Closed Bug 1509420 Opened 6 years ago Closed 5 years ago

Assertion failure: this->is<T>(), at js/src/vm/JSObject.h:529 with bindToAsyncStack

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla66
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 --- fixed

People

(Reporter: decoder, Assigned: jimb)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Bug 1509420: Handle CCWs of functions properly in bindToAsyncStack shell function. r?jorendorff
47 bytes, text/x-phabricator-request
Details | Review 
The following testcase crashes on mozilla-central revision eeddcefcdad8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

var g = newGlobal();
g.evaluate("function h() { f(); }");
for ([f, n] of [
  [g.f, 20]
  , [g.h, 5]
]) try {} catch (e) {}
function bindAndExpect(options, expected) {
  return bindToAsyncStack(f, options);
}
bindAndExpect({},)()


Backtrace:

received signal SIGSEGV, Segmentation fault.
JSObject::as<JSFunction> (this=<optimized out>) at js/src/vm/JSObject.h:529
#0  JSObject::as<JSFunction> (this=<optimized out>) at js/src/vm/JSObject.h:529
#1  BoundToAsyncStack (cx=<optimized out>, cx@entry=0x7ffff5f18000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:1145
#2  0x00005555558c7271 in CallJSNative (cx=0x7ffff5f18000, native=0x5555558207f0 <BoundToAsyncStack(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:468
[...]
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11420
rax	0x555557b4f480	93825032057984
rbx	0x7fffffffcc00	140737488342016
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x0	0
rsi	0x555556a50850	93825014237264
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffc8d0	140737488341200
rsp	0x7fffffffc730	140737488340784
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7ffff5f18000	140737319632896
r13	0x7fffffffc8f0	140737488341232
r14	0x7ffff5f81800	140737320065024
r15	0x7ffff5f81800	140737320065024
rip	0x555555820cf9 <BoundToAsyncStack(JSContext*, unsigned int, JS::Value*)+1289>
=> 0x555555820cf9 <BoundToAsyncStack(JSContext*, unsigned int, JS::Value*)+1289>:	movl   $0x0,0x0
   0x555555820d04 <BoundToAsyncStack(JSContext*, unsigned int, JS::Value*)+1300>:	ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, failed due to error (try manually).
Probably a regression from bug 1438121 where this shell function was added.
Flags: needinfo?(jimb)
I can reproduce this.
Assignee: nobody → jimb
Flags: needinfo?(jimb)
Reduced test case:

var g = newGlobal();
g.evaluate("function h() { f(); }");
bindToAsyncStack(g.h, {})();

A CCW of a function is callable, but not a JSFunction.
In js.cpp, BindToAsyncStack used JSObject::isCallable to check the type of its
argument, and then BoundToAsyncStack (the native for the function returned)
assumed that it could call JSObject::as<JSFunction> on that value.

However, there are many things that are isCallable but not is<JSFunction>, two
examples being CCWs and function proxies.
Pushed by jblandy@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/606d75702c5c
Handle CCWs of functions properly in bindToAsyncStack shell function. r=jorendorff
https://hg.mozilla.org/mozilla-central/rev/606d75702c5c
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox66: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: