Closed Bug 1546233 Opened 5 years ago Closed 5 years ago

Crash [@ js::ContextChecks::check] with evalcx and transplant

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1544364
Tracking Status
firefox68 --- fix-optional

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

The following testcase crashes on mozilla-central revision b783cd5203ea (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-offthread-compile=off):

x = evalcx('');
let { transplant } = transplantableObject({ object: new FakeDOMObject() });
transplant(x);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::ContextChecks::check (argIndex=0, obj=0x7800000000000, this=0x7fffffffc890) at js/src/vm/JSContext-inl.h:73
#1  JSContext::checkImpl<JS::Handle<JSObject*>>(int, JS::Handle<JSObject*> const&) (head=<synthetic pointer>, argIndex=0, this=0x7ffff5f27000) at js/src/vm/JSContext-inl.h:184
#2  JSContext::check<JS::Handle<JSObject*> > (this=0x7ffff5f27000) at js/src/vm/JSContext-inl.h:192
#3  JS_CloneObject (cx=0x7ffff5f27000, obj=..., protoArg=...) at js/src/jsfriendapi.cpp:575
#4  0x0000555555813876 in TransplantObject (cx=0x7ffff5f27000, argc=<optimized out>, vp=0x7ffff4ddf0a0) at js/src/shell/js.cpp:8240
#5  0x000055555588bad1 in CallJSNative (args=..., native=0x5555558135b0 <TransplantObject(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff5f27000) at js/src/vm/Interpreter.cpp:442
[...]
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11369
rax	0x7800000000000	2111062325329920
rbx	0x7ffff4ddf0a0	140737301573792
rcx	0x7ffff4ea5000	140737302384640
rdx	0x7fffffffc9a0	140737488341408
rsi	0x7fffffffc960	140737488341344
rdi	0x7ffff5f27000	140737319694336
rbp	0x7ffff5f27020	140737319694368
rsp	0x7fffffffc890	140737488341136
r8	0xfffdffffffffffff	-562949953421313
r9	0xfffe000000000000	-562949953421312
r10	0x7ffff4ddf0b0	140737301573808
r11	0xfffc800000000000	-985162418487296
r12	0x7fffffffc950	140737488341328
r13	0x7ffff5f27000	140737319694336
r14	0x1	1
r15	0x7fffffffc9b0	140737488341424
rip	0x555555c50125 <JS_CloneObject(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>)+53>
=> 0x555555c50125 <JS_CloneObject(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>)+53>:	mov    (%rax),%rdx
   0x555555c50128 <JS_CloneObject(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>)+56>:	mov    0x10(%rdx),%rdx

This is likely some kind of bad interaction between transplant and evalcx and hence shell-only.

If this is shell-only I'll treat it as fix-optional for 68.

Duplicate of bug 1544364.

Test case now throws an error instead of crashing:

/tmp/k.js:3:1 Error: Can't get FakeDOMObject prototype in sandbox
Stack:
  @/tmp/k.js:3:1
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE