Closed Bug 1827373 Opened 2 years ago Closed 2 years ago

Assertion failure: nbytes > 0, at /js/src/gc/Nursery.cpp:1643

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1827072
Tracking Status
firefox113 --- affected

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect][fuzzblocker])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20230411-948cf466f3f2 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

newString("", { capacity: 80 });

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055555764276e in js::Nursery::registerMallocedBuffer(void*, unsigned long) ()
#1  0x00005555570f6285 in JSLinearString* JSLinearString::newValidLength<(js::AllowGC)1, unsigned char>(JSContext*, mozilla::UniquePtr<unsigned char [], JS::FreePolicy>, unsigned long, js::gc::InitialHeap) ()
#2  0x00005555571f5ee3 in NewString(JSContext*, unsigned int, JS::Value*) ()
#3  0x0000555556d25e57 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#15 0x0000555556b8f557 in main ()
rax	0x5555557ad27f	93824994693759
rbx	0x0	0
rcx	0x555558303178	93825040134520
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffceb0	140737488342704
rsp	0x7fffffffce80	140737488342656
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x0	0
r13	0x7ffff3e26158	140737285087576
r14	0x7fffffffcf38	140737488342840
r15	0x7ffff3e30100	140737285128448
rip	0x55555764276e <js::Nursery::registerMallocedBuffer(void*, unsigned long)+238>
=> 0x55555764276e <_ZN2js7Nursery22registerMallocedBufferEPvm+238>:	movl   $0x66b,0x0
   0x555557642779 <_ZN2js7Nursery22registerMallocedBufferEPvm+249>:	callq  0x555556c25fac <abort>

Likely a shell-only issue but easy to trigger in fuzzing.

Attached file Testcase
See Also: → 1827072
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1827072
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon