1544364 - Assertion failure: slot < (((GetObjectClass(obj))->flags >> JSCLASS_RESERVED_SLOTS_SHIFT) & JSCLASS_RESERVED_SLOTS_MASK), at js/src/jsfriendapi.h:749

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 412447b6149e (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

function testDOMObjectSlot(global) {
    let domObject = new FakeDOMObject();
    let {object, transplant} = transplantableObject({object: domObject});
    transplant(global);
}
testDOMObjectSlot(evalcx("lazy"));

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::GetReservedSlot (obj=<optimized out>, slot=<optimized out>) at js/src/jsfriendapi.h:749
#1  0x00005555558441b2 in GetDOMPrototype (global=0x2e40f1987240) at js/src/shell/js.cpp:9825
#2  TransplantObject (cx=<optimized out>, cx@entry=0x7ffff5f19000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:8232
#3  0x00005555558ec249 in CallJSNative (cx=0x7ffff5f19000, native=native@entry=0x555555843b30 <TransplantObject(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:442
[...]
#17 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11369
rax	0x555557c6f320	93825033237280
rbx	0x0	0
rcx	0x555556b3a528	93825015194920
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffc4f0	140737488340208
rsp	0x7fffffffc4f0	140737488340208
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffffc680	140737488340608
r13	0x7fffffffc548	140737488340296
r14	0x7fffffffc560	140737488340320
r15	0x7fffffffc580	140737488340352
rip	0x55555585fa6d <js::GetReservedSlot(JSObject*, unsigned long)+109>
=> 0x55555585fa6d <js::GetReservedSlot(JSObject*, unsigned long)+109>:	movl   $0x0,0x0
   0x55555585fa78 <js::GetReservedSlot(JSObject*, unsigned long)+120>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ac1601914ac5
parent:      463359:b486ad6d8c06
user:        André Bargull
date:        Fri Oct 20 11:32:22 2017 +0100
summary:     Bug 1403679: Provide a shell testing function for JS_TransplantObject. r=jandem

This iteration took 2.749 seconds to run.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Andre, is bug 1403679 a likely regressor?

Comment 3

[André Bargull [:anba]]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)

Andre, is bug 1403679 a likely regressor?

Yes, I didn't handle the global-sandbox case correctly.

Comment 4

[André Bargull [:anba]]

Attachment: Bug 1544364: Throw an error when calling the transplant test-function on a sandbox global. r=jandem!

Comment 5

[André Bargull [:anba]]

Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=231137a3a8111c8235bfedfdf73b56585415aa51

Comment 6

[Pulsebot]

Pushed by csabou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4d2b87a7d2f9
Throw an error when calling the transplant test-function on a sandbox global. r=jandem

Comment 7

[Cristian Brindusan [:cbrindusan]]

https://hg.mozilla.org/mozilla-central/rev/4d2b87a7d2f9