Bug 1654472 - Crash [@ js::GetOwnPropertyDescriptor] or Assertion failure: expando, at proxy/BaseProxyHandler.cpp:98
Status: VERIFIED FIXED (Closed)
Opened 4 years ago; Closed 4 years ago
Product / Component: Core :: JavaScript Engine (defect, P2)
Target Milestone: mozilla80
Version | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox-esr78 | --- | unaffected
firefox78 | --- | unaffected
firefox79 | --- | unaffected
firefox80 | --- | verified
People: Reporter: decoder, Assigned: mgaudet
References: Regression
Details: 4 keywords, Whiteboard: [bugmon:update,bisected,confirmed]
Crash Data
Attachments: 2 files
The following testcase crashes on mozilla-central revision 20200722-6dfc866efa7a (opt build, run with --fuzzing-safe --ion-offthread-compile=off):
lfSomeFunc = 42;
o = new Proxy({}, { set: lfSomeFunc });
var privateName = newPrivateName('');
o[privateName];
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555555968ed3 in js::GetOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::PropertyDescriptor>) ()
#1 0x0000555555841166 in js::BaseProxyHandler::getPrivate(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) const ()
#2 0x0000555555860fb5 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) ()
#3 0x000055555579a1b9 in Interpret(JSContext*, js::RunState&) ()
#4 0x0000555555792844 in js::RunScript(JSContext*, js::RunState&) ()
#5 0x00005555557a3b75 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#6 0x00005555558a8043 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#7 0x00005555556b5d7c in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#8 0x00005555556b5885 in Process(JSContext*, char const*, bool, FileKind) ()
#9 0x000055555568ed47 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#10 0x000055555568a2c4 in main ()
rax 0x0 0
rbx 0x7ffff4a350a0 140737297731744
rcx 0x7fffffffbe20 140737488338464
rdx 0x7fffffffc238 140737488339512
rsi 0x7fffffffbe58 140737488338520
rdi 0x7ffff6023000 140737320726528
rbp 0x7fffffffbe70 140737488338544
rsp 0x7fffffffbdf8 140737488338424
r8 0x7fffffffc238 140737488339512
r9 0x7ffff4a350a0 140737297731744
r10 0x7fffffffbeb8 140737488338616
r11 0x1b 27
r12 0x7fffffffc2a8 140737488339624
r13 0x55555762ed50 93825026682192
r14 0x7ffff6023000 140737320726528
r15 0x7fffffffc238 140737488339512
rip 0x555555968ed3 <js::GetOwnPropertyDescriptor(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::PropertyDescriptor>)+3>
=> 0x555555968ed3 <_ZN2js24GetOwnPropertyDescriptorEP9JSContextN2JS6HandleIP8JSObjectEENS3_INS2_11PropertyKeyEEENS2_13MutableHandleINS2_18PropertyDescriptorEEE+3>: mov (%rax),%rax
0x555555968ed6 <_ZN2js24GetOwnPropertyDescriptorEP9JSContextN2JS6HandleIP8JSObjectEENS3_INS2_11PropertyKeyEEENS2_13MutableHandleINS2_18PropertyDescriptorEEE+6>: mov (%rax),%rax
Comment 1 (Reporter) • 4 years ago
Updated • 4 years ago
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Comment 2 • 4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200722043241-6dfc866efa7a.
The bug appears to have been introduced in the following build range:
> Start: 2f2cb7c9bcced2ec48d8fba6a369af03d1b46f64 (20200720214226)
> End: ab9768a4a9f3fedceb7ef9906343b26c44fafc20 (20200720201312)
> Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=2f2cb7c9bcced2ec48d8fba6a369af03d1b46f64&tochange=ab9768a4a9f3fedceb7ef9906343b26c44fafc20
Updated • 4 years ago
status-firefox78: --- → wontfix
status-firefox79: --- → wontfix
status-firefox-esr78: --- → affected
Comment 3 (Assignee) • 4 years ago
Ah: this is a semantics problem revealed by the (fuzzing unsafe now that I see this) newPrivateName operation.
Assertion failure: expando, at /home/matthew/unified/js/src/proxy/BaseProxyHandler.cpp:98
We get this failure because we never did the initialization of the expando.
I'm going to probably remove newPrivateName for this.
Assignee: nobody → mgaudet
Comment 4 (Assignee) • 4 years ago
A useful function during development, it no longer maintains the required invariants and can be replaced with real private fields now that parser support is implemented.
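The "required invariants" the assignee refers to are the ones real private fields enforce at the language level: a private field can only be read on an object that has actually been initialised with it, and it can only be initialised once. The removed newPrivateName() shell helper let a script look up a private name on a Proxy that had never been stamped, which is why the expando was never created. The following is an added example (not code from the bug, the reporter, or SpiderMonkey) that shows the same shape of access with standard class syntax, using the "return override" trick to run a private-field initialiser against a Proxy receiver. The class and function names are illustrative.

```javascript
// Added example: real private fields on a Proxy receiver, as a stand-in for the
// removed newPrivateName() shell helper. Runs in any engine with class fields.

class Base {
  // Return override: the constructor returns an arbitrary object, so a
  // subclass's private-field initialisers run against that object instead
  // of a freshly allocated instance. Passing a Proxy here is the interesting
  // case: the private field has to be attached to the proxy itself.
  constructor(target) {
    return target;
  }
}

class Stamper extends Base {
  // Only initialised by running the Stamper constructor on the receiver.
  #secret = 42;

  static read(obj) {
    return obj.#secret;
  }
}

// Read the private field and report what happened instead of throwing, so
// the outcomes can be compared without a try/catch at every call site.
function readPrivate(obj) {
  try {
    return { ok: true, value: Stamper.read(obj) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Attempt a second initialisation on the same object.
function stampTwice(obj) {
  try {
    new Stamper(obj);
    return "ok";
  } catch (e) {
    return e.constructor.name;
  }
}

// Same non-callable `set` trap as the reporter's testcase. It is never
// invoked: private-field definition and lookup do not go through proxy traps,
// so the handler's contents are irrelevant to what follows.
const proxy = new Proxy({}, { set: 42 });

// 1. Nothing has been initialised on the proxy yet. Unlike the removed helper,
//    the language refuses the read with a TypeError rather than consulting a
//    storage slot that does not exist.
const before = readPrivate(proxy); // { ok: false, error: "TypeError" }

// 2. Run the initialiser against the proxy via return override; the engine
//    now has somewhere to store #secret for this receiver, and the read works.
new Stamper(proxy);
const after = readPrivate(proxy); // { ok: true, value: 42 }

// 3. Initialising the same field twice on one object is also rejected.
const again = stampTwice(proxy); // "TypeError"

// 4. An unrelated object that was never stamped is still rejected, even
//    though the class has been used before.
const other = readPrivate({}); // { ok: false, error: "TypeError" }
```

The point of the example is the order of checks: the uninitialised read (step 1) fails before any engine-internal bookkeeping is touched, which is exactly the check a hand-rolled private-name lookup on a proxy skipped.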
Updated • 4 years ago
Severity: -- → S3
Priority: -- → P2
Comment 5 • 4 years ago
Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1d71a3780a4f
Remove newPrivateName testing function r=anba
Comment 6 (bugherder) • 4 years ago
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Updated • 4 years ago
status-firefox-esr68:
--- → unaffected
Regressed by: 1644160
Updated • 4 years ago
Has Regression Range: --- → yes
Comment 7 • 4 years ago
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200722215545-1600e73bdd90. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.