Closed Bug 1842847 Opened 2 years ago Closed 2 years ago

Crash [@ ??] with GC and JIT

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1842617
Tracking Status
firefox117 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 20230710-aaa3698312c5 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --baseline-eager --ion-warmup-threshold=5):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00003d6072caa873 in ?? ()
[...]
#30 0x0000000000000000 in ?? ()
rax	0x30	48
rbx	0xfffe2d89e5000470	-512879677668240
rcx	0x2d89e5000440	50070275753024
rdx	0x55555590bca0	93824996129952
rsi	0x7ffff3e18410	140737285030928
rdi	0x7ffff3e85990	140737285478800
rbp	0x7fffffffc7f0	140737488340976
rsp	0x7fffffffc780	140737488340864
r8	0x0	0
r9	0x1f	31
r10	0x7ffff39a6180	140737280369024
r11	0x7ffff39dc010	140737280589840
r12	0x0	0
r13	0x7fffffffd0d8	140737488343256
r14	0x7ffff3982afc	140737280223996
r15	0x0	0
rip	0x3d6072caa873	67484452038771
=> 0x3d6072caa873:	mov    %rbx,(%rdx,%rax,1)
   0x3d6072caa877:	mov    %rbx,%r11

I was not able to reduce this test further and couldn't decouple it from the fuzzer parts. Do not land this test and keep it secret once this bug is opened.

Marking s-s since this is likely another sec-high.

Attached file Testcase

Unable to reproduce bug 1842847 using build mozilla-central 20230710094014-aaa3698312c5. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

This is a duplicate of bug 1842617. My patch for that bug also fixes this test. Quickly checking in rr, it looks like we incorrectly skip the shape guard and then try to store a value in the static emptyObjectSlots object, which is mapped read-only.

Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1842617
Resolution: --- → DUPLICATE
Group: javascript-core-security