1368737 - Hit MOZ_CRASH(shouldn't be possible to access the prototype chain of a DebugEnvironmentProxyHandler) at js/src/vm/EnvironmentObject.cpp:1867

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision ebad93e11770 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
    var frame = dbg.getNewestFrame().older;
    var completion = frame.eval(code);
  };
})(this);
var lfLogBuffer = `
  function i(save) {
    isFinite.__proto__ = this;
  }
  evalInFrame(0, "i(true)", true);
`;
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
  eval(lfVarx);
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000acb8bc in (anonymous namespace)::DebugEnvironmentProxyHandler::getPrototypeIfOrdinary (this=<optimized out>, cx=<optimized out>, proxy=..., isOrdinary=<optimized out>, protop=...) at js/src/vm/EnvironmentObject.cpp:1867
#0  0x0000000000acb8bc in (anonymous namespace)::DebugEnvironmentProxyHandler::getPrototypeIfOrdinary (this=<optimized out>, cx=<optimized out>, proxy=..., isOrdinary=<optimized out>, protop=...) at js/src/vm/EnvironmentObject.cpp:1867
#1  0x00000000009978c2 in js::SetPrototype (cx=cx@entry=0x7ffff6924000, obj=..., proto=..., result=...) at js/src/jsobj.cpp:2726
#2  0x0000000000997ba8 in js::SetPrototype (cx=cx@entry=0x7ffff6924000, obj=..., obj@entry=..., proto=..., proto@entry=...) at js/src/jsobj.cpp:2748
#3  0x0000000000591d33 in ProtoSetter (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Object.cpp:1261
#4  0x000000000053e1df in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0x591be0 <ProtoSetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#5  0x0000000000532f83 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
#6  0x0000000000533398 in InternalCall (cx=cx@entry=0x7ffff6924000, args=...) at js/src/vm/Interpreter.cpp:515
#7  0x00000000005334cd in js::Call (cx=cx@entry=0x7ffff6924000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:534
#8  0x00000000005339f0 in js::CallSetter (cx=cx@entry=0x7ffff6924000, thisv=..., thisv@entry=..., setter=..., setter@entry=..., v=v@entry=...) at js/src/vm/Interpreter.cpp:663
#9  0x0000000000b8dcad in SetExistingProperty (result=..., prop=..., pobj=..., receiver=..., v=..., id=..., obj=..., cx=0x7ffff6924000) at js/src/vm/NativeObject.cpp:2556
#10 js::NativeSetProperty (cx=0x7ffff6924000, obj=..., id=..., value=..., receiver=..., qualified=qualified@entry=js::Qualified, result=...) at js/src/vm/NativeObject.cpp:2591
#11 0x00000000005368b0 in js::SetProperty (cx=<optimized out>, obj=..., id=..., v=..., receiver=..., result=...) at js/src/vm/NativeObject.h:1544
#12 0x000000000052704a in SetPropertyOperation (rval=..., id=..., lval=..., op=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter.cpp:244
#13 Interpret (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:2819
#14 0x0000000000532b32 in js::RunScript (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:410
#15 0x0000000000535951 in js::ExecuteKernel (cx=cx@entry=0x7ffff6924000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=result@entry=0x7fffffffac50) at js/src/vm/Interpreter.cpp:699
#16 0x0000000000b1155e in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=<optimized out>, pc=<optimized out>, frame=..., env=..., cx=0x7ffff6924000, chars=...) at js/src/vm/Debugger.cpp:8173
#17 DebuggerGenericEval (cx=cx@entry=0x7ffff6924000, bindings=..., bindings@entry=..., options=..., status=@0x7fffffffb4ec: JSTRAP_ERROR, value=..., dbg=0x7ffff6938800, envArg=..., iter=0x7fffffffafe0, chars=...) at js/src/vm/Debugger.cpp:8260
#18 0x0000000000b1225d in js::DebuggerFrame::eval (cx=cx@entry=0x7ffff6924000, frame=..., frame@entry=..., chars=..., bindings=..., bindings@entry=..., options=..., status=@0x7fffffffb4ec: JSTRAP_ERROR, value=value@entry=...) at js/src/vm/Debugger.cpp:8284
#19 0x0000000000b124f9 in js::DebuggerFrame::evalMethod (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8940
#20 0x000000000053e1df in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0xb122a0 <js::DebuggerFrame::evalMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#21 0x0000000000532f83 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
#22 0x0000000000533398 in InternalCall (cx=cx@entry=0x7ffff6924000, args=...) at js/src/vm/Interpreter.cpp:515
#23 0x00000000005334cd in js::Call (cx=cx@entry=0x7ffff6924000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:534
#24 0x0000000000a660dd in js::Wrapper::call (this=this@entry=0x1eb7630 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff6924000, proxy=..., proxy@entry=..., args=...) at js/src/proxy/Wrapper.cpp:166
#25 0x0000000000a538e2 in js::CrossCompartmentWrapper::call (this=0x1eb7630 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6924000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:353
#26 0x0000000000a5de1b in js::Proxy::call (cx=cx@entry=0x7ffff6924000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:479
#27 0x0000000000a5df2c in js::proxy_Call (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:739
#28 0x000000000053e1df in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0xa5deb0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
[...]
#35 0x000000000056c5be in js::DirectEval (cx=0x7ffff6924000, v=..., vp=...) at js/src/builtin/Eval.cpp:438
#36 0x0000000000526a48 in Interpret (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:2941
[...]
#45 Shell (envp=<optimized out>, op=0x7fffffffda50, cx=0x7ffff6924000) at js/src/shell/js.cpp:8068
#46 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8464
rax	0x0	0
rbx	0x7ffff6924000	140737330167808
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffff9db0	140737488330160
rsp	0x7fffffff9db0	140737488330160
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7fffffff9f40	140737488330560
r13	0x7fffffff9eb0	140737488330416
r14	0x7fffffff9e30	140737488330288
r15	0xf4689100	4100493568
rip	0xacb8bc <(anonymous namespace)::DebugEnvironmentProxyHandler::getPrototypeIfOrdinary(JSContext*, JS::HandleObject, bool*, JS::MutableHandleObject) const+28>
=> 0xacb8bc <(anonymous namespace)::DebugEnvironmentProxyHandler::getPrototypeIfOrdinary(JSContext*, JS::HandleObject, bool*, JS::MutableHandleObject) const+28>:	movl   $0x0,0x0
   0xacb8c7 <(anonymous namespace)::DebugEnvironmentProxyHandler::getPrototypeIfOrdinary(JSContext*, JS::HandleObject, bool*, JS::MutableHandleObject) const+39>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160503153842" and the hash "242bab2c3b069e0c0b0aa16eea73d11157556b95".
The "bad" changeset has the timestamp "20160503155741" and the hash "1c286374a5183f6407a9fef085e9e930fee16ffe".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=242bab2c3b069e0c0b0aa16eea73d11157556b95&tochange=1c286374a5183f6407a9fef085e9e930fee16ffe

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Since Waldo is out for quite some time, Shu-yu, do you mind taking a look at the regression range in comment 1 and see which one is a possible regressor?

Comment 3

[Shu-yu Guo [:shu]]

Attachment: Generate "[sourceless code]" for class constructors when sourceIsLazy and no source hook is set.

Comment 4

[Shu-yu Guo [:shu]]

Comment on attachment 8873184 [details] [diff] [review]
Generate "[sourceless code]" for class constructors when sourceIsLazy and no source hook is set.

Oops, posted to wrong bug

Comment 5

[Shu-yu Guo [:shu]]

Attachment: Fix 'this' computation for Debugger.Frame.eval.

Comment 6

[Hsin-Yi Tsai (she/her) [:hsinyi]]

Hi Shu-yu, assigning this bug to you as you've been working on this. Feel free to reassign. :)

Comment 7

[Mike Taylor [:miketaylr]]

This patch has been up for review for quite some time. Is there someone else that can review?

Comment 8

[Mike Taylor [:miketaylr]]

(In reply to Mike Taylor [:miketaylr] (55 Regression Engineering Owner) from comment #7)
> This patch has been up for review for quite some time. Is there someone else
> that can review?

Comment 9

[Pulsebot]

Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d8bb41f2028b
Fix 'this' computation for Debugger.Frame.eval. (r=jimb)

Comment 10

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/d8bb41f2028b

Comment 11

[Ryan VanderMeulen [:RyanVM]]

Is this something we should nominate for Beta backport or let ride the trains? Please nominate if it's the former :)

Comment 12

[Jim Blandy :jimb]

Letting it ride the trains should be fine.