1742603 - Assertion failure: isObject(), at js/Value.h:779 or various crashes with Stencil helpers

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20211123-71332992f78f (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

a = compileToStencilXDR("");
instantiateModuleStencilXDR(a, 8);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556abc61f in JS::Value::toObject() const ()
#1  0x0000555556af6c21 in InstantiateModuleStencilXDR(JSContext*, unsigned int, JS::Value*) ()
#2  0x0000555556c6ccb0 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#14 0x0000555556ac33f3 in main ()
rax	0x5555558a9095	93824995725461
rbx	0xaaaaaaaaaaaaaaaa	-6148914691236517206
rcx	0x5555581a5020	93825038700576
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffbc00	140737488337920
rsp	0x7fffffffbc00	140737488337920
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7ffff6047218	140737320874520
r13	0x7ffff6047200	140737320874496
r14	0x7ffff4a8a0a8	140737298079912
r15	0xaaaaaaaaaaaaaaaa	-6148914691236517206
rip	0x555556abc61f <JS::Value::toObject() const+175>
=> 0x555556abc61f <_ZNK2JS5Value8toObjectEv+175>:	movl   $0x30b,0x0
   0x555556abc62a <_ZNK2JS5Value8toObjectEv+186>:	callq  0x555556b5a76b <abort>

Very likely an issue with these helper functions. This is fairly easy to trigger and should be resolved quickly.

Comment 1

[Christian Holler (:decoder)]

Attachment: Detailed Crash Information

Comment 2

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 3

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211123094249-71332992f78f.
The bug appears to have been introduced in the following build range:

Start: 89fb3b9477f682794ca2a67a2811a46c0da34bd0 (20210921150814)
End: 9254ffa981e5e5c778992efba6568af56902048c (20210921151047)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=89fb3b9477f682794ca2a67a2811a46c0da34bd0&tochange=9254ffa981e5e5c778992efba6568af56902048c

Comment 4

[Caroline Cullen [:caroline]]

Hey arai! Do you have an idea what could be happening with this bug?

Comment 5

[Tooru Fujisawa [:arai]]

Attachment: Bug 1742603 - Unify error message for wrong compile option parameter in shell testing functions, and add missing checks. r?nbp!

Use the same message as compileToStencil testing function in TestingFunctions.cpp.

Comment 6

[Pulsebot]

Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/799f1452308b
Unify error message for wrong compile option parameter in shell testing functions, and add missing checks. r=nbp

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1718711

Comment 8

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/799f1452308b

Comment 9

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211125043756-0bfe7aadbc81.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.