Assertion failure: getSlotRef(EVAL).isUndefined(), at js/src/vm/GlobalObject.h:147

Status: RESOLVED DUPLICATE of bug 1192401
Type: defect
Priority: --
Severity: critical
Reported: 4 years ago
Modified: 4 years ago

People: Reporter: decoder; Assignee: Unassigned

Tracking: Blocks 1 bug; Keywords: assertion, regression, testcase
Version: Trunk
Platform: x86_64 Linux
Points: ---

Firefox Tracking Flags: firefox42 affected

Whiteboard: [jsbugmon:update]

Description (Reporter, 4 years ago):
The following testcase crashes on mozilla-central revision f34a7120f46b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-check-range-analysis):

const dbg = new Debugger();
const root3 = evalcx('lazy');
dbg.addDebuggee(root3);
dbg.memory.trackingAllocationSites = true;
root3.eval("this.alloc = {}");


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000597185 in setOriginalEval (evalobj=0x7f510c994480, this=0x7f510c983060) at js/src/vm/GlobalObject.h:147
#1  FinishObjectClassInit (cx=0x7f510ef1b330, ctor=..., proto=...) at js/src/builtin/Object.cpp:1139
#2  0x0000000000688e0d in js::GlobalObject::resolveConstructor (cx=cx@entry=0x7f510ef1b330, global=..., key=JSProto_Object) at js/src/vm/GlobalObject.cpp:204
#3  0x000000000068905c in js::GlobalObject::ensureConstructor (cx=cx@entry=0x7f510ef1b330, global=..., global@entry=..., key=<optimized out>) at js/src/vm/GlobalObject.cpp:99
#4  0x0000000000ab674b in JS_ResolveStandardClass (cx=cx@entry=0x7f510ef1b330, obj=..., obj@entry=..., id=..., id@entry=..., resolved=resolved@entry=0x7fffd52281b0) at js/src/jsapi.cpp:1276
#5  0x00000000004811e4 in sandbox_resolve (cx=0x7f510ef1b330, obj=..., id=..., resolvedp=0x7fffd52281b0) at js/src/shell/js.cpp:2524
#6  0x00000000006ef275 in CallResolveOp (recursedp=<synthetic pointer>, propp=..., id=..., obj=..., cx=0x7f510ef1b330) at js/src/vm/NativeObject-inl.h:388
#7  js::LookupOwnPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7f510ef1b330, obj=..., id=id@entry=..., propp=propp@entry=..., donep=donep@entry=0x7fffd52282a0) at js/src/vm/NativeObject-inl.h:481
#8  0x000000000071a6cc in NativeGetPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7f510ef1b330, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:1909
#9  0x000000000071ac80 in js::NativeGetProperty (cx=cx@entry=0x7f510ef1b330, obj=..., receiver=..., receiver@entry=..., id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:1953
#10 0x0000000000bbc46f in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7f510ef1b330) at js/src/vm/NativeObject.h:1417
#11 js::DirectProxyHandler::get (this=this@entry=0x1b0fee0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7f510ef1b330, proxy=..., proxy@entry=..., receiver=receiver@entry=..., id=id@entry=..., vp=vp@entry=...) at js/src/proxy/DirectProxyHandler.cpp:215
#12 0x0000000000bc58b3 in js::CrossCompartmentWrapper::get (this=0x1b0fee0 <js::CrossCompartmentWrapper::singleton>, cx=0x7f510ef1b330, wrapper=..., receiver=..., id=..., vp=...) at js/src/proxy/CrossCompartmentWrapper.cpp:165
#13 0x0000000000bd1fe7 in js::Proxy::get (cx=0x7f510ef1b330, proxy=..., receiver=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:286
#14 0x00000000005ba56d in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7f510ef1b330) at js/src/vm/NativeObject.h:1416
#15 js::GetProperty (cx=0x7f510ef1b330, obj=..., receiver=..., name=<optimized out>, vp=...) at js/src/jsobj.h:828
#16 0x000000000068ba0b in js::GetProperty (cx=cx@entry=0x7f510ef1b330, v=..., v@entry=..., name=name@entry=..., vp=vp@entry=...) at js/src/vm/Interpreter.cpp:4097
#17 0x000000000068bbc7 in js::CallProperty (cx=cx@entry=0x7f510ef1b330, v=..., v@entry=..., name=..., name@entry=..., vp=..., vp@entry=...) at js/src/vm/Interpreter.cpp:4106
#18 0x000000000069b94f in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=0x7f510d0ee0e0, cx=0x7f510ef1b330) at js/src/vm/Interpreter.cpp:257
#19 Interpret (cx=cx@entry=0x7f510ef1b330, state=...) at js/src/vm/Interpreter.cpp:2685
#20 0x00000000006a2343 in js::RunScript (cx=cx@entry=0x7f510ef1b330, state=...) at js/src/vm/Interpreter.cpp:655
#21 0x00000000006a2afb in js::Invoke (cx=cx@entry=0x7f510ef1b330, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:731
#22 0x00000000006a47d6 in js::Invoke (cx=cx@entry=0x7f510ef1b330, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffd5229b88, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:768
#23 0x00000000008d022a in js::jit::DoCallFallback (cx=0x7f510ef1b330, frame=0x7fffd5229bb8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffd5229b78, res=...) at js/src/jit/BaselineIC.cpp:9859
#24 0x00007f51103a0bdf in ?? ()
#25 0x00007f510c93bb80 in ?? ()
#26 0x00007fffd5229b30 in ?? ()
#27 0xfff9000000000000 in ?? ()
#28 0x0000000001b26ee0 in js::jit::DoSpreadCallFallbackInfo ()
#29 0x00007f510d153a90 in ?? ()
#30 0x00007f51103a4283 in ?? ()
#31 0x0000000000000402 in ?? ()
#32 0x00007fffd5229bb8 in ?? ()
#33 0x00007f510d03f020 in ?? ()
#34 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffd5227f40	140736769195840
rcx	0x7f510f1ef88d	139986122766477
rdx	0x0	0
rsi	0x7f510f4c49d0	139986125736400
rdi	0x7f510f4c31c0	139986125730240
rbp	0x7fffd5227f90	140736769195920
rsp	0x7fffd5227e70	140736769195632
r8	0x7f5110534780	139986142971776
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7f510f4c0be0	139986125720544
r11	0x0	0
r12	0x7f510ef1b330	139986119799600
r13	0x7fffd5227ee0	140736769195744
r14	0x7f510c983060	139986080378976
r15	0x7f510c994480	139986080449664
rip	0x597185 <FinishObjectClassInit(JSContext*, JS::HandleObject, JS::HandleObject)+1141>
=> 0x597185 <FinishObjectClassInit(JSContext*, JS::HandleObject, JS::HandleObject)+1141>:	movl   $0x93,0x0
   0x597190 <FinishObjectClassInit(JSContext*, JS::HandleObject, JS::HandleObject)+1152>:	callq  0x499110 <abort()>
Updated (Reporter, 4 years ago):
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 (Reporter, 4 years ago):
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user:        Jan de Mooij
date:        Thu Jul 24 11:56:43 2014 +0200
summary:     Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett

changeset:   https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user:        Jan de Mooij
date:        Thu Jul 24 11:56:45 2014 +0200
summary:     Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium

This iteration took 0.320 seconds to run.
This bisect is incorrect - it goes back way before that, but the build harness (all of fuzzing, m-c and OS) since then has changed so much that it might just be faster to get some eyes on this testcase instead of trying to make bisect work.

Needinfo? from :fitzgen and :jimb since this seems to involve Debugger.
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(jimb)
Seems to be the exact same as bug 1192401.
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(jimb)
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2015-4507