Assertion failure: isInt32(), at js/Value.h:724 with FakeDOMObject and transplanting
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox81 | --- | unaffected |
| firefox82 | --- | wontfix |
| firefox83 | --- | verified |
People
(Reporter: decoder, Assigned: evilpie)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20201011-725180017480 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):
function it(obj) {
for (i20 in obj)
obj[i20]
}
let {object: source, transplant} = transplantableObject({object: new FakeDOMObject()});
transplant(this);
for (i20 in source)
source[i20]
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555556be6c9d in dom_get_slot(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) ()
#1 0x0000555556be61d9 in dom_genericGetter(JSContext*, unsigned int, JS::Value*) ()
#2 0x0000555556d1b4d2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#3 0x0000555556d1abac in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#4 0x0000555556d1c3d4 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#5 0x0000555556d1d421 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#6 0x00005555570a6241 in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#7 0x00005555570a7010 in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#8 0x0000555556d31fd0 in js::GetObjectElementOperation(JSContext*, JSOp, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#9 0x0000555556d0e898 in Interpret(JSContext*, js::RunState&) ()
[...]
#18 0x0000555556b8293d in main ()
rax 0x555555926dec 93824996240876
rbx 0x7fffffffb9b8 140737488337336
rcx 0x55555855b0f0 93825042591984
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffb7a0 140737488336800
rsp 0x7fffffffb7a0 140737488336800
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99e00 140737353719296
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0x7fffffffb7b0 140737488336816
r13 0x7fffffffb990 140737488337296
r14 0x7ffff6027000 140737320742912
r15 0x1234 4660
rip 0x555556be6c9d <dom_get_slot(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs)+285>
=> 0x555556be6c9d <_ZL12dom_get_slotP9JSContextN2JS6HandleIP8JSObjectEEPv19JSJitGetterCallArgs+285>: movl $0x2d4,0x0
0x555556be6ca8 <_ZL12dom_get_slotP9JSContextN2JS6HandleIP8JSObjectEEPv19JSJitGetterCallArgs+296>: callq 0x555556c11c36 <abort>
Marking s-s as it might indicate a type confusion.
|
Reporter | |
Comment 1•4 years ago
|
||
|
||
Comment 2•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201011093320-725180017480.
The bug appears to have been introduced in the following build range:
Start: d281ed9906a8f0e143239e31a1afad48f6c96617 (20200916153738)
End: 5f3283738794b92abcb827bdbb1fbb6b5d56e307 (20200917100940)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d281ed9906a8f0e143239e31a1afad48f6c96617&tochange=5f3283738794b92abcb827bdbb1fbb6b5d56e307
|
|
||
Comment 3•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201011093320-725180017480.
The bug appears to have been introduced in the following build range:
Start: d281ed9906a8f0e143239e31a1afad48f6c96617 (20200916153738)
End: 5f3283738794b92abcb827bdbb1fbb6b5d56e307 (20200917100940)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d281ed9906a8f0e143239e31a1afad48f6c96617&tochange=5f3283738794b92abcb827bdbb1fbb6b5d56e307
|
||
Comment 4•4 years ago
|
||
Tom, I presume these error might be related to Bug 1664617.
|
||
Updated•4 years ago
|
|
Assignee | |
Comment 5•4 years ago
|
||
Seems like we need to transplant the new slot DOM_OBJECT_SLOT2 as well. This should be shell only.
|
|
Assignee | |
Comment 6•4 years ago
|
||
|
||
Updated•4 years ago
|
|
||
Comment 7•4 years ago
|
||
Set release status flags based on info from the regressing bug 1664617
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
Pushed by evilpies@gmail.com: https://hg.mozilla.org/integration/autoland/rev/9215211fa102 Transplant DOM_OBJECT_SLOT2 in shell. r=jandem
|
||
Comment 9•4 years ago
|
||
| bugherder | ||
|
|
||
Comment 10•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201013214351-d95aab08e480.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Description
•