Crash [@ js::DirectProxyHandler::objectClassIs]

RESOLVED DUPLICATE of bug 1100936

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED DUPLICATE of bug 1100936
Reported: 3 years ago
Modified: 3 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Version: Trunk
Hardware: x86_64
OS: Linux
Keywords: crash, regression, testcase
Points: ---

Firefox Tracking Flags

(firefox38 affected)

Details

(Whiteboard: [jsbugmon:update,ignore], crash signature)

(Reporter)

Description

3 years ago
The following testcase crashes on mozilla-central revision 540077a30866 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --thread-count=2):

var r = Proxy.revocable({}, {});
r.revoke("debugger = true;");
serialize(r) instanceof Object;
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::DirectProxyHandler::objectClassIs (this=<optimized out>, proxy=..., classValue=js::ESClass_RegExp, cx=0x16e0d60) at js/src/proxy/DirectProxyHandler.cpp:156
156	    return ObjectClassIs(target, classValue, cx);
#0  js::DirectProxyHandler::objectClassIs (this=<optimized out>, proxy=..., classValue=js::ESClass_RegExp, cx=0x16e0d60) at js/src/proxy/DirectProxyHandler.cpp:156
#1  0x00000000008f9ca8 in JSStructuredCloneWriter::startWrite (this=0x7fffffffd0b0, v=...) at js/src/vm/StructuredClone.cpp:1036
#2  0x00000000008fa95c in JSStructuredCloneWriter::write (this=0x7fffffffd0b0, v=...) at js/src/vm/StructuredClone.cpp:1249
#3  0x00000000008fad41 in WriteStructuredClone (cx=<optimized out>, v=$jsval((JSObject *) 0x7ffff5700060 [object Object]), bufp=0x7fffffffd370, nbytesp=0x7fffffffd378, cb=0x0, cbClosure=0x0, transferable=JSVAL_VOID) at js/src/vm/StructuredClone.cpp:368
#4  0x00000000008fae83 in JSAutoStructuredCloneBuffer::write (this=0x7fffffffd370, cx=0x16e0d60, value=$jsval((JSObject *) 0x7ffff5700060 [object Object]), transferable=JSVAL_VOID, optionalCallbacks=<optimized out>, closure=<optimized out>) at js/src/vm/StructuredClone.cpp:2075
#5  0x00000000004b0916 in Serialize (cx=0x16e0d60, argc=<optimized out>, vp=0x1756cb0) at js/src/builtin/TestingFunctions.cpp:1618
#6  0x00000000008a1862 in CallJSNative (args=..., native=0x4b08a0 <Serialize(JSContext*, unsigned int, jsval*)>, cx=0x16e0d60) at js/src/jscntxtinlines.h:226
#7  js::Invoke (cx=0x16e0d60, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:498
#8  0x000000000089bfa1 in Interpret (cx=0x16e0d60, state=...) at js/src/vm/Interpreter.cpp:2561
#9  0x00000000008a12b8 in js::RunScript (cx=0x16e0d60, state=...) at js/src/vm/Interpreter.cpp:448
#10 0x00000000008aa169 in ExecuteKernel (result=0x0, evalInFrame=..., thisv=<synthetic pointer>, scopeChainArg=(JSObject &) @0x7ffff5659060 [object global] delegate, script=0x7ffff565d128, cx=0x16e0d60, type=<optimized out>) at js/src/vm/Interpreter.cpp:657
#11 js::Execute (cx=0x16e0d60, script=0x7ffff565d128, scopeChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:694
#12 0x000000000077b8f9 in ExecuteScript (cx=<optimized out>, obj=..., scriptArg=..., rval=<optimized out>) at js/src/jsapi.cpp:4352
#13 0x0000000000413257 in RunFile (compileOnly=false, file=0x1702bf0, filename=0x7fffffffebdb "min.js", obj=..., cx=0x16e0d60) at js/src/shell/js.cpp:451
#14 Process (cx=0x16e0d60, obj_=<optimized out>, filename=0x7fffffffebdb "min.js", forceTTY=<optimized out>) at js/src/shell/js.cpp:584
#15 0x00000000004166cc in ProcessArgs (op=0x7fffffffe5c0, obj_=<optimized out>, cx=0x16e0d60) at js/src/shell/js.cpp:5496
#16 Shell (op=0x7fffffffe5c0, cx=0x16e0d60, envp=<optimized out>) at js/src/shell/js.cpp:5735
#17 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6075
rax	0x5	5
rbx	0x7fffffffd0b0	140737488343216
rcx	0x16e0d60	23989600
rdx	0x16e0d78	23989624
rsi	0x0	0
rdi	0x7fffffffced0	140737488342736
rbp	0x7fffffffced0	140737488342736
rsp	0x7fffffffce70	140737488342640
r8	0x7fffffffce70	140737488342640
r9	0x1	1
r10	0x1	1
r11	0x7ffff565a080	140737310466176
r12	0x7fffffffcee0	140737488342752
r13	0x7fffffffcfe0	140737488343008
r14	0x1	1
r15	0x7fffffffcfd0	140737488342992
rip	0x83f038 <js::DirectProxyHandler::objectClassIs(JS::Handle<JSObject*>, js::ESClassValue, JSContext*) const+56>
=> 0x83f038 <js::DirectProxyHandler::objectClassIs(JS::Handle<JSObject*>, js::ESClassValue, JSContext*) const+56>:	mov    0x8(%rsi),%rsi
   0x83f03c <js::DirectProxyHandler::objectClassIs(JS::Handle<JSObject*>, js::ESClassValue, JSContext*) const+60>:	mov    (%rsi),%rsi
(Reporter)

Updated

3 years ago
Group: core-security
(Reporter)

Updated

3 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 1

3 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a3761879135a
user:        Bobby Holley
date:        Mon Aug 18 14:18:38 2014 -0700
summary:     Bug 1050340 - Access regexp guts generically. r=luke

This iteration took 316.832 seconds to run.
(Reporter)

Updated

3 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
(Reporter)

Comment 2

3 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 95c76c3b0172).
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1100936