilationStencil*) ()
#2 0x5830751e in js::frontend::CompilationStencil::dump(js::JSONPrinter&) ()
#3 0x5830744e in js::frontend::CompilationStencil::dump() ()
#4 0x579b6abf in bool DumpStencil<mozilla::Utf8Unit>(JSContext*, JS::ReadOnlyCompileOptions const&, mozilla::Utf8Unit const*, unsigned int, js::frontend::ParseGoal) ()
#5 0x579b5c83 in FrontendTest(JSContext*, unsigned int, JS::Value*, char const*, DumpType) ()
#6 0x5799a3db in DumpStencil(JSContext*, unsigned int, JS::Value*) ()
#7 0x57afbcf9 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#19 0x57970620 in main ()
eip 0x58305ba3 <js::frontend::DumpTaggedParserAtomIndex(js::JSONPrinter&, js::frontend::TaggedParserAtomIndex, js::frontend::CompilationStencil*)+19107>
=> 0x58305ba3 <_ZN2js8frontend25DumpTaggedParserAtomIndexERNS_11JSONPrinterENS0_21TaggedParserAtomIndexEPNS0_18CompilationStencilE+19107>: movl $0x3ec,0x0
0x58305bad <_ZN2js8frontend25DumpTaggedParserAtomIndexERNS_11JSONPrinterENS0_21TaggedParserAtomIndexEPNS0_18CompilationStencilE+19117>: call 0x579f549b <abort>
Might be that this function isn't fuzzing-safe anymore? It must have been a recent change though.
Comment 1 (Reporter) • 4 years ago
Updated (Assignee) • 4 years ago
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Comment 2 (Assignee) • 4 years ago
This function should be fuzzing safe.
I just forgot a return.
Comment 3 (Assignee) • 4 years ago
Comment 4 (Assignee) • 4 years ago
This is a shell-only testing function and doesn't affect the browser.
Pushed by arai_a@mac.com: https://hg.mozilla.org/integration/autoland/rev/b1796f9dbc1e Add missing return. r=tcampbell
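Added illustration of the "missing return" pattern behind this bug; it is not SpiderMonkey's code, and `Tag`, `TaggedIndex`, `DumpBuggy`, `DumpFixed` and `RunDump` are assumed names for a simplified model. MOZ_CRASH is modelled by an exception so the fallthrough can be observed from a test rather than by aborting the process.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>

// Simplified model of a tagged index (assumed names, not SpiderMonkey's):
// the tag says which table the raw index refers to.
enum class Tag : uint8_t { Null, WellKnown, ParserAtom };
struct TaggedIndex { Tag tag; uint32_t raw; };

// Stand-in for MOZ_CRASH: a debug build stores the line number to address 0
// and aborts, which is the shape of the `movl $0x3ec,0x0; call abort` seen
// in the report. Here it throws so the behaviour is observable from a test.
[[noreturn]] static void CrashUnreachable(const char* msg) {
  throw std::logic_error(msg);
}

// Before the fix: the Null branch emits its output but forgets `return`,
// so control falls past the other cases into the unreachable-case trap.
void DumpBuggy(std::string& out, const TaggedIndex& idx) {
  if (idx.tag == Tag::Null) {
    out += "null";
    // missing `return;` here
  }
  if (idx.tag == Tag::WellKnown) { out += "wk#" + std::to_string(idx.raw); return; }
  if (idx.tag == Tag::ParserAtom) { out += "atom#" + std::to_string(idx.raw); return; }
  CrashUnreachable("unexpected TaggedIndex");
}

// After the fix: every handled case returns, so only a genuinely unknown
// tag can reach the trap.
void DumpFixed(std::string& out, const TaggedIndex& idx) {
  if (idx.tag == Tag::Null) { out += "null"; return; }
  if (idx.tag == Tag::WellKnown) { out += "wk#" + std::to_string(idx.raw); return; }
  if (idx.tag == Tag::ParserAtom) { out += "atom#" + std::to_string(idx.raw); return; }
  CrashUnreachable("unexpected TaggedIndex");
}

using DumpFn = void (*)(std::string&, const TaggedIndex&);
// Runs a dumper and reports either its output or the crash it would have hit.
std::string RunDump(DumpFn dump, const TaggedIndex& idx) {
  std::string out;
  try {
    dump(out, idx);
  } catch (const std::logic_error& e) {
    return std::string("<crash: ") + e.what() + ">";
  }
  return out;
}
```

The trap turns the logic slip into a clean abort with a line number instead of silently emitting nothing, which is why the fuzzer reported it as a crash rather than as bad output.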
Comment 6 (bugherder) • 4 years ago
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox85: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch
Updated • 4 years ago
status-firefox83: --- → unaffected
status-firefox-esr78: --- → unaffected
Flags: in-testsuite+
Regressed by: 1675241
Updated • 4 years ago
Has Regression Range: --- → yes
Comment 7 • 3 years ago
Bugmon Analysis:
Bug appears to be fixed on mozilla-central 20201117215529-9dd0b13d77b9 but BugMon was unable to reproduce using mozilla-central 20201114215126-e05b71dfbc64.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon