Closed Bug 1634845 Opened 4 years ago Closed 4 years ago

Assertion failure: cx->runtime()->getElementCallback, at vm/JSScript.cpp:1761 or Crash [@ js::ScriptSourceObject::unwrappedElement] with Debugger

Categories: Core :: JavaScript Engine
Type: defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Status: VERIFIED FIXED (mozilla77)
Tracking Status:
firefox-esr68 --- unaffected
firefox75 --- unaffected
firefox76 --- unaffected
firefox77 --- verified

People: Reporter: decoder, Assigned: denispal
References: Regression
Keywords: assertion, regression, testcase
Whiteboard: [bugmon:update,bisect][fuzzblocker]
Attachments: 1 file

The following testcase crashes on mozilla-central revision 20200501-0f9c5a59e45d (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

evalInWorker(`
  var g94 = newGlobal({newCompartment: true});
  var dbg = new Debugger;
  var gw = dbg.addDebuggee(g94);
  g94.evaluate("function f(x) { return 2*x; }", {element: { foo: "bar" }});
  var fw = gw.getOwnPropertyDescriptor('f').value;
  assertEq(typeof fw.script.source.element, "object");
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555555ca81d5 in js::ScriptSourceObject::unwrappedElement(JSContext*) const ()
#1  0x00005555560ad499 in js::DebuggerSource::CallData::getElement() ()
#2  0x00005555560afc91 in bool js::DebuggerSource::CallData::ToNative<&js::DebuggerSource::CallData::getElement>(JSContext*, unsigned int, JS::Value*) ()
#3  0x000055555591a712 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#4  0x0000555555919fe9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#5  0x000055555591c636 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#6  0x0000555555cf93cc in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#7  0x0000555555cfa163 in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#8  0x00005555557f7e28 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) ()
#9  0x000055555592092f in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#10 0x000055555590c0f9 in Interpret(JSContext*, js::RunState&) ()
[...]
#19 0x00007ffff6c3e41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x555556f739bc	93825019623868
rbx	0x7ffff4be1000	140737299484672
rcx	0x555557fdb908	93825036826888
rdx	0x0	0
rsi	0x7ffff6efd770	140737336301424
rdi	0x7ffff6efc540	140737336296768
rbp	0x7ffff6765ac0	140737328339648
rsp	0x7ffff6765a70	140737328339568
r8	0x7ffff6efd770	140737336301424
r9	0x7ffff6767700	140737328346880
r10	0x58	88
r11	0x7ffff6ba47a0	140737332791200
r12	0xfff9800000000000	-1829587348619264
r13	0x7ffff6765a70	140737328339568
r14	0x7ffff6765a80	140737328339584
r15	0x7ffff4be7000	140737299509248
rip	0x555555ca81d5 <js::ScriptSourceObject::unwrappedElement(JSContext*) const+501>
=> 0x555555ca81d5 <_ZNK2js18ScriptSourceObject16unwrappedElementEP9JSContext+501>:	movl   $0x6e1,0x0
   0x555555ca81e0 <_ZNK2js18ScriptSourceObject16unwrappedElementEP9JSContext+512>:	callq  0x555555824c96 <abort>
Attached file Testcase

This also crashes and it is fairly frequent, marking as fuzzblocker.

Crash Signature: [@ js::ScriptSourceObject::unwrappedElement]
Summary: Assertion failure: cx->runtime()->getElementCallback, at vm/JSScript.cpp:1761 with Debugger → Assertion failure: cx->runtime()->getElementCallback, at vm/JSScript.cpp:1761 or Crash [@ js::ScriptSourceObject::unwrappedElement] with Debugger
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect][fuzzblocker]
Regressed by: 1501608
Has Regression Range: --- → yes
Assignee: nobody → dpalmeiro

I did not realize the JS shell can create more than 1 runtime. I have a fix for this that will be pushed as part of the original patch.
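The cause named in the comment above (evalInWorker creates a second JS runtime, and the element callback was only ever installed on the first one) can be modelled in a few lines of C. This is an added illustration written for this page, not SpiderMonkey code and not the fix that later landed with bug 1501608, which is not shown here: the Runtime type, the hook name and the sample values are invented. It contrasts the crashing shape (assert the per-runtime hook is present, then call through it) with a getter that treats a missing hook as an ordinary "no element" answer, so a worker runtime that never had the hook installed neither trips an assertion in a debug build nor calls through NULL in a release build.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a per-runtime host hook, written for this page as an
 * illustration. The type and function names are invented and are not
 * SpiderMonkey's; they only mirror the shape of the failure: a callback
 * pointer stored on the runtime that the embedding installs once, on the
 * runtime it knows about. */
typedef const char *(*GetElementCallback)(const char *source_name);

typedef struct Runtime {
    const char *name;
    GetElementCallback getElementCallback; /* NULL until the embedding installs one */
} Runtime;

/* Constructed sample hook standing in for the browser/shell embedding. */
static const char *sample_get_element(const char *source_name) {
    (void)source_name;
    return "<script>";
}

static Runtime *runtime_create(const char *name) {
    Runtime *rt = calloc(1, sizeof *rt); /* calloc: the hook starts out NULL */
    if (!rt) abort();
    rt->name = name;
    return rt;
}

/* A worker runtime is created from its parent but, as in the bug, inherits
 * nothing from it: only the main runtime ever had the hook installed. */
static Runtime *runtime_create_worker(const Runtime *parent) {
    (void)parent;
    return runtime_create("worker");
}

static void runtime_set_element_callback(Runtime *rt, GetElementCallback cb) {
    rt->getElementCallback = cb;
}

/* Hardened getter: a missing hook is a normal "no element" result rather
 * than a fatal invariant. Returns 1 and sets *out when the hook answered,
 * 0 with *out = NULL when this runtime has no hook installed. The crashing
 * shape on this page instead asserted the hook was non-NULL and then called
 * through it unconditionally. */
static int unwrapped_element(const Runtime *rt, const char *source_name,
                             const char **out) {
    if (rt->getElementCallback == NULL) {
        *out = NULL;
        return 0;
    }
    *out = rt->getElementCallback(source_name);
    return 1;
}

int main(void) {
    Runtime *main_rt = runtime_create("main");
    runtime_set_element_callback(main_rt, sample_get_element);
    Runtime *worker = runtime_create_worker(main_rt);

    const Runtime *rts[] = { main_rt, worker };
    for (size_t i = 0; i < sizeof rts / sizeof rts[0]; i++) {
        const char *element = NULL;
        int ok = unwrapped_element(rts[i], "f", &element);
        printf("%s runtime: %s\n", rts[i]->name,
               ok ? element : "no element callback, returning null");
    }

    free(worker);
    free(main_rt);
    return 0;
}
```

The other way to close the same gap is to make runtime creation install the hook on every runtime, workers included; either way the invariant "every runtime has the hook" must be established where runtimes are created, not assumed at the point of use.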

Hi Denis, since it looks like 1501608 was backed out can we close this one out?

Flags: needinfo?(dpalmeiro)

Yes, a fix for this should also be in next time I push 1501608.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(dpalmeiro)
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200518152416-a627b6676824.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.