Closed Bug 1143921 Opened 7 years ago Closed 7 years ago

Crash [@ js::Debugger::unwrapDebuggeeObject]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla40
Tracking Status
firefox39 --- affected
firefox40 --- fixed

People

(Reporter: decoder, Assigned: jorendorff)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 436686833af0 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var g = newGlobal();
var dbg = new Debugger;
var gw = dbg.addDebuggee(g);
gw.defineProperty("p", {get: undefined});
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::Debugger::unwrapDebuggeeObject (this=this@entry=0x1af47f0, cx=cx@entry=0x1a05e00, obj=obj@entry=...) at js/src/jsobj.h:128
#0  js::Debugger::unwrapDebuggeeObject (this=this@entry=0x1af47f0, cx=cx@entry=0x1a05e00, obj=obj@entry=...) at js/src/jsobj.h:128
#1  0x00000000005f5d18 in js::Debugger::unwrapPropertyDescriptor (this=this@entry=0x1af47f0, cx=0x1a05e00, obj=obj@entry=..., desc=desc@entry=...) at js/src/vm/Debugger.cpp:944
#2  0x00000000005f83f0 in DebuggerObject_defineProperty (cx=0x1a05e00, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6746
#3  0x000000000063c6b2 in js::CallJSNative (cx=0x1a05e00, native=0x5f8190 <DebuggerObject_defineProperty(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#4  0x000000000062be73 in js::Invoke (cx=cx@entry=0x1a05e00, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:502
#5  0x000000000062690d in Interpret (cx=cx@entry=0x1a05e00, state=...) at js/src/vm/Interpreter.cpp:2597
#6  0x000000000062bbd8 in js::RunScript (cx=cx@entry=0x1a05e00, state=...) at js/src/vm/Interpreter.cpp:452
#7  0x000000000063264f in js::ExecuteKernel (cx=cx@entry=0x1a05e00, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:655
#8  0x00000000006347d5 in js::Execute (cx=cx@entry=0x1a05e00, script=..., script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:692
#9  0x0000000000a06b57 in ExecuteScript (cx=cx@entry=0x1a05e00, obj=..., scriptArg=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4101
#10 0x0000000000a06c8b in JS_ExecuteScript (cx=cx@entry=0x1a05e00, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4123
#11 0x00000000004068b2 in RunFile (compileOnly=false, file=0x1a76cb0, filename=0x7fffffffdf39 "min.js", cx=0x1a05e00) at js/src/shell/js.cpp:466
#12 Process (cx=cx@entry=0x1a05e00, filename=0x7fffffffdf39 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:597
#13 0x0000000000453d96 in ProcessArgs (op=0x7fffffffd9d0, cx=0x1a05e00) at js/src/shell/js.cpp:5743
#14 Shell (envp=<optimized out>, op=0x7fffffffd9d0, cx=0x1a05e00) at js/src/shell/js.cpp:6006
#15 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6346
rax	0x7fffffffc540	140737488340288
rbx	0x0	0
rcx	0x7fffffffc590	140737488340368
rdx	0x19803c0	26739648
rsi	0x1a05e00	27287040
rdi	0x1af47f0	28264432
rbp	0x7fffffffc440	140737488340032
rsp	0x7fffffffc3f0	140737488339952
r8	0x7fffffffc340	140737488339776
r9	0x1	1
r10	0x1b	27
r11	0x7fffffffd2a0	140737488343712
r12	0x7fffffffc480	140737488340096
r13	0x7fffffffc550	140737488340304
r14	0x1a05e00	27287040
r15	0x7fffffffc590	140737488340368
rip	0x5e4161 <js::Debugger::unwrapDebuggeeObject(JSContext*, JS::MutableHandle<JSObject*>)+33>
=> 0x5e4161 <js::Debugger::unwrapDebuggeeObject(JSContext*, JS::MutableHandle<JSObject*>)+33>:	mov    (%rbx),%rax
   0x5e4164 <js::Debugger::unwrapDebuggeeObject(JSContext*, JS::MutableHandle<JSObject*>)+36>:	mov    (%rax),%rax
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150313014418" and the hash "e76c33c4d452".
The "bad" changeset has the timestamp "20150313025420" and the hash "c78a9d1273c5".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e76c33c4d452&tochange=c78a9d1273c5
Needinfo from Jason based on the regression range in comment 1.
Flags: needinfo?(jorendorff)
Yep, you can see the bug clear as day in
  https://hg.mozilla.org/integration/mozilla-inbound/diff/2a96f2eed5c9/js/src/vm/Debugger.cpp

I rewrote some code from using the Value type to using JSObject pointers, but forgot to replace the .isObject() check with a null check. D'oh.
Flags: needinfo?(jorendorff)
Assignee: nobody → jorendorff
Status: NEW → ASSIGNED
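The null-check regression described in the comment above, modelled as an added example in C++ (constructed stand-in types, not SpiderMonkey's own code): after getter and setter move from a Value to a JSObject*, an `{get: undefined}` descriptor leaves the pointer null, and the unwrap helper must test for null where the Value version tested `.isObject()`. Names such as `unwrapPropertyDescriptorBuggy` and `unwrapPropertyDescriptorFixed` are assumptions for this illustration.

```cpp
#include <cassert>
#include <string>

// Constructed stand-ins for the engine types; not SpiderMonkey's definitions.
struct JSObject {
    std::string name;
    bool isDebuggee;
};

// After the Value -> JSObject* rewrite, a descriptor slot that was "undefined"
// is represented as nullptr rather than as a non-object Value.
struct PropertyDescriptor {
    JSObject* getter = nullptr;   // {get: undefined} leaves this null
    JSObject* setter = nullptr;
};

// Stand-in for js::Debugger::unwrapDebuggeeObject: dereferences obj without a
// null check, so a null pointer passed by the caller faults here (cf. the
// frame at js/src/jsobj.h:128 in the backtrace). Fails for non-debuggee objects.
static bool unwrapDebuggeeObject(JSObject*& obj) {
    if (!obj->isDebuggee)
        return false;
    obj->name = "unwrapped:" + obj->name;
    return true;
}

// Shape of the regressing code: assumes both slots hold objects. Works for a
// full accessor descriptor, crashes on {get: undefined}. Never call with null.
static bool unwrapPropertyDescriptorBuggy(PropertyDescriptor& d) {
    return unwrapDebuggeeObject(d.getter) && unwrapDebuggeeObject(d.setter);
}

// Fixed shape: the old .isObject() test becomes a null test on the pointer.
static bool unwrapPropertyDescriptorFixed(PropertyDescriptor& d) {
    if (d.getter && !unwrapDebuggeeObject(d.getter))
        return false;
    if (d.setter && !unwrapDebuggeeObject(d.setter))
        return false;
    return true;
}

int main() {
    JSObject g{"g", true};
    PropertyDescriptor d;            // getter and setter both undefined
    assert(unwrapPropertyDescriptorFixed(d) && d.getter == nullptr);
    PropertyDescriptor full{&g, &g};
    assert(unwrapPropertyDescriptorBuggy(full) && g.name == "unwrapped:unwrapped:g");
    return 0;
}
```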
Comment on attachment 8591814 [details] [diff] [review]
Fix crash in Debugger.defineProperty when the descriptor contains {get: undefined}

Review of attachment 8591814 [details] [diff] [review]:
-----------------------------------------------------------------

Yep.
Attachment #8591814 - Flags: review?(efaustbmo) → review+
https://hg.mozilla.org/mozilla-central/rev/b40115b4c476
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40