Closed Bug 1700576 Opened 4 years ago Closed 4 years ago

Assertion failure: propShape.isDataProperty(), at vm/PlainObject.cpp:75

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1700525
Tracking Status
firefox88 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 20210324-768e04aaea52 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

// Descriptor with only a setter: the defined property becomes an accessor property.
a = {
  set() {}
};
// Replace the built-in data property Object.prototype.propertyIsEnumerable with that accessor.
Object.defineProperty(Object.prototype, "propertyIsEnumerable", a);
b = { c: 0 };
// Object.assign takes the JS_AssignObject fast path (see backtrace), which asserts
// that the objects involved carry no accessor properties, and the debug build aborts.
Object.assign({}, b);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556f04d0d in js::PlainObject::assertHasNoNonWritableOrAccessorPropExclProto() const ()
#1  0x0000555556c40049 in JS_AssignObject(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>) ()
#2  0x0000555556c5afb1 in obj_assign(JSContext*, unsigned int, JS::Value*) ()
#3  0x0000555556b88791 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#4  0x0000555556b87ed0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#5  0x0000555556b892f1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#6  0x0000555556b7cb5d in Interpret(JSContext*, js::RunState&) ()
[...]
#14 0x00005555569ffa66 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#15 0x00005555569f7972 in main ()
rip	0x555556f04d0d <js::PlainObject::assertHasNoNonWritableOrAccessorPropExclProto() const+477>
=> 0x555556f04d0d <_ZNK2js11PlainObject45assertHasNoNonWritableOrAccessorPropExclProtoEv+477>:	movl   $0x4b,0x0
   0x555556f04d18 <_ZNK2js11PlainObject45assertHasNoNonWritableOrAccessorPropExclProtoEv+488>:	callq  0x555556a8180f <abort>

Marking s-s until investigated.

Attached file Testcase

Same issue as bug 1700525.

Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Bugmon Analysis:
No valid actions for resolution (DUPLICATE)
The bug appears to have been fixed in the following build range:

Start: 75b000d18d036c37d4a59f9fc83be9da8a27bcbe (20210324065751)
End: 3be60f42358afa252f4e8fba01baba156dbd7ffe (20210324065830)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=75b000d18d036c37d4a59f9fc83be9da8a27bcbe&tochange=3be60f42358afa252f4e8fba01baba156dbd7ffe
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected]