1718027 - Assertion failure: isObject(), at js/Value.h:776 or Crash [@ JS_GetProperty]

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20210624-9b2ffc8e8505 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

function b(c) {
  compileToStencil(c, new.target);
}
b();

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555556a68aef in JS::Value::toObject() const ()
#0  0x0000555556a68aef in JS::Value::toObject() const ()
#1  0x000055555717ccc7 in CompileToStencil(JSContext*, unsigned int, JS::Value*) ()
#2  0x0000555556bf19f1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#3  0x0000555556bf1126 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#4  0x0000555556bf2561 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#5  0x0000555556be64bd in Interpret(JSContext*, js::RunState&) ()
#6  0x0000555556bdde71 in js::RunScript(JSContext*, js::RunState&) ()
#7  0x0000555556bf3c96 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#8  0x0000555556bf41c4 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#9  0x0000555556dd50ef in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#10 0x0000555556dd52ea in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#11 0x0000555556abeae5 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#12 0x0000555556abe170 in Process(JSContext*, char const*, bool, FileKind) ()
#13 0x0000555556a655bb in Shell(JSContext*, js::cli::OptionParser*) ()
#14 0x0000555556a5ccb2 in main ()
rax	0x5555558a4a71	93824995707505
rbx	0x7fffffffbd90	140737488338320
rcx	0x5555580dbcb8	93825037876408
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffbd50	140737488338256
rsp	0x7fffffffbd50	140737488338256
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7fffffffbd90	140737488338320
r13	0xaaaaaaaaaaaaaaaa	-6148914691236517206
r14	0x7ffff4ef1150	140737302696272
r15	0x7ffff6019000	140737320685568
rip	0x555556a68aef <JS::Value::toObject() const+175>
=> 0x555556a68aef <_ZNK2JS5Value8toObjectEv+175>:	movl   $0x308,0x0
   0x555556a68afa <_ZNK2JS5Value8toObjectEv+186>:	callq  0x555556ae8a6a <abort>

Very likely a shell-only problem with that function.

Comment 1

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 2

[Christian Holler (:decoder)]

This is happening frequently, marking as fuzzblocker.

Comment 3

[Tooru Fujisawa [:arai]]

Thanks!

Given this is in testing functions, the function is available only in shell and chrome-priv code (via Cu.getJSTestingFunctions()).
not exploitable from web-content.

Comment 5

[Tooru Fujisawa [:arai]]

Attachment: Bug 1718027 - Check the argument type in stencil testing functions. r?tcampbell!

Comment 6

[Pulsebot]

Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/91fcff83e84e
Check the argument type in stencil testing functions. r=jandem

Comment 7

[Marian-Vasile Laza]

https://hg.mozilla.org/mozilla-central/rev/91fcff83e84e

Comment 8

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210707215219-7dca70384eb6.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

:arai, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.