Bug 1891598 Comment 0 Edit History

```
// Parse, link and start evaluating a module that suspends at a top-level await.
var x = registerModule("1", parseModule("await 1"));
moduleLink(x);
moduleEvaluate(x);
// From a second compartment, attach a Debugger to this global. The hook sets
// `return` on the hook global's prototype and returns a plain function, which
// inherits that property, so Debugger treats the return value as a
// {return: 0} resumption value and forces every entered frame to return early.
var y = newGlobal({ newCompartment: true });
y.parent = this;
y.eval(
  "Debugger(parent).onEnterFrame = function () { \
    __proto__.return = 0; \
    return function () {}; \
  }; "
);
```

```
(gdb) bt
#0  js::InterpreterFrame::callee (this=<optimized out>) at /home/genxps15/trees/mozilla-central/js/src/vm/Stack.h:588
#1  0x0000555557293626 in js::Interpret (cx=0x7ffff6739100, state=...) at /home/genxps15/trees/mozilla-central/js/src/vm/Interpreter.cpp:4144
#2  0x0000555557279129 in MaybeEnterInterpreterTrampoline (cx=0x7ffff7bd3700 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6739100, state=...)
    at /home/genxps15/trees/mozilla-central/js/src/vm/Interpreter.cpp:393
#3  0x0000555557278ddf in js::RunScript (cx=cx@entry=0x7ffff6739100, state=...) at /home/genxps15/trees/mozilla-central/js/src/vm/Interpreter.cpp:451
#4  0x0000555557279770 in js::InternalCallOrConstruct (cx=0x7ffff6739100, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at /home/genxps15/trees/mozilla-central/js/src/vm/Interpreter.cpp:605
#5  0x000055555727a5cd in InternalCall (cx=0x7ffff7bd3700 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6739100, args=..., reason=1489488160,
    reason@entry=js::CallReason::Call) at /home/genxps15/trees/mozilla-central/js/src/vm/Interpreter.cpp:640
/snip
```

```
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/10f63f093070
user:        Jon Coppeard
date:        Tue Jul 05 13:04:55 2022 +0000
summary:     Bug 1778076 - Part 5: Replace ModuleObject methods with shell functions r=arai
```

Run with `--fuzzing-safe --no-threads --no-baseline --no-ion`, compile with `AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests`, tested on m-c rev fcfbb607fde2.

Setting s-s as a start, especially since the previous bug 1681256, which also involved Debugger with a virtually similar assertion failure, was marked sec-moderate.

Jon, is bug 1778076 a likely regressor?
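What the hook's odd return value does is the crux of the testcase. The following is an added example, not code from the bug report or from SpiderMonkey: a small model in plain JavaScript of how a Debugger hook's return value is classified as a resumption value (null/undefined continues, `{return: v}` forces the frame to return `v`, `{throw: e}` forces it to throw `e`, anything else is an error), using ordinary property access so inherited properties count. `parseResumptionValue` and the other function names are hypothetical; the example assumes, as the testcase appears to, that the function returned by the hook inherits from the prototype on which `return` was set (in the shell the global's prototype chain ends in Object.prototype). It runs under Node and deliberately avoids mutating Object.prototype.

```javascript
// Added example (not from the bug report or SpiderMonkey): a model of how a
// Debugger hook's return value is classified as a "resumption value".
// Convention modelled: null/undefined = continue, {return: v} = force return,
// {throw: e} = force throw, anything else = error. Property lookup is ordinary
// JavaScript lookup, so a `return` inherited via the prototype chain counts.
// Function names are assumptions made for this example.
function parseResumptionValue(rv) {
  if (rv === null || rv === undefined) {
    return { kind: "continue" };
  }
  if (typeof rv !== "object" && typeof rv !== "function") {
    throw new TypeError("resumption value must be an object, null or undefined");
  }
  // `in` and property reads walk the prototype chain.
  const hasReturn = "return" in rv;
  const hasThrow = "throw" in rv;
  if (hasReturn && hasThrow) {
    throw new TypeError("resumption value has both 'return' and 'throw'");
  }
  if (hasReturn) return { kind: "return", value: rv.return };
  if (hasThrow) return { kind: "throw", value: rv.throw };
  throw new TypeError("resumption value has neither 'return' nor 'throw'");
}

// Reproduce the testcase's trick without touching Object.prototype: the
// function the hook returns gets a prototype that carries `return`.
function forcedReturnViaPrototype() {
  const proto = Object.create(Function.prototype);
  proto.return = 0;                  // stands in for `__proto__.return = 0`
  const hookResult = function () {}; // stands in for `return function () {}`
  Object.setPrototypeOf(hookResult, proto);
  return parseResumptionValue(hookResult);
}

// The same function without the prototype trick is not a valid resumption
// value at all; returns the error message instead of throwing.
function plainFunctionIsRejected() {
  try {
    parseResumptionValue(function () {});
    return null;
  } catch (e) {
    return e.message;
  }
}

function plainContinue() {
  return parseResumptionValue(undefined);
}

function forcedThrow() {
  return parseResumptionValue({ throw: "boom" });
}

console.log(forcedReturnViaPrototype()); // { kind: 'return', value: 0 }
```

The point to take away when reading the testcase is that nothing in the hook body mentions a frame or an explicit `{return: 0}` object; the forced return is assembled entirely from an inherited property, which is why the shape of the returned object looks unrelated to its effect.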