Closed Bug 1763501 Opened 3 years ago Closed 3 years ago

Assertion failure: !IsInternalDotName(cx, id), at vm/EnvironmentObject.cpp:727

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
101 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox99 --- unaffected
firefox100 --- wontfix
firefox101 --- verified

People

(Reporter: decoder, Assigned: anba)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20220406-678264f22280 (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

(function() {
    with(7) new.target()
})()

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000561a3308e9ce in with_LookupProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JSObject*>, js::PropertyResult*) ()
#1  0x0000561a3314c045 in js::LookupProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JSObject*>, js::PropertyResult*) ()
#2  0x0000561a3314cf6f in js::LookupName(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSObject*>, js::PropertyResult*) ()
#3  0x0000561a32f4b84d in bool js::GetEnvironmentName<(js::GetNameMode)0>(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#4  0x0000561a32f29f3f in Interpret(JSContext*, js::RunState&) ()
#5  0x0000561a32f2047f in js::RunScript(JSContext*, js::RunState&) ()
#6  0x0000561a32f369a4 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#7  0x0000561a32f36e6c in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#8  0x0000561a330658ff in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#9  0x0000561a33065b28 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#10 0x0000561a32df6af1 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#11 0x0000561a32df60f7 in Process(JSContext*, char const*, bool, FileKind) ()
#12 0x0000561a32d93545 in Shell(JSContext*, js::cli::OptionParser*) ()
#13 0x0000561a32d8abf6 in main ()
rax	0x561a31acb6fc	94670502541052
rbx	0x7fff1d808488	140733688349832
rcx	0x561a3445ab18	94670546119448
rdx	0x1	1
rsi	0x0	0
rdi	0x7f50f1fdd7d0	139985634056144
rbp	0x7fff1d808300	140733688349440
rsp	0x7fff1d8082a0	140733688349344
r8	0x0	0
r9	0x75	117
r10	0x561a3182f6c3	94670499804867
r11	0x7f50f1e71370	139985632564080
r12	0x7fff1d808420	140733688349728
r13	0x7fff1d808400	140733688349696
r14	0x140897829740	22027134211904
r15	0x7f50f0f2a200	139985616544256
rip	0x561a3308e9ce <with_LookupProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JSObject*>, js::PropertyResult*)+590>
=> 0x561a3308e9ce <_ZL19with_LookupPropertyP9JSContextN2JS6HandleIP8JSObjectEENS2_INS1_11PropertyKeyEEENS1_13MutableHandleIS4_EEPN2js14PropertyResultE+590>:	movl   $0x2d7,0x0
   0x561a3308e9d9 <_ZL19with_LookupPropertyP9JSContextN2JS6HandleIP8JSObjectEENS2_INS1_11PropertyKeyEEENS1_13MutableHandleIS4_EEPN2js14PropertyResultE+601>:	callq  0x561a32e215e7 <abort>

This started spiking massively today, marking as fuzzblocker.

Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220406154100-b617178ef491.
The bug appears to have been introduced in the following build range:

Start: 8b11b00d98c23582cff9a255dc043f22ff82ec8b (20220404182822)
End: 14b23dd0871b856c6163837e98faa5ba312fcb10 (20220404183421)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8b11b00d98c23582cff9a255dc043f22ff82ec8b&tochange=14b23dd0871b856c6163837e98faa5ba312fcb10

Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Regressed by: 1282976

Set release status flags based on info from the regressing bug 1282976

Has Regression Range: --- → yes
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220407153722-9da4eda47412.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: in-testsuite+