Closed Bug 1700525 Opened 4 years ago Closed 4 years ago

Crash in [@ JS_AssignObject]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
89 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox86 --- unaffected
firefox87 --- unaffected
firefox88 --- unaffected
firefox89 blocking fixed

People

(Reporter: jan, Assigned: jandem)

References

(Regression,
URL
)

Details

(Keywords: crash, nightly-community, regression)

Crash Data

Attachments

(1 file)

Bug 1700525 - Set object flags on the last property's shape instead of on the property's shape. r?iain!
48 bytes, text/x-phabricator-request
Details | Review

Instant tab crash:
mozregression --good 2021-03-22 --bad 20210323214359 -a https://www.indiegogo.com/projects/the-star-trek-voyager-documentary/x/26254931

3:54.77 INFO: Last good revision: 6b83fb4ef43ec7b9ec8a8a30aae66dbccc14b4bd
3:54.77 INFO: First bad revision: ecf43b0add7373185d91e04d2aeadb809ed0c2c5
3:54.77 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6b83fb4ef43ec7b9ec8a8a30aae66dbccc14b4bd&tochange=ecf43b0add7373185d91e04d2aeadb809ed0c2c5

ecf43b0add7373185d91e04d2aeadb809ed0c2c5 Jan de Mooij — Bug 1696178 part 8 - Use initSlot instead of setSlot in a few places. r=jonco
c9bb3660abd368a4f5e04b582827059436c0b1e1 Jan de Mooij — Bug 1696178 part 7 - Add a faster path for when the shape can be reused directly. r=jonco
f16ed78f5471ba66efbc48f53fb2dd51c3fdee4e Jan de Mooij — Bug 1696178 part 6 - Add a fast path for Object.assign with plain objects. r=anba
bad57461dcc4c6c52064bf985ee737d8abbc183b Jan de Mooij — Bug 1696178 part 5 - Add ObjectFlag::HasNonWritableOrAccessorExcludingProto. r=jonco
12574c8b209d51965201890abdcbd40b553e1190 Jan de Mooij — Bug 1696178 part 4 - Add NativeObject::setLastPropertyForNewDataProperty. r=jonco
aa7ea7bda43e13da23f3d2215be5d0b452a53b6e Jan de Mooij — Bug 1696178 part 3 - Remove Shape::slotSpan overload with JSClass argument. r=jonco
4ca97ae7f9ce3a02adb31104ebbc79be66454d37 Jan de Mooij — Bug 1696178 part 2 - Don't handle proxies in Shape::slotSpan. r=jonco
6b91b2e87f1874e84530ff302adea418045d9ab1 Jan de Mooij — Bug 1696178 part 1 - Simplify/optimize shape check in TryAssignNative and TryEnumerableOwnPropertiesNative. r=anba

Maybe Fission related. (DOMFissionEnabled=1)

Crash report: https://crash-stats.mozilla.org/report/index/932ba460-f624-4cbe-8630-307e80210324

Reason: SIGSEGV /SEGV_ACCERR

Top 10 frames of crashing thread:

0 libxul.so JS_AssignObject js/src/builtin/Object.cpp:1079
1 libxul.so obj_assign js/src/builtin/Object.cpp:1125
2 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:520
3 libxul.so Interpret js/src/vm/Interpreter.cpp:3244
4 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:552
5 libxul.so js::fun_call js/src/vm/JSFunction.cpp:1097
6 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:520
7 libxul.so Interpret js/src/vm/Interpreter.cpp:3244
8 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:552
9 libxul.so js::jit::InvokeFromInterpreterStub js/src/jit/VMFunctions.cpp:767
Flags: needinfo?(jdemooij)

Repros consistently by visiting https://www.chess.com/play/online. With and without Fission enabled.

Repooduces on visiting https://quad9.net

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3be60f42358a Set object flags on the last property's shape instead of on the property's shape. r=iain
Flags: needinfo?(jdemooij)

https://hg.mozilla.org/mozilla-central/rev/3be60f42358a

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox89: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: