Closed
Bug 1864412
Opened 2 years ago
Closed 2 years ago
Hit MOZ_CRASH(Invalid object. Dead wrapper?) at js/src/vm/JSObject.h:649 with evalStencil
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 1864246
| | Tracking | Status |
|---|---|---|
| firefox121 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [bugmon:update,bisect][fuzzblocker])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20231111-03298dc094d1 (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):
evalStencil([])
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x5843b890 in js::StencilObject* JSObject::maybeUnwrapAs<js::StencilObject>() ()
#1 0x5842fc16 in EvalStencil(JSContext*, unsigned int, JS::Value*) ()
#2 0x57ec97b4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#15 0x57cff157 in main ()
eax 0x56847499 1451521177
ebx 0x5980c9e8 1501612520
ecx 0x5980e614 1501619732
edx 0xf7b6acc7 -139023161
esi 0xf2a40070 -224133008
edi 0x597c3a50 1501313616
ebp 0xff85cc48 4286958664
esp 0xff85cc30 4286958640
eip 0x5843b890 <js::StencilObject* JSObject::maybeUnwrapAs<js::StencilObject>()+256>
=> 0x5843b890 <_ZN8JSObject13maybeUnwrapAsIN2js13StencilObjectEEEPT_v+256>: movl $0x289,0x0
0x5843b89a <_ZN8JSObject13maybeUnwrapAsIN2js13StencilObjectEEEPT_v+266>: call 0x57d970b0 <abort>
Likely shell-only but happening so frequently that it blocks all JS fuzzing.
Comment 4•2 years ago
No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon