Closed Bug 1654472 Opened 4 years ago Closed 4 years ago

Crash [@ js::GetOwnPropertyDescriptor] or Assertion failure: expando, at proxy/BaseProxyHandler.cpp:98

Categories: Core :: JavaScript Engine, defect, P2
Platform: x86_64 Linux
Status: VERIFIED FIXED
Target Milestone: mozilla80

Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox78 --- unaffected
firefox79 --- unaffected
firefox80 --- verified

People: Reporter: decoder, Assigned: mgaudet
References: Regression
Keywords: 4 keywords, Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 2 files

The following testcase crashes on mozilla-central revision 20200722-6dfc866efa7a (opt build, run with --fuzzing-safe --ion-offthread-compile=off):

lfSomeFunc = 42;                          // non-callable value wired in as the proxy's `set` trap
o = new Proxy({}, { set: lfSomeFunc });   // proxy for which no private-field expando was ever initialized
var privateName = newPrivateName('');     // shell-only testing function: mints a raw private name
o[privateName];                           // private-name get on the proxy -> BaseProxyHandler::getPrivate -> null deref

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555555968ed3 in js::GetOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::PropertyDescriptor>) ()
#1  0x0000555555841166 in js::BaseProxyHandler::getPrivate(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) const ()
#2  0x0000555555860fb5 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) ()
#3  0x000055555579a1b9 in Interpret(JSContext*, js::RunState&) ()
#4  0x0000555555792844 in js::RunScript(JSContext*, js::RunState&) ()
#5  0x00005555557a3b75 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#6  0x00005555558a8043 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#7  0x00005555556b5d7c in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#8  0x00005555556b5885 in Process(JSContext*, char const*, bool, FileKind) ()
#9  0x000055555568ed47 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#10 0x000055555568a2c4 in main ()
rax	0x0	0
rbx	0x7ffff4a350a0	140737297731744
rcx	0x7fffffffbe20	140737488338464
rdx	0x7fffffffc238	140737488339512
rsi	0x7fffffffbe58	140737488338520
rdi	0x7ffff6023000	140737320726528
rbp	0x7fffffffbe70	140737488338544
rsp	0x7fffffffbdf8	140737488338424
r8	0x7fffffffc238	140737488339512
r9	0x7ffff4a350a0	140737297731744
r10	0x7fffffffbeb8	140737488338616
r11	0x1b	27
r12	0x7fffffffc2a8	140737488339624
r13	0x55555762ed50	93825026682192
r14	0x7ffff6023000	140737320726528
r15	0x7fffffffc238	140737488339512
rip	0x555555968ed3 <js::GetOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::PropertyDescriptor>)+3>
=> 0x555555968ed3 <_ZN2js24GetOwnPropertyDescriptorEP9JSContextN2JS6HandleIP8JSObjectEENS3_INS2_11PropertyKeyEEENS2_13MutableHandleINS2_18PropertyDescriptorEEE+3>:	mov    (%rax),%rax
   0x555555968ed6 <_ZN2js24GetOwnPropertyDescriptorEP9JSContextN2JS6HandleIP8JSObjectEENS3_INS2_11PropertyKeyEEENS2_13MutableHandleINS2_18PropertyDescriptorEEE+6>:	mov    (%rax),%rax
Attached file Testcase
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200722043241-6dfc866efa7a.
The bug appears to have been introduced in the following build range:
> Start: 2f2cb7c9bcced2ec48d8fba6a369af03d1b46f64 (20200720214226)
> End: ab9768a4a9f3fedceb7ef9906343b26c44fafc20 (20200720201312)
> Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=2f2cb7c9bcced2ec48d8fba6a369af03d1b46f64&tochange=ab9768a4a9f3fedceb7ef9906343b26c44fafc20

Ah: this is a semantics problem revealed by the (fuzzing unsafe now that I see this) newPrivateName operation.

Assertion failure: expando, at /home/matthew/unified/js/src/proxy/BaseProxyHandler.cpp:98

We get this failure because we never did the initialization of the expando.

I'm probably going to remove newPrivateName for this.

Assignee: nobody → mgaudet
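For readers unfamiliar with the invariant mgaudet refers to, the following is an added example (not code from this bug or from SpiderMonkey) showing how real private fields behave on a Proxy: a private name is brand-checked on the receiver itself, it can be installed on a Proxy object only through a class field initializer (here via the "return override" pattern), and the proxy's get/set traps never observe it. The `Stamper`/`Base` class names and the `demo()` helper are hypothetical, constructed for this illustration.

```javascript
// Added example, not part of the bug report. Demonstrates private-field
// semantics on a Proxy: brand check on the receiver, no trap involvement.

// "Return override": the base constructor returns the object passed in, so the
// derived class's field initializers stamp #secret onto that object, even when
// it is a Proxy. This is the only way a private name reaches an object.
class Base {
  constructor(target) { return target; }
}

class Stamper extends Base {
  #secret = 'stamped';
  // PrivateFieldGet: throws TypeError unless `obj` itself carries #secret.
  static read(obj) { return obj.#secret; }
}

// Helper (constructed for this example): true if fn() throws a TypeError.
function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

function demo() {
  const trapLog = [];
  const target = {};
  const proxy = new Proxy(target, {
    get(t, key, receiver) { trapLog.push(`get ${String(key)}`); return Reflect.get(t, key, receiver); },
    set(t, key, value, receiver) { trapLog.push(`set ${String(key)}`); return Reflect.set(t, key, value, receiver); },
  });

  // 1. Before stamping, the private name is not present on the proxy: TypeError.
  const beforeThrows = throwsTypeError(() => Stamper.read(proxy));

  // 2. Stamp #secret onto the Proxy object (not its target) via return override.
  new Stamper(proxy);
  const afterValue = Stamper.read(proxy);          // 'stamped'
  const targetStillThrows = throwsTypeError(() => Stamper.read(target));

  // 3. Ordinary property access does go through the traps, for contrast.
  proxy.visible = 1;
  void proxy.visible;

  return { beforeThrows, afterValue, targetStillThrows, trapLog };
}

// Expected: beforeThrows true, afterValue 'stamped', targetStillThrows true,
// trapLog ['set visible', 'get visible'] with no entry for the private name.
demo();
```

Note that nothing in `trapLog` mentions `#secret`: private-name reads and writes are not proxy operations in the spec, which is why a shell function that mints a private name and hands it to ordinary `o[key]` syntax cannot satisfy the engine's expectations.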

A useful function during development, it no longer maintains the required
invariants and can be replaced with real private fields now that parser support
is implemented

Severity: -- → S3
Priority: -- → P2
Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1d71a3780a4f
Remove newPrivateName testing function r=anba
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Has Regression Range: --- → yes
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200722215545-1600e73bdd90.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
