Crash [@ js::UnwrapOneCheckedStatic]
Categories
(Core :: JavaScript Engine, defect)
Tracking
Branch | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox-esr91 | --- | unaffected
firefox92 | --- | unaffected
firefox93 | --- | wontfix
firefox94 | --- | wontfix
firefox95 | --- | verified
People
(Reporter: decoder, Assigned: sfink)
References
(Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])
Crash Data
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20210915-8a9d97b273e7 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):
encodeAsUtf8InBuffer("", "")
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555556d86add in js::UnwrapOneCheckedStatic(JSObject*) ()
#1 0x0000555556d86a98 in js::CheckedUnwrapStatic(JSObject*) ()
#2 0x00005555570db5bb in JS::TypedArray<(JS::Scalar::Type)1>::unwrap(JSObject*) ()
#3 0x00005555571ab570 in EncodeAsUtf8InBuffer(JSContext*, unsigned int, JS::Value*) ()
#4 0x0000555556c22e01 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#16 0x0000555556a7afce in main ()
rax 0x0 0
rbx 0x0 0
rcx 0x0 0
rdx 0x0 0
rsi 0x0 0
rdi 0x0 0
rbp 0x7fffffffbe50 140737488338512
rsp 0x7fffffffbe40 140737488338496
r8 0x7fffffffbe68 140737488338536
r9 0x17d5267005b0 26204240348592
r10 0x8 8
r11 0x7dffadb6b 33822530411
r12 0xffff800000000000 -140737488355328
r13 0x7ffff6019000 140737320685568
r14 0x7fffffffbf30 140737488338736
r15 0x7ffff4a5a0a8 140737297883304
rip 0x555556d86add <js::UnwrapOneCheckedStatic(JSObject*)+45>
=> 0x555556d86add <_ZN2js22UnwrapOneCheckedStaticEP8JSObject+45>: mov 0x8(%rax),%rdi
0x555556d86ae1 <_ZN2js22UnwrapOneCheckedStaticEP8JSObject+49>: callq 0x555556ff3940 <_ZN2js29CurrentThreadCanAccessRuntimeEPK9JSRuntime>
Likely an issue with the new shell function, but causing a major amount of crashes, so marking as fuzzblocker.
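The faulting instruction in the backtrace above reads 8 bytes past rax, and rax is 0, so the unwrap path was entered with a null object pointer instead of a typed array. The following is an added example, not code from the bug report or from SpiderMonkey: an argument-type smoke test of the kind that catches this class of bug in a new shell builtin before a fuzzer does. It assumes the builtin takes a string and a Uint8Array, which is consistent with the JS::TypedArray<(JS::Scalar::Type)1> (Uint8) unwrap frame in the backtrace; the sample values and the model implementation are constructed for the example, and the real builtin is used only when the script happens to run inside the SpiderMonkey shell.

```javascript
// Added example (not from the bug report or SpiderMonkey). Every parameter of a
// builtin of the shape encodeAsUtf8InBuffer(str, buf) is fed each representative
// JS value kind in turn, and the outcome of every call is recorded. A native that
// validates its arguments answers bad input with a TypeError; the one thing it
// must never do is crash the process, which is what ("", "") did here.

// Representative values of each JS kind (constructed for this example).
const SAMPLE_VALUES = {
  undefined: undefined,
  null: null,
  boolean: true,
  number: 1,
  emptyString: "",
  string: "abc",
  plainObject: {},
  array: [1, 2],
  arrayBuffer: new ArrayBuffer(8),
  int32Array: new Int32Array(2),
  uint8Array: new Uint8Array(8),
};

// Call fn with every combination of `arity` sample values; return one record
// per call naming the values used and how the call ended.
function argumentMatrix(fn, arity) {
  const names = Object.keys(SAMPLE_VALUES);
  const results = [];
  const walk = (chosen) => {
    if (chosen.length === arity) {
      let outcome;
      try {
        fn(...chosen.map((n) => SAMPLE_VALUES[n]));
        outcome = "ok";
      } catch (e) {
        outcome = e instanceof TypeError
          ? "TypeError"
          : "threw:" + (e && e.constructor ? e.constructor.name : String(e));
      }
      results.push({ args: chosen.slice(), outcome });
      return;
    }
    for (const n of names) walk([...chosen, n]);
  };
  walk([]);
  return results;
}

// Count outcomes by kind.
function summarize(results) {
  const counts = {};
  for (const r of results) counts[r.outcome] = (counts[r.outcome] || 0) + 1;
  return counts;
}

// Records worth a second look: anything that neither succeeded nor threw a
// TypeError. A hard crash never shows up here because the harness dies with it;
// a missing report is the signal in that case.
function anomalies(results) {
  return results.filter((r) => r.outcome !== "ok" && r.outcome !== "TypeError");
}

// Model of the builtin with the checks a native like this needs: a string and a
// Uint8Array, anything else rejected with a TypeError. Illustrative only; this
// is not SpiderMonkey's implementation.
function encodeAsUtf8InBufferModel(str, buf) {
  if (typeof str !== "string") throw new TypeError("first argument must be a string");
  if (!(buf instanceof Uint8Array)) throw new TypeError("second argument must be a Uint8Array");
  const { read, written } = new TextEncoder().encodeInto(str, buf);
  return [read, written];
}

// Use the real builtin when run inside the SpiderMonkey shell, the model elsewhere.
const target = typeof encodeAsUtf8InBuffer === "function"
  ? encodeAsUtf8InBuffer
  : encodeAsUtf8InBufferModel;
const log = typeof console !== "undefined" ? console.log.bind(console) : print;

const report = argumentMatrix(target, 2);
log(summarize(report), anomalies(report));
```

Against the model, 2 of the 121 calls succeed (a string plus a Uint8Array) and the other 119 throw a TypeError; run inside an unpatched shell, the harness would instead die at the ("", "") combination, which is the whole point of running it before the fuzzer does.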
Comment 1•4 years ago (Reporter)
Comment 2•4 years ago (Reporter)
Comment 3•4 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210916125444-fd6f4fa5ed18.
The bug appears to have been introduced in the following build range:
Start: 3005e92c10a384ac7a1a59daf6885bd167e44045 (20210908234928)
End: 31caca93507efbaae11e89b7c2e52b6020a8bf52 (20210908235319)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3005e92c10a384ac7a1a59daf6885bd167e44045&tochange=31caca93507efbaae11e89b7c2e52b6020a8bf52
Comment 4•4 years ago
Steve, could you take a look at this bug? It seems it might have been caused by your push identified in the push log in comment 3.
Comment 5•3 years ago (Assignee)
Comment 6•3 years ago
:sfink, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Comment 8•3 years ago (bugherder)
Comment 9•3 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211022030827-438a6427019c.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.