Closed Bug 1877835 Opened 1 year ago Closed 1 year ago

AddressSanitizer: SEGV on unknown address 0x000000000000 [@ js::jit::CacheRegisterAllocator::useRegister]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking


RESOLVED DUPLICATE of bug 1877684
Tracking Status
firefox124 --- fixed

People

(Reporter: gkw, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase)

Attachments

(1 file)

Attached file debug shell stack

setJitCompilerOption("ion.forceinlineCaches", 1);
(function () {
  (new Int8Array())[0] = false;
})();

==16831==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561242460694 bp 0x7ffcd603db10 sp 0x7ffcd603d9c0 T0)
==16831==The signal is caused by a WRITE memory access.
==16831==Hint: address points to the zero page.
    #0 0x561242460694 in js::jit::CacheRegisterAllocator::useRegister(js::jit::MacroAssembler&, js::jit::TypedOperandId) /home/gen32gx500/trees/mozilla-central/js/src/jit/CacheIRCompiler.cpp:360:9
    #1 0x561242472e18 in js::jit::CacheIRCompiler::emitGuardBooleanToInt32(js::jit::ValOperandId, js::jit::Int32OperandId) /home/gen32gx500/trees/mozilla-central/js/src/jit/CacheIRCompiler.cpp:1780:19
    #2 0x561242a0eee2 in js::jit::CacheIRCompiler::emitGuardBooleanToInt32(js::jit::CacheIRReader&) /home/gen32gx500/trees/mozilla-central/js/src/jit/CacheIRCompiler.h:869:3
    #3 0x561242a0eee2 in js::jit::IonCacheIRCompiler::compile(js::jit::IonICStub*) /home/gen32gx500/trees/mozilla-central/js/src/jit/IonCacheIRCompiler.cpp:600:7
    #4 0x561242a357e5 in js::jit::IonIC::attachCacheIRStub(JSContext*, js::jit::CacheIRWriter const&, js::jit::CacheKind, js::jit::IonScript*, bool*) /home/gen32gx500/trees/mozilla-central/js/src/jit/IonCacheIRCompiler.cpp:1983:28
    #5 0x561242a42f24 in js::jit::IonSetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonSetPropertyIC*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /home/gen32gx500/trees/mozilla-central/js/src/jit/IonIC.cpp:253:13
    #6 0x7f73a141332a  (<unknown module>)
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/337ba87df12d
user:        André Bargull
date:        Sat Jan 27 09:51:34 2024 +0000
summary:     Bug 1876227: Support non-number inputs when assigning to TypedArray elements. r=jandem

Run with --fuzzing-safe --no-threads --ion-eager, compile with AR=ar sh ../configure --enable-address-sanitizer --enable-fuzzing --disable-jemalloc --disable-stdcxx-compat --without-sysroot --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev ad50a175a7c5.

:anba, is bug 1876227 a likely regressor? Setting s-s to be safe.

Flags: sec-bounty?
Flags: needinfo?(andrebargull)
Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1877684
Flags: needinfo?(andrebargull)
Resolution: --- → DUPLICATE
Group: core-security
Flags: sec-bounty?
