Assertion failure: !JS_IsDeadWrapper(origTarget) (We don't want a dead proxy in the wrapper map), at js/src/proxy/CrossCompartmentWrapper.cpp:549
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox66 | --- | wontfix |
| firefox67 | --- | wontfix |
| firefox68 | --- | fixed |
People
(Reporter: gkw, Assigned: jandem)
References
Details
(4 keywords, Whiteboard: [jsbugmon:])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 9067457d7dcf (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion --more-compartments):
// Adapted from randomly chosen test: js/src/jit-test/tests/realms/nuking.js
evalcx("var x = newGlobal({ sameCompartmentAs: newGlobal({ newCompartment: true }) });" +
'x.evaluate("(" + function () { nukeAllCCWs(); } + ")()"); x;',
newGlobal()
);
// jsfunfuzz-generated
recomputeWrappers();
Backtrace:
#0 js::RemapWrapper (cx=0x7f0d3ea17000, wobjArg=<optimized out>, newTargetArg=<optimized out>) at js/src/proxy/CrossCompartmentWrapper.cpp:548
#1 0x00005611229e4d41 in js::RecomputeWrappers (cx=0x7f0d3ea17000, sourceFilter=..., targetFilter=warning: RTTI symbol not found for class 'RecomputeWrappers(JSContext*, unsigned int, JS::Value*)::SingleOrAllCompartments'
...) at js/src/proxy/CrossCompartmentWrapper.cpp:676
#2 0x0000561122335478 in RecomputeWrappers (cx=0x7f0d3ea17000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:6286
#3 0x00005611223d4285 in CallJSNative (cx=0x7f0d3ea17000, native=0x5611223352d0 <RecomputeWrappers(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:442
/snip
For detailed crash information, see attachment.
Setting s-s as a start as this involves compartments.
|
Reporter | |
Comment 1•5 years ago
|
||
|
|
Reporter | |
Comment 2•5 years ago
|
||
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/343c194c1a08
user: Jan de Mooij
date: Wed Sep 19 11:42:45 2018 +0200
summary: Bug 1492406 - Add a recomputeWrappers function to the JS shell for js::RecomputeWrappers. r=jonco
Jan, is bug 1492406 a likely regressor?
|
||
Comment 3•5 years ago
|
||
Is ObjectValue() on a dead wrapper going to be anything questionable?
|
||
Updated•5 years ago
|
|
|
||
Comment 4•5 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
||
Comment 5•5 years ago
|
||
Is this something web content could even do? New compartment (iframe?) and then nuke wrappers?
|
Assignee | |
Comment 6•5 years ago
|
||
This should be safe and it actually can't happen in the browser, because XPConnect's PreWrap callback refuses to create a CCW for dead wrappers:
Moving that check into the JS engine fixes this and it has been on my list for a while to get consistent behavior everywhere.
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 7•5 years ago
|
||
This ensures the JS shell and browser behave the same way and it's nice for fuzzing.
|
||
Updated•5 years ago
|
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/116b9cd070f2 Move more of XPConnect's PreWrap code into the JS engine. r=kmag
|
||
Comment 9•5 years ago
|
||
| bugherder | ||
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
Description
•