Bug 1703782 - Assertion failure: this->is<T>(), at vm/JSObject.h:467
Opened 3 years ago; closed 3 years ago
Status: RESOLVED FIXED
Product / Component: Core :: JavaScript Engine (defect)
Target Milestone: 89 Branch
Branch | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox87 | --- | unaffected
firefox88 | --- | unaffected
firefox89 | --- | fixed
People: Reporter: decoder; Unassigned
Keywords: assertion, testcase
Attachments (1 file): 214 bytes, text/plain

Description
The following testcase crashes on mozilla-try revision 20210407-2ee8c0094235 (debug build, run with --fuzzing-safe --no-threads --enable-private-methods):
var g7 = newGlobal({newCompartment: true});
g7.parent = this;
g7.eval(`
  Debugger(parent).onEnterFrame = function(frame) {
    let v = frame.environment.getVariable('var0');
  };
`);
class C144252 {
  static #x;
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555556d584e5 in js::DebugEnvironments::takeFrameSnapshot(JSContext*, JS::Handle<js::DebugEnvironmentProxy*>, js::AbstractFramePtr) ()
#1 0x0000555556d596fb in void js::DebugEnvironments::onPopGeneric<js::ScopedLexicalEnvironmentObject, js::ClassBodyScope>(JSContext*, js::EnvironmentIter const&) ()
#2 0x0000555556d5925e in js::DebugEnvironments::onPopLexical(JSContext*, js::AbstractFramePtr, unsigned char*) ()
#3 0x0000555556b84451 in Interpret(JSContext*, js::RunState&) ()
#4 0x0000555556b74ac1 in js::RunScript(JSContext*, js::RunState&) ()
#5 0x0000555556b8bc0e in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#6 0x0000555556b8c144 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#7 0x0000555556d39cad in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#8 0x0000555556d39eae in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#9 0x0000555556a58c1c in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#10 0x0000555556a581f2 in Process(JSContext*, char const*, bool, FileKind) ()
#11 0x0000555556a00c76 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#12 0x00005555569f8531 in main ()
rip 0x555556d584e5 <js::DebugEnvironments::takeFrameSnapshot(JSContext*, JS::Handle<js::DebugEnvironmentProxy*>, js::AbstractFramePtr)+2741>
=> 0x555556d584e5 <_ZN2js17DebugEnvironments17takeFrameSnapshotEP9JSContextN2JS6HandleIPNS_21DebugEnvironmentProxyEEENS_16AbstractFramePtrE+2741>: movl $0x1d3,0x0
0x555556d584f0 <_ZN2js17DebugEnvironments17takeFrameSnapshotEP9JSContextN2JS6HandleIPNS_21DebugEnvironmentProxyEEENS_16AbstractFramePtrE+2752>: callq 0x555556a82bdf <abort>
This is from patch testing, not on central yet.
Comment 1 • Reporter • 3 years ago

Updated • Reporter • 3 years ago
Flags: needinfo?(mgaudet)

Comment 2 • 3 years ago
Thanks!

Missing handling in the Debugger for the new ClassBodyLexicalEnvironmentObject in Part 4! Easy fix, and I audited for any other missing cases.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(mgaudet)
Resolution: --- → FIXED
Updated • 3 years ago
status-firefox87: --- → unaffected
status-firefox88: --- → unaffected
status-firefox89: --- → fixed
status-firefox-esr78: --- → unaffected
Target Milestone: --- → 89 Branch