Closed Bug 1124616 Opened 10 years ago Closed 10 years ago

Crash [@ js::DirectProxyHandler::objectClassIs]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1100936
Tracking Status
firefox38 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,ignore])

Crash Data

The following testcase crashes on mozilla-central revision 540077a30866 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --thread-count=2):

var r = Proxy.revocable({}, {});
r.revoke("debugger = true;");
serialize(r) instanceof Object;

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::DirectProxyHandler::objectClassIs (this=<optimized out>, proxy=..., classValue=js::ESClass_RegExp, cx=0x16e0d60) at js/src/proxy/DirectProxyHandler.cpp:156
156         return ObjectClassIs(target, classValue, cx);
#0  js::DirectProxyHandler::objectClassIs (this=<optimized out>, proxy=..., classValue=js::ESClass_RegExp, cx=0x16e0d60) at js/src/proxy/DirectProxyHandler.cpp:156
#1  0x00000000008f9ca8 in JSStructuredCloneWriter::startWrite (this=0x7fffffffd0b0, v=...) at js/src/vm/StructuredClone.cpp:1036
#2  0x00000000008fa95c in JSStructuredCloneWriter::write (this=0x7fffffffd0b0, v=...) at js/src/vm/StructuredClone.cpp:1249
#3  0x00000000008fad41 in WriteStructuredClone (cx=<optimized out>, v=$jsval((JSObject *) 0x7ffff5700060 [object Object]), bufp=0x7fffffffd370, nbytesp=0x7fffffffd378, cb=0x0, cbClosure=0x0, transferable=JSVAL_VOID) at js/src/vm/StructuredClone.cpp:368
#4  0x00000000008fae83 in JSAutoStructuredCloneBuffer::write (this=0x7fffffffd370, cx=0x16e0d60, value=$jsval((JSObject *) 0x7ffff5700060 [object Object]), transferable=JSVAL_VOID, optionalCallbacks=<optimized out>, closure=<optimized out>) at js/src/vm/StructuredClone.cpp:2075
#5  0x00000000004b0916 in Serialize (cx=0x16e0d60, argc=<optimized out>, vp=0x1756cb0) at js/src/builtin/TestingFunctions.cpp:1618
#6  0x00000000008a1862 in CallJSNative (args=..., native=0x4b08a0 <Serialize(JSContext*, unsigned int, jsval*)>, cx=0x16e0d60) at js/src/jscntxtinlines.h:226
#7  js::Invoke (cx=0x16e0d60, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:498
#8  0x000000000089bfa1 in Interpret (cx=0x16e0d60, state=...) at js/src/vm/Interpreter.cpp:2561
#9  0x00000000008a12b8 in js::RunScript (cx=0x16e0d60, state=...) at js/src/vm/Interpreter.cpp:448
#10 0x00000000008aa169 in ExecuteKernel (result=0x0, evalInFrame=..., thisv=<synthetic pointer>, scopeChainArg=(JSObject &) @0x7ffff5659060 [object global] delegate, script=0x7ffff565d128, cx=0x16e0d60, type=<optimized out>) at js/src/vm/Interpreter.cpp:657
#11 js::Execute (cx=0x16e0d60, script=0x7ffff565d128, scopeChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:694
#12 0x000000000077b8f9 in ExecuteScript (cx=<optimized out>, obj=..., scriptArg=..., rval=<optimized out>) at js/src/jsapi.cpp:4352
#13 0x0000000000413257 in RunFile (compileOnly=false, file=0x1702bf0, filename=0x7fffffffebdb "min.js", obj=..., cx=0x16e0d60) at js/src/shell/js.cpp:451
#14 Process (cx=0x16e0d60, obj_=<optimized out>, filename=0x7fffffffebdb "min.js", forceTTY=<optimized out>) at js/src/shell/js.cpp:584
#15 0x00000000004166cc in ProcessArgs (op=0x7fffffffe5c0, obj_=<optimized out>, cx=0x16e0d60) at js/src/shell/js.cpp:5496
#16 Shell (op=0x7fffffffe5c0, cx=0x16e0d60, envp=<optimized out>) at js/src/shell/js.cpp:5735
#17 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6075

rax            0x5      5
rbx            0x7fffffffd0b0   140737488343216
rcx            0x16e0d60        23989600
rdx            0x16e0d78        23989624
rsi            0x0      0
rdi            0x7fffffffced0   140737488342736
rbp            0x7fffffffced0   140737488342736
rsp            0x7fffffffce70   140737488342640
r8             0x7fffffffce70   140737488342640
r9             0x1      1
r10            0x1      1
r11            0x7ffff565a080   140737310466176
r12            0x7fffffffcee0   140737488342752
r13            0x7fffffffcfe0   140737488343008
r14            0x1      1
r15            0x7fffffffcfd0   140737488342992
rip            0x83f038 <js::DirectProxyHandler::objectClassIs(JS::Handle<JSObject*>, js::ESClassValue, JSContext*) const+56>
=> 0x83f038 <js::DirectProxyHandler::objectClassIs(JS::Handle<JSObject*>, js::ESClassValue, JSContext*) const+56>:   mov    0x8(%rsi),%rsi
   0x83f03c <js::DirectProxyHandler::objectClassIs(JS::Handle<JSObject*>, js::ESClassValue, JSContext*) const+60>:   mov    (%rsi),%rsi
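The backtrace above shows the structured-clone writer asking objectClassIs whether the object is a RegExp, and the register dump shows rsi = 0x0 at the faulting `mov 0x8(%rsi),%rsi`: after revoke() the proxy's target pointer is null, and the C++ path dereferenced it instead of rejecting the revoked proxy. Per the language spec, every internal method of a revoked proxy throws a TypeError, so the correct outcome of the testcase is an error, not a segfault. The following is an added example, not code from this bug report or from SpiderMonkey: a JS-level model of a serializer that performs that check before classifying an object. The names isRevokedProxy, classOf, safeSerialize, SerializeError and serializeRevokedPair are this example's own; the string passed to revoke() in the testcase is ignored by revoke(), so the example calls it without arguments.

```javascript
// Added example (not from the bug report or SpiderMonkey): a structured-clone
// style writer that refuses revoked proxies cleanly instead of reaching their
// null target. Runs under Node.js.

class SerializeError extends Error {
  constructor(message) {
    super(message);
    this.name = "SerializeError";
  }
}

// A revoked proxy has null [[ProxyTarget]] and [[ProxyHandler]]; its
// [[GetPrototypeOf]] throws TypeError before any trap could run. A live proxy
// whose getPrototypeOf trap throws TypeError is also reported as revoked,
// which for a serializer is the safe direction (refuse, do not dereference).
function isRevokedProxy(value) {
  if (value === null) return false;
  if (typeof value !== "object" && typeof value !== "function") return false;
  try {
    Object.getPrototypeOf(value);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// JS-level analogue of ObjectClassIs(target, ESClass_RegExp): classify by the
// internal tag rather than by a user-overridable property.
function classOf(value) {
  return Object.prototype.toString.call(value).slice(8, -1); // e.g. "RegExp"
}

function serializeObject(value, inProgress) {
  switch (classOf(value)) {
    case "RegExp":
      return { type: "regexp", source: value.source, flags: value.flags };
    case "Date":
      return { type: "date", time: value.getTime() };
    case "Array":
      return { type: "array", items: value.map((v) => safeSerialize(v, inProgress)) };
    case "Object": {
      const props = {};
      for (const k of Object.keys(value)) props[k] = safeSerialize(value[k], inProgress);
      return { type: "object", props };
    }
    default:
      throw new SerializeError(`unsupported class ${classOf(value)}`);
  }
}

// Minimal writer: primitives, RegExp, Date, arrays and plain objects.
// The revocation check happens before any class check touches the object.
function safeSerialize(value, inProgress = new Set()) {
  if (value === null || (typeof value !== "object" && typeof value !== "function")) {
    if (typeof value === "symbol") throw new SerializeError("cannot serialize symbol");
    return { type: "primitive", value };
  }
  if (isRevokedProxy(value)) throw new SerializeError("cannot serialize a revoked Proxy");
  if (typeof value === "function") throw new SerializeError("cannot serialize function");
  if (inProgress.has(value)) throw new SerializeError("cycle detected");
  inProgress.add(value); // tracks the current path only, so shared (acyclic) refs are fine
  try {
    return serializeObject(value, inProgress);
  } finally {
    inProgress.delete(value);
  }
}

// Same shape as the testcase: serialize the {proxy, revoke} pair after
// revocation. Returns the error text instead of crashing the process.
function serializeRevokedPair() {
  const r = Proxy.revocable({}, {});
  r.revoke(); // revoke() takes no arguments; the testcase's string is ignored
  try {
    safeSerialize(r);
    return "no error";
  } catch (e) {
    return `${e.name}: ${e.message}`;
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(serializeRevokedPair());
}
```

Object.keys on the revocable pair yields "proxy" before "revoke", so the writer hits the revoked proxy first and reports it; the function-valued revoke property would otherwise be refused on its own.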
Group: core-security
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a3761879135a
user:        Bobby Holley
date:        Mon Aug 18 14:18:38 2014 -0700
summary:     Bug 1050340 - Access regexp guts generically. r=luke

This iteration took 316.832 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 95c76c3b0172).
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE