Hit MOZ_CRASH(Invalid object. Dead wrapper?) at js/src/vm/JSObject.h:652 with async

RESOLVED FIXED in Firefox 66

Status


defect
--
critical
RESOLVED FIXED
4 months ago
4 months ago

People

(Reporter: gkw, Assigned: arai)

Tracking

(Blocks 2 bugs, 4 keywords)

Trunk
mozilla67
x86_64
Linux
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox65 unaffected, firefox66 fixed, firefox67 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(3 attachments)

Reporter

Description

4 months ago

The following testcase crashes on mozilla-central revision 08f794a4928e (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion --more-compartments):

// Adapted from randomly chosen test: js/src/tests/test262/language/statements/for-await-of/async-func-dstr-let-async-obj-ptrn-rest-getter.js
async function fn() { e }
fn();
// jsfunfuzz-generated
s = newGlobal();
evalcx(`
    // Adapted from randomly chosen test: js/src/tests/test262/language/statements/for-await-of/async-func-dstr-var-obj-ptrn-empty.js
    async function fn() { e }
    fn()
    // Adapted from randomly chosen test: js/src/jit-test/tests/promise/bug1406463.js
    P = newGlobal().eval("(class extends Promise { function(){} })")
    Promise.all.call(P, [{ then() { nukeAllCCWs() } }])
`, s);

Backtrace:

#0 JSObject::maybeUnwrapAs<js::PromiseObject> (this=<optimized out>) at js/src/vm/JSObject.h:652
#1 ReportUnhandledRejections (cx=<optimized out>) at js/src/shell/js.cpp:10318
#2 Shell (cx=0x7f8490317000, op=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10404
#3 0x00005638fcf20d9c in main (argc=7, argv=0x7ffef15c2168, envp=<optimized out>) at js/src/shell/js.cpp:10973
/snip

For detailed crash information, see attachment.

Setting s-s as a start because this seems to involve compartments, which may be scary.

Reporter

Comment 2

4 months ago

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e7dc5234c656
user: Jan de Mooij
date: Sun Feb 10 17:37:14 2019 +0000
summary: Bug 1521906 part 1 - Use obj->maybeUnwrapAs<T>() or obj->maybeUnwrapIf<T>() instead of CheckedUnwrap where possible. r=luke

Jan, is bug 1521906 a likely regressor?

Blocks: 1521906
Flags: needinfo?(jdemooij)

Hey Gary, I think this was just a signature change. It's now a safe crash but it should have asserted in debug builds before e7dc5234c656. Can you bisect based on that?

No longer blocks: 1521906
Flags: needinfo?(jdemooij) → needinfo?(nth10sd)
Reporter

Comment 4

4 months ago

https://hg.mozilla.org/mozilla-central/rev/39e1b87c1dec is the parent of e7dc5234c656 and while it doesn't seem to reproduce with the flags in comment 0, it does show:

Assertion failure: self->template is<U>(), at /home/ubuntu/trees/mozilla-central/js/src/vm/JSObject.h:573

when run with --fuzzing-safe --no-threads --no-baseline --no-ion --more-compartments.

Bisecting based on this, m-c rev 450b8f0cbb4e added --more-compartments and still shows the above assert, so bisecting more backwards on the parent of 450b8f0cbb4e...

Reporter

Comment 5

4 months ago

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c9f108854caa
user: Tooru Fujisawa
date: Tue Jan 08 02:34:57 2019 +0000
summary: Bug 1517868 - Report unhandled rejections in JS shell. r=jorendorff

Bingo! Arai-san, is bug 1517868 a likely regressor?

Blocks: 1517868
Flags: needinfo?(nth10sd) → needinfo?(arai.unmht)
Assignee

Comment 6

4 months ago

Thanks!
This is shell-only. Feel free to open.

Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Flags: needinfo?(arai.unmht)
Reporter

Comment 7

4 months ago

Opening up as per comment 6.

Group: javascript-core-security

Comment 9

4 months ago
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/dc7e72c71d3a
Report dead object in unhandled rejections set properly. r=jandem

Comment 10

4 months ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67

Arai, did you want to nominate this for Beta uplift to help the fuzzers?

Flags: needinfo?(arai.unmht)
Flags: in-testsuite+
Assignee

Comment 12

4 months ago

Comment on attachment 9044070 [details]
Bug 1527768 - Report dead object in unhandled rejections set properly. r?jandem

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: Bug 1517868
  • User impact if declined: Fuzzing team may hit this while testing on beta.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a js-shell-only fix. It doesn't affect Firefox.
  • String changes made/needed:
Flags: needinfo?(arai.unmht)
Attachment #9044070 - Flags: approval-mozilla-beta?

Comment on attachment 9044070 [details]
Bug 1527768 - Report dead object in unhandled rejections set properly. r?jandem

Fix for potential crash, should help beta fuzzing.
OK for uplift to beta 12.

Attachment #9044070 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment 14

4 months ago

Tried to uplift this but got a conflict here:

grafting 527895:dc7e72c71d3a "Bug 1527768 - Report dead object in unhandled rejections set properly. r=jandem"
merging js/src/shell/js.cpp
warning: conflicts while merging js/src/shell/js.cpp! (edit, then use 'hg resolve --mark')
abort: unresolved conflicts, can't continue

Flags: needinfo?(arai.unmht)
Assignee

Comment 15

4 months ago

Here's the rebased patch.

Flags: needinfo?(arai.unmht)