Closed
Bug 1494146
Opened 6 years ago
Closed 5 years ago
Assertion failure: !realm->creationOptions().invisibleToDebugger(), at js/src/vm/Debugger.cpp:12644
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1482215
| Tracking | Status | |
|---|---|---|
| firefox64 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
10.16 KB,
text/plain
|
Details |
The following testcase crashes on mozilla-central revision 2e3e89c9c68c (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/prologueFailure-01.js
f = newGlobal();
f.parent = this;
f.eval("Debugger(parent).onExceptionUnwind=function(){}");
// jsfunfuzz-generated
g = newGlobal({
sameCompartmentAs: [],
invisibleToDebugger: true
});
g.offThreadCompileScript();
Backtrace:
#0 0x00005628007f9257 in CheckDebuggeeThingRealm (realm=<optimized out>, invisibleOk=false) at js/src/vm/Debugger.cpp:12644
#1 js::CheckDebuggeeThing (obj=<optimized out>, invisibleOk=false) at js/src/vm/Debugger.cpp:12663
#2 js::DebuggerWeakMap<JSObject*, false>::relookupOrAdd<JS::Handle<JSObject*>, JS::Rooted<js::DebuggerObject*> > (this=0x7fe851564b68, p=..., k=..., v=...) at js/src/vm/Debugger.h:171
#3 0x0000562800781088 in js::DependentAddPtr<js::DebuggerWeakMap<JSObject*, false> >::add<JS::Handle<JSObject*>, JS::Rooted<js::DebuggerObject*> > (this=0x0, cx=<optimized out>, table=..., key=..., value=...) at js/src/gc/HashUtil.h:40
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•6 years ago
|
||
|
|
Reporter | |
Comment 2•6 years ago
|
||
autobisectjs shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/d473e8b25db6 user: Jan de Mooij date: Mon Jul 02 18:34:37 2018 +0200 summary: Bug 1472130 part 2 - Allow creating same-compartment realms in the shell with --fuzzing-safe. r=luke Jan, is bug 1472130 / are same-compartment realms likely regressors?
Blocks: 1472130
Flags: needinfo?(jdemooij)
|
|
Reporter | |
Comment 3•6 years ago
|
||
Recent updates to jsfunfuzz found this: https://github.com/MozillaSecurity/funfuzz/pull/211
|
||
Comment 4•6 years ago
|
||
Jim, didn't you have a patch to rejigger invisibleToDebugger?
Flags: needinfo?(jdemooij) → needinfo?(jimb)
|
||
Comment 6•6 years ago
|
||
I think Jan was waiting on answer to his question from Jimb. i.e. Comment 4. Jimb is already ni'd on the bug.
|
|
||
Comment 7•6 years ago
|
||
Also note that this requires same-compartment realms and that's not (yet) enabled in the browser.
Flags: needinfo?(sdetar)
|
||
Comment 8•5 years ago
|
||
With bug 1482215 landed, the test case just throws an error, rather than crashing.
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jimb)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•