Closed Bug 1761607 Opened 3 years ago Closed 3 years ago

Crash [@ js::jit::SnapshotIterator::allocationValue] or Assertion failure: IsInvokeOp(op_), at jit/BaselineBailouts.cpp:771

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

RESOLVED DUPLICATE of bug 1761492
Tracking Status
firefox100 --- affected

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [bugmon:update,bisect])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20220325-b94d53ba65d2 (opt build, run with --fuzzing-safe --no-threads --fast-warmup):

a0=[];
Object.defineProperty(a0,5,{
  get:(function() {
    try {
      Array.prototype.sort.call(a0,function() {});
    } catch(e) {}
  })
})
Array.prototype.reverse.call(a0);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555555fce806 in js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod) ()
#1  0x000055555602427a in BaselineStackBuilder::buildOneFrame() ()
#2  0x00005555560213a3 in js::jit::BailoutIonToBaseline(JSContext*, js::jit::JitActivation*, js::jit::JSJitFrameIter const&, js::jit::BaselineBailoutInfo**, js::jit::ExceptionBailoutInfo const*) ()
#3  0x0000555555b5ea75 in js::jit::ExceptionHandlerBailout(JSContext*, js::jit::InlineFrameIterator const&, js::jit::ResumeFromException*, js::jit::ExceptionBailoutInfo const&) ()
#4  0x00005555562d7717 in js::jit::HandleException(js::jit::ResumeFromException*) ()
#5  0x000020e5ecf8eebb in ?? ()
[...]
#24 0x0000000000000000 in ?? ()
rax	0x101	257
rbx	0x7fffffefd730	140737487296304
rcx	0x7fffffefd898	140737487296664
rdx	0x1	1
rsi	0x7fffffefd4f8	140737487295736
rdi	0x7fffffefd730	140737487296304
rbp	0x7fffffefd4a0	140737487295648
rsp	0x7fffffefd4a0	140737487295648
r8	0x55555652a614	93825008838164
r9	0x0	0
r10	0x1	1
r11	0x7ffff5e9d465	140737319130213
r12	0x7	7
r13	0x5555565815a0	93825009194400
r14	0xfffffff1	4294967281
r15	0x7fffffefd608	140737487296008
rip	0x555555fce806 <js::jit::SnapshotIterator::allocationValue(js::jit::RValueAllocation const&, js::jit::SnapshotIterator::ReadMethod)+118>
=> 0x555555fce806 <_ZN2js3jit16SnapshotIterator15allocationValueERKNS0_16RValueAllocationENS1_10ReadMethodE+118>:	mov    (%rax),%rax
   0x555555fce809 <_ZN2js3jit16SnapshotIterator15allocationValueERKNS0_16RValueAllocationENS1_10ReadMethodE+121>:	jmp    0x555555fce7cd <_ZN2js3jit16SnapshotIterator15allocationValueERKNS0_16RValueAllocationENS1_10ReadMethodE+61>

Marking s-s until triaged due to JIT assert/crash.

Attached file Testcase

Stack is closely related to bug 1761492 but assert and crash are different, so filing this one separately to be sure.

Confirmed fixed by bug 1761492.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Group: javascript-core-security
