Closed Bug 1755873 Opened 3 years ago Closed 3 years ago

Assertion failure: maybeGcOptions == Nothing(), at gc/GC.cpp:3962

Categories: Core :: JavaScript: GC, defect
Platform: x86_64 Linux
Status: RESOLVED DUPLICATE of bug 1755693
Tracking Status: firefox99 --- affected
People: Reporter: decoder; Unassigned
Keywords: assertion, regression, testcase
Whiteboard: [bugmon:update,bisect][fuzzblocker]
Attachments: 2 files

The following testcase crashes on mozilla-central revision 20220217-430986e11fd2 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager --ion-warmup-threshold=0):

function a() {
    "use asm";
    var b;          // an uninitialised var is not valid asm.js, so validation fails and this compiles as ordinary JS
    function c() {
        b;
    }
}
new ArrayBuffer(207222809);  // ~198 MiB allocation, enough to put pressure on the GC
a();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555574d36eb in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) ()
#1  0x0000555556feb29c in JSRuntime::destroyRuntime() ()
#2  0x0000555556e64f76 in js::DestroyContext(JSContext*) ()
#3  0x0000555556ad492f in main ()
rax	0x5555558b8faf	93824995790767
rbx	0x7ffff60187a8	140737320683432
rcx	0x5555581a7898	93825038710936
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffdca0	140737488346272
rsp	0x7fffffffdc40	140737488346176
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7ffff6018000	140737320681472
r13	0x7ffff602a200	140737320755712
r14	0x2	2
r15	0x2	2
rip	0x5555574d36eb <js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason)+283>
=> 0x5555574d36eb <_ZN2js2gc9GCRuntime2gcEN2JS9GCOptionsENS2_8GCReasonE+283>:	movl   $0xf7a,0x0
   0x5555574d36f6 <_ZN2js2gc9GCRuntime2gcEN2JS9GCOptionsENS2_8GCReasonE+294>:	callq  0x555556b6b1f7 <abort>

This is a highly frequent fuzzblocker; further JS fuzzing is likely entirely blocked by this, given the frequency. It triggers through all sorts of tests, including enableTrackAllocations and other shell functions in addition to this test.

Attached file Testcase
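When bucketing reports like this one, the useful fact in the backtrace is the faulting instruction: `movl $0xf7a,0x0` stores 0xf7a = 3962 to address 0, which is the source line from the assertion summary (MOZ_CRASH deliberately writes `__LINE__` to NULL before calling abort, which is why a debug assertion surfaces as SIGSEGV followed by a call to `abort`). The helper below is an added example, not part of the report or of Mozilla's triage tooling: it parses a gdb excerpt in the format shown above, recovers that line number, checks it against the "Assertion failure ... at file:line" summary, and derives a frame-based bucket key. The sample input is copied from this report; the regexes assume gdb's default frame and disassembly layout on x86_64 and are an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# gdb frame line, e.g. "#0  0x00005555574d36eb in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) ()"
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+\(\)\s*$")
SIGNAL_RE = re.compile(r"received signal (\w+)")
# The faulting instruction gdb marks with "=>": an immediate stored to address 0.
# MOZ_CRASH does `*(volatile int*)NULL = __LINE__`, so the immediate is the source line.
CRASH_STORE_RE = re.compile(
    r"^=>\s+0x[0-9a-fA-F]+\s+<([^>]+)>:\s+movl\s+\$0x([0-9a-fA-F]+),0x0\s*$"
)
ASSERT_RE = re.compile(r"Assertion failure: (?P<cond>.+?), at (?P<file>\S+):(?P<line>\d+)")

# Constructed sample: summary line and gdb excerpt copied from the report above.
SAMPLE_SUMMARY = "Assertion failure: maybeGcOptions == Nothing(), at gc/GC.cpp:3962"
SAMPLE_GDB = """\
received signal SIGSEGV, Segmentation fault.
#0  0x00005555574d36eb in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) ()
#1  0x0000555556feb29c in JSRuntime::destroyRuntime() ()
#2  0x0000555556e64f76 in js::DestroyContext(JSContext*) ()
#3  0x0000555556ad492f in main ()
rax            0x5555558b8faf      93824995790767
rip            0x5555574d36eb      <js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason)+283>
=> 0x5555574d36eb <_ZN2js2gc9GCRuntime2gcEN2JS9GCOptionsENS2_8GCReasonE+283>:   movl   $0xf7a,0x0
   0x5555574d36f6 <_ZN2js2gc9GCRuntime2gcEN2JS9GCOptionsENS2_8GCReasonE+294>:   callq  0x555556b6b1f7 <abort>
"""


@dataclass
class CrashInfo:
    signal: Optional[str] = None
    frames: List[str] = field(default_factory=list)  # demangled names, innermost first
    crash_symbol: Optional[str] = None               # symbol+offset of the faulting instruction
    mozcrash_line: Optional[int] = None              # line recovered from `movl $line,0x0`, if any


def parse_gdb(text: str) -> CrashInfo:
    """Extract signal, frames and the MOZ_CRASH line number from a gdb excerpt."""
    info = CrashInfo()
    for raw in text.splitlines():
        line = raw.strip()
        if m := SIGNAL_RE.search(line):
            info.signal = m.group(1)
        elif m := FRAME_RE.match(line):
            info.frames.append(m.group(2))
        elif m := CRASH_STORE_RE.match(line):
            info.crash_symbol = m.group(1)
            info.mozcrash_line = int(m.group(2), 16)
    return info


def parse_assertion(summary: str) -> Optional[Tuple[str, str, int]]:
    """Return (condition, file, line) from an 'Assertion failure: ...' summary."""
    m = ASSERT_RE.search(summary)
    if not m:
        return None
    return m.group("cond"), m.group("file"), int(m.group("line"))


def bucket_key(info: CrashInfo, depth: int = 3) -> str:
    """Bucket on the top frames with parameter lists stripped, so overload noise
    does not split otherwise identical crashes."""
    names = [f.split("(", 1)[0] for f in info.frames[:depth]]
    return " <- ".join(names)


def triage(summary: str, gdb_text: str) -> Dict[str, object]:
    info = parse_gdb(gdb_text)
    assertion = parse_assertion(summary)
    assertion_line = assertion[2] if assertion else None
    return {
        "signal": info.signal,
        "bucket": bucket_key(info),
        "assertion": assertion[0] if assertion else None,
        "assertion_line": assertion_line,
        "mozcrash_line": info.mozcrash_line,
        # A store-to-NULL at the crash site means a deliberate MOZ_CRASH, not a wild write.
        "deliberate_abort": info.mozcrash_line is not None,
        "line_matches": assertion_line is not None and info.mozcrash_line == assertion_line,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_SUMMARY, SAMPLE_GDB).items():
        print(f"{k}: {v}")
```

A crash whose faulting instruction is not the `movl $imm,0x0` pattern (for example a real read through a bad pointer) gets `deliberate_abort` False and `mozcrash_line` None, which is the case that deserves a closer look rather than a bucket with an existing assertion.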
Flags: needinfo?(jcoppeard)
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon