Closed
Bug 1685690
Opened 5 years ago
Closed 5 years ago
Assertion failure: !env->hasUncacheableProto(), at jit/CacheIR.cpp:2821
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
DUPLICATE
of bug 1685684
| Tracking | Status | |
|---|---|---|
| firefox86 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase)
evalcx("__proto__ = []; eval(\"\\\"use strict\\\"; f = function () {};\")", eval());
Assertion failure: !env->hasUncacheableProto(), at /home/skygentoo/trees/mozilla-central/js/src/jit/CacheIR.cpp:2821
Thread 1 "js-dbg-64-linux" received signal SIGSEGV, Segmentation fault.
js::jit::BindNameIRGenerator::tryAttachEnvironmentName (this=this@entry=0x7fffffff97f0, objId=objId@entry=..., id=id@entry=...)
at /home/skygentoo/trees/mozilla-central/js/src/jit/CacheIR.cpp:2821
2821 MOZ_ASSERT(!env->hasUncacheableProto());
(gdb) bt
#0 js::jit::BindNameIRGenerator::tryAttachEnvironmentName (this=this@entry=0x7fffffff97f0, objId=objId@entry=..., id=id@entry=...)
at /home/skygentoo/trees/mozilla-central/js/src/jit/CacheIR.cpp:2821
#1 0x00005555577c02fc in js::jit::BindNameIRGenerator::tryAttachStub (this=0x7fffffff97f0)
at /home/skygentoo/trees/mozilla-central/js/src/jit/CacheIR.cpp:2756
#2 0x000055555762a1bb in js::jit::TryAttachStub<js::jit::BindNameIRGenerator, JS::Handle<JSObject*>&, JS::Rooted<js::PropertyName*>&> (
name=<optimized out>, cx=0x7ffff6924000, frame=0x7fffffff9a50, stub=0x7ffff675c020, args=..., args=...)
at /home/skygentoo/trees/mozilla-central/js/src/jit/BaselineIC.cpp:665
#3 js::jit::DoBindNameFallback (cx=0x7ffff6924000, frame=0x7fffffff9a50, stub=0x7ffff675c020, envChain=..., res=...)
at /home/skygentoo/trees/mozilla-central/js/src/jit/BaselineIC.cpp:1362
#4 0x0000134616fe7f1f in ?? ()
#5 0x00007fffffff9a98 in ?? ()
#6 0x00007fffffff9a18 in ?? ()
#7 0x00007fffffff9a40 in ?? ()
#8 0xfff9800000000000 in ?? ()
#9 0x0000555558120b30 in js::jit::tailCallVMFunctions ()
#10 0x0000134616ff7b1a in ?? ()
#11 0x0000000000006821 in ?? ()
#12 0x00007fffffff9a50 in ?? ()
#13 0x00007ffff675c020 in ?? ()
#14 0x000028e59d9005d0 in ?? ()
#15 0x00002799bd89b1a0 in ?? ()
#16 0x00007ffff676930c in ?? ()
#17 0x00007ffff675b718 in ?? ()
#18 0x000028e59d9005d0 in ?? ()
#19 0x00007ffff675b6f8 in ?? ()
#20 0x00007ffff6924000 in ?? ()
#21 0x00007fffffff9ab0 in ?? ()
#22 0x0000005000000007 in ?? ()
#23 0xfffb2799bd827d00 in ?? ()
#24 0x00007fffffff9af0 in ?? ()
#25 0x0000134616fcee54 in ?? ()
#26 0x0000000000001043 in ?? ()
#27 0x00002799bd89b1a2 in ?? ()
#28 0x0000000000000000 in ?? ()
(gdb)
Run with --fuzzing-safe --no-threads --no-baseline --no-ion --blinterp-warmup-threshold=0, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev 2405ffdc136d.
Not sure if this is s-s yet.
Flags: sec-bounty?
|
Reporter | |
Comment 1•5 years ago
|
||
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/50e1543242f6
user: Jan de Mooij
date: Wed Jan 06 18:36:22 2021 +0000
summary: Bug 1682767 part 36 - Stop allocating the global object as a singleton. r=iain
Probably related to bug 1682767?
Flags: needinfo?(jdemooij)
|
||
Updated•5 years ago
|
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: sec-bounty?
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
|
||
Updated•5 years ago
|
Has Regression Range: --- → yes
Keywords: regression
|
|
Reporter | |
Updated•1 year ago
|
Blocks: gkw-js-fuzzing
|
||
Updated•1 year ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•