1538542 - Assertion failure: wrapper->is<WrapperObject>(), at js/src/proxy/Wrapper.cpp:292

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 59e55930dc0f (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var lfOffThreadGlobal = newGlobal();
nukeAllCCWs();
const thisGlobal = this;
const otherGlobalNewCompartment = newGlobal({
    newCompartment: true
});
let { transplant } = transplantableObject();
transplant(otherGlobalNewCompartment);
transplant(thisGlobal);

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::Wrapper::wrappedObject (wrapper=<optimized out>) at js/src/proxy/Wrapper.cpp:292
#0  js::Wrapper::wrappedObject (wrapper=<optimized out>) at js/src/proxy/Wrapper.cpp:292
#1  0x0000555555e0e882 in JS_TransplantObject (cx=<optimized out>, origobj=..., target=...) at js/src/jsapi.cpp:740
#2  0x0000555555842410 in TransplantObject (cx=<optimized out>, cx@entry=0x7ffff5f17000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:8201
#3  0x00005555558ef239 in CallJSNative (cx=0x7ffff5f17000, native=0x555555841d20 <TransplantObject(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:442
[...]
#17 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11260
rax	0x555557c20240	93825032913472
rbx	0x30c02e8df040	53601972908096
rcx	0x555556b88ed8	93825015516888
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffc2e0	140737488339680
rsp	0x7fffffffc2a0	140737488339616
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffffc5c0	140737488340416
r13	0x555556c44368	93825016284008
r14	0x7fffffffc3c0	140737488339904
r15	0x7ffff5f17000	140737319628800
rip	0x555555e492d3 <js::Wrapper::wrappedObject(JSObject*)+83>
=> 0x555555e492d3 <js::Wrapper::wrappedObject(JSObject*)+83>:	movl   $0x0,0x0
   0x555555e492de <js::Wrapper::wrappedObject(JSObject*)+94>:	ud2

This could be shell-only if it is a problem with the new transplant native itself, but I'm marking it s-s just to be sure, since nukeCCWs is involved as well.

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ac1601914ac5
parent:      463359:b486ad6d8c06
user:        André Bargull
date:        Fri Oct 20 11:32:22 2017 +0100
summary:     Bug 1403679: Provide a shell testing function for JS_TransplantObject. r=jandem

This iteration took 515.866 seconds to run.

Comment 2

[André Bargull [:anba]]

Attachment: Bug 1538542: Report an error in the transplant testing function when new wrappers can't be created. r=jandem!

And also assert this case can't happen in the browser case.

Comment 3

[André Bargull [:anba]]

Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=6ecbfb8a70a49283b05b77f74278e959ac942e54

Comment 4

[Pulsebot]

Pushed by nbeleuzu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6eb87c9264c1
Report an error in the transplant testing function when new wrappers can't be created. r=jandem

Comment 5

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/6eb87c9264c1