Closed
Bug 1394496
Opened 7 years ago
Closed 7 years ago
Assertion failure: !chain[i]->is<GlobalObject>(), at js/src/vm/EnvironmentObject.cpp:3188
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla57
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox55 | --- | unaffected |
firefox56 | --- | unaffected |
firefox57 | --- | fixed |
People
(Reporter: decoder, Assigned: mccr8)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
The following testcase crashes on mozilla-central revision 31465a03c03d (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off min.js): var evalOpt = { envChainObject: 1 | (this) | (this) && (this) }; evaluate("assertEq(someVar, 1);", evalOpt); Backtrace: received signal SIGSEGV, Segmentation fault. 0x0000000000b29df0 in js::CreateObjectsForEnvironmentChain (cx=cx@entry=0x7ffff6955000, chain=..., terminatingEnv=..., terminatingEnv@entry=..., envObj=..., envObj@entry=...) at js/src/vm/EnvironmentObject.cpp:3188 #0 0x0000000000b29df0 in js::CreateObjectsForEnvironmentChain (cx=cx@entry=0x7ffff6955000, chain=..., terminatingEnv=..., terminatingEnv@entry=..., envObj=..., envObj@entry=...) at js/src/vm/EnvironmentObject.cpp:3188 #1 0x000000000096e9b9 in CreateNonSyntacticEnvironmentChain (cx=cx@entry=0x7ffff6955000, envChain=..., env=env@entry=..., scope=..., scope@entry=...) at js/src/jsapi.cpp:3572 #2 0x000000000097be34 in ExecuteScript (cx=cx@entry=0x7ffff6955000, envChain=..., scriptArg=..., rval=0x7ffff428e090) at js/src/jsapi.cpp:4637 #3 0x000000000097bf7a in JS_ExecuteScript (cx=cx@entry=0x7ffff6955000, envChain=..., scriptArg=..., scriptArg@entry=..., rval=...) at js/src/jsapi.cpp:4669 #4 0x00000000004687ba in Evaluate (cx=0x7ffff6955000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:1714 #5 0x0000000000548c8b in js::CallJSNative (cx=cx@entry=0x7ffff6955000, native=0x467d80 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293 [...] #18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8592 rax 0x0 0 rbx 0x7fffffffd480 140737488344192 rcx 0x7ffff6c28a2d 140737333332525 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffffcfe0 140737488343008 rsp 0x7fffffffcf50 140737488342864 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4740 140737354024768 r10 0x58 88 r11 0x7ffff6b9f750 140737332770640 r12 0x7ffff6955000 140737330368512 r13 0x0 0 r14 0x7ffff6955340 140737330369344 r15 0x0 0 rip 0xb29df0 <js::CreateObjectsForEnvironmentChain(JSContext*, JS::AutoObjectVector&, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)+592> => 0xb29df0 <js::CreateObjectsForEnvironmentChain(JSContext*, JS::AutoObjectVector&, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)+592>: movl $0x0,0x0 0xb29dfb <js::CreateObjectsForEnvironmentChain(JSContext*, JS::AutoObjectVector&, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)+603>: ud2
Updated•7 years ago
|
Updated•7 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•7 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/40aafceb5e48 user: Andrew McCreight date: Mon Aug 07 16:35:43 2017 -0700 summary: Bug 1388191 - Add way to test evaluation with envChain in the shell. r=jorendorff This iteration took 270.292 seconds to run.
Andrew, is bug 1388191 a likely regressor?
Blocks: 1388191
Flags: needinfo?(continuation)
Assignee | ||
Comment 3•7 years ago
|
||
Yes, I added the envChainObject option in that bug. I think I need to throw an error if a global is passed in.
Assignee: nobody → continuation
Comment hidden (mozreview-request) |
Assignee | ||
Updated•7 years ago
|
Flags: needinfo?(continuation)
Comment 5•7 years ago
|
||
mozreview-review |
Comment on attachment 8904721 [details] Bug 1394496 - Evaluate's envChainObject should throw if passed a global. https://reviewboard.mozilla.org/r/176516/#review181490 Thanks for fixing. I guess this answers my question when I hit this last week of "Is this exposed to the fuzzers?"
Attachment #8904721 -
Flags: review?(tcampbell) → review+
Assignee | ||
Comment 6•7 years ago
|
||
(In reply to Ted Campbell [:tcampbell] from comment #5) > I guess this answers my question when I hit this last week of "Is this > exposed to the fuzzers?" One of the things the fuzzers do is mutate existing test cases, so if you write tests, they will give you at least some coverage.
Pushed by amccreight@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0f3a0442c2ad Evaluate's envChainObject should throw if passed a global. r=tcampbell
Comment 8•7 years ago
|
||
I more was wondering if it was one of the APIs disabled during fuzzing. It was on a list of things to follow up, but you saved me the trouble ;)
Comment 9•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/0f3a0442c2ad
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Updated•7 years ago
|
status-firefox55:
--- → unaffected
status-firefox56:
--- → unaffected
status-firefox-esr52:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•