Closed Bug 1688624 Opened 5 years ago Closed 5 years ago

Assertion failure: obj->is<NonSyntacticVariablesObject>() || !obj->is<EnvironmentObject>(), at vm/JSObject.cpp:3064 with evalReturningScope

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
87 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox85 --- wontfix
firefox86 --- wontfix
firefox87 --- verified

People

(Reporter: decoder, Assigned: tcampbell)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20210124-63534c66d7b8 (debug build, run with --fuzzing-safe --no-threads):

function v1() {}
v10 = evalReturningScope(v1);
v11 = v10.lexicals.getOwnPropertySymbols()

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555556eab4ed in js::GetThisObject(JSObject*) ()
#0  0x0000555556eab4ed in js::GetThisObject(JSObject*) ()
#1  0x0000555556b97f6a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#2  0x0000555556b8b4c4 in Interpret(JSContext*, js::RunState&) ()
#3  0x0000555556b82198 in js::RunScript(JSContext*, js::RunState&) ()
#4  0x0000555556b997b6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#5  0x0000555556b99d9d in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#6  0x0000555556d4b952 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#7  0x0000555556d4bb0e in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#8  0x0000555556a6373c in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#9  0x0000555556a62d12 in Process(JSContext*, char const*, bool, FileKind) ()
#10 0x0000555556a08a96 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#11 0x0000555556a00a7f in main ()

My guess is that this is a shell-only problem with the helper involved.

Attached file Testcase

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210125154208-130c2c4e36d6.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: c0fa6d007c58437398cc06a97d221c42d41dcf9e (20200127093737)
End: 63534c66d7b813bf04d9753d942f59984c05b8a9 (20210124215058)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

Right, the bug is that the helper exposes a (non-syntactic) LexicalEnvironmentObject, and the script then tries to call a nonexistent method on that environment object.

Either the assertion or the helper is wrong. I feel like the helper shouldn't exist. These environments aren't exactly meant to be exposed to scripts.

Jan, what do you think?

Severity: -- → S4
Flags: needinfo?(jdemooij)
Priority: -- → P1

Forwarding to Ted who has been looking into these weird scope/environment chains more recently.

Maybe this just shouldn't be exposed to fuzzing.

Flags: needinfo?(jdemooij) → needinfo?(tcampbell)

I will fix this by removing the .lexical property because we should not be exposing this environment to script ever. The Gecko callers do not do anything with this out-param other than keep it alive.

Assignee: nobody → tcampbell
Flags: needinfo?(tcampbell)

Stop exposing the LexicalEnvironmentObject to script, as we disallow that
everywhere else in the engine. The nsMessageManager code this test function
corresponds to does not expose it anywhere either.

Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5f99ce4b6790 Simplify evalReturningScope shell function. r=jandem
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210129095132-2610d2d33a73.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

:tcampbell, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(tcampbell)

Sorry, wrong needinfo because of a bug in the bot.

Flags: needinfo?(tcampbell)