Closed Bug 1843280 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(unexpected type) at jit/CacheIR.cpp:2375

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect

Tracking


RESOLVED DUPLICATE of bug 1842617
Tracking Status
firefox117 --- affected

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [bugmon:update,bisect])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20230711-c3ebb7d6ba52 (debug build, run with --fuzzing-safe --no-threads --baseline-eager):

var realEval = eval;
function tryItOut(code) {
  try {
    eval(code);
  } catch (exc) {}
  delete this.eval;
  this.eval = realEval;
}
tryItOut(`
  Object.defineProperty(this,'g0',{ get:function() { g2.e } })
  g2 = this;
  eval('',g0)
`);
g = g0;
tryItOut("g0.g[v]");
tryItOut("g0.g");
tryItOut("g0.g[1]");
tryItOut("g0");
tryItOut("g0");
tryItOut("gc();");
g0;
Object.defineProperty(this, 'g2',{ get:function() {} });
gc();
tryItOut("");
g0.p;

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555557b42f25 in js::jit::GetPropIRGenerator::tryAttachPrimitive(js::jit::ValOperandId, JS::Handle<JS::PropertyKey>) ()
#1  0x0000555557b3b045 in js::jit::GetPropIRGenerator::tryAttachStub() ()
#2  0x0000555557925814 in void js::jit::TryAttachStub<js::jit::GetPropIRGenerator, js::jit::CacheKind, JS::MutableHandle<JS::Value>&, JS::Rooted<JS::Value>&>(char const*, JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, js::jit::CacheKind&&, JS::MutableHandle<JS::Value>&, JS::Rooted<JS::Value>&) ()
#3  0x00005555579250e7 in js::jit::DoGetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#4  0x000039516f98c8c3 in ?? ()
[...]
#17 0x0000000000000000 in ?? ()
rax	0x55555579a505	93824994616581
rbx	0x7fffffffc328	140737488339752
rcx	0x5555585a9ba8	93825042914216
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffc250	140737488339536
rsp	0x7fffffffc1e0	140737488339424
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f9a840	140737353721920
r10	0x2	2
r11	0x0	0
r12	0x0	0
r13	0x7fffffffc288	140737488339592
r14	0x7fffffffc288	140737488339592
r15	0x0	0
rip	0x555557b42f25 <js::jit::GetPropIRGenerator::tryAttachPrimitive(js::jit::ValOperandId, JS::Handle<JS::PropertyKey>)+2373>
=> 0x555557b42f25 <_ZN2js3jit18GetPropIRGenerator18tryAttachPrimitiveENS0_12ValOperandIdEN2JS6HandleINS3_11PropertyKeyEEE+2373>:	movl   $0x947,0x0
   0x555557b42f30 <_ZN2js3jit18GetPropIRGenerator18tryAttachPrimitiveENS0_12ValOperandIdEN2JS6HandleINS3_11PropertyKeyEEE+2384>:	callq  0x555556ca7667 <abort>

Marking s-s until triaged, since this is a JIT related crash.
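Added example, not part of this bug report or of the Mozilla tree: a small Python triage helper for gdb output like the backtrace above. It recovers the two things a triager wants before filing or deduplicating a crash: the MOZ_CRASH source line, which on Linux MOZ_CRASH stores to address 0 before calling abort (the `movl $0x947,0x0` at the `=>` line; 0x947 is 2375, matching jit/CacheIR.cpp:2375 in the summary), and a symbol-only stack signature that skips unsymbolized JIT frames such as `#4 ... in ?? ()`. The gdb text embedded in it is constructed by copying the frames above and trimming the register dump; the function names and regexes are the example's own.

```python
"""Crash-triage helper for gdb output of SpiderMonkey MOZ_CRASH hits.

Added example, not part of the bug report or the Mozilla tree. It recovers
the MOZ_CRASH source line (0x947 == 2375, matching jit/CacheIR.cpp:2375)
and a symbol-only stack signature that can be compared across reports when
looking for duplicates such as the one this bug was closed as.
"""
import re

# Constructed sample: the crash-site lines from the bug's gdb output, trimmed.
SAMPLE_GDB_OUTPUT = """\
received signal SIGSEGV, Segmentation fault.
#0  0x0000555557b42f25 in js::jit::GetPropIRGenerator::tryAttachPrimitive(js::jit::ValOperandId, JS::Handle<JS::PropertyKey>) ()
#1  0x0000555557b3b045 in js::jit::GetPropIRGenerator::tryAttachStub() ()
#2  0x0000555557925814 in void js::jit::TryAttachStub<js::jit::GetPropIRGenerator, js::jit::CacheKind, JS::MutableHandle<JS::Value>&, JS::Rooted<JS::Value>&>(char const*, JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, js::jit::CacheKind&&, JS::MutableHandle<JS::Value>&, JS::Rooted<JS::Value>&) ()
#3  0x00005555579250e7 in js::jit::DoGetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#4  0x000039516f98c8c3 in ?? ()
=> 0x555557b42f25 <_ZN2js3jit18GetPropIRGenerator18tryAttachPrimitiveENS0_12ValOperandIdEN2JS6HandleINS3_11PropertyKeyEEE+2373>:\tmovl   $0x947,0x0
   0x555557b42f30 <_ZN2js3jit18GetPropIRGenerator18tryAttachPrimitiveENS0_12ValOperandIdEN2JS6HandleINS3_11PropertyKeyEEE+2384>:\tcallq  0x555556ca7667 <abort>
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+ in (.*) \(\)\s*$")
MOZ_CRASH_STORE_RE = re.compile(r"movl\s+\$0x([0-9a-fA-F]+),0x0\s*$")


def _strip_brackets(text, open_ch="<", close_ch=">"):
    """Remove balanced <...> template argument lists (nesting-aware).

    Caveat: an 'operator<' in a symbol would confuse this; none appear here.
    """
    out, depth = [], 0
    for ch in text:
        if ch == open_ch:
            depth += 1
        elif ch == close_ch and depth > 0:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def function_name(signature):
    """Reduce a gdb frame signature to its qualified function name.

    'void js::jit::TryAttachStub<A, B>(char const*, ...)' -> 'js::jit::TryAttachStub'
    '??' stays '??' (unsymbolized frame, e.g. JIT-generated code).
    """
    no_templates = _strip_brackets(signature)
    before_params = no_templates.split("(", 1)[0]
    tokens = before_params.split()      # drop any leading return type
    return tokens[-1] if tokens else "??"


def parse_frames(gdb_text):
    """Return [(frame_index, function_name)] for each '#N 0x... in ... ()' line."""
    frames = []
    for line in gdb_text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), function_name(m.group(2))))
    return frames


def moz_crash_line(gdb_text):
    """Recover the MOZ_CRASH source line from the faulting instruction.

    On Linux MOZ_CRASH stores the source line number to address 0 and then
    calls abort(); gdb shows that as 'movl $0x<line>,0x0' at the '=>' line
    followed by 'callq ... <abort>'. Returns the line as an int, or None if
    the crash site does not look like a MOZ_CRASH.
    """
    lines = gdb_text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("=>"):
            continue
        m = MOZ_CRASH_STORE_RE.search(line)
        if m and i + 1 < len(lines) and "<abort>" in lines[i + 1]:
            return int(m.group(1), 16)
        return None
    return None


def crash_signature(gdb_text, depth=3):
    """Symbolized-frames-only signature for comparing reports.

    '??' frames (JIT code, as in frame #4 above) are skipped so the
    signature does not depend on where the JIT happened to place code.
    """
    names = [name for _, name in parse_frames(gdb_text) if name != "??"]
    return " | ".join(names[:depth])


if __name__ == "__main__":
    print("MOZ_CRASH line:", moz_crash_line(SAMPLE_GDB_OUTPUT))
    print("signature:", crash_signature(SAMPLE_GDB_OUTPUT))
```

Two reports whose `crash_signature` and `moz_crash_line` agree are strong duplicate candidates, which is the check that lets a triager point a new fuzzer hit at an existing bug; a differing line number with the same top frame usually means a different assertion in the same function and deserves its own look.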

Attached file Testcase

This is another duplicate of bug 1842617. It's fixed in the latest mozilla-central.

Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1842617
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Group: javascript-core-security
