Crash [@ ToStringOp(JSContext*, JS::Handle<JSObject*>, bool)] or Assertion failure: nameVal.isString(), at builtin/WrappedFunctionObject.cpp:222 with ShadowRealm
Categories: Core :: JavaScript Engine, defect

Tracking:
Branch | Tracking | Status
---|---|---
firefox-esr102 | --- | unaffected
firefox106 | --- | unaffected
firefox107 | --- | unaffected
firefox108 | --- | fixed

People: Reporter: decoder, Assigned: mgaudet
References: Regression
Details: 5 keywords, Whiteboard: [bugmon:update,bisected,confirmed][adv-main108+r]
Attachments: 2 files
The following testcase crashes on mozilla-central revision 20221026-460e8620ad58 (opt build, run with --fuzzing-safe --ion-offthread-compile=off --enable-shadow-realms test.js):
a = new ShadowRealm();
// b is a wrapped function exotic object: a callable in the outer realm that
// forwards calls to f inside the ShadowRealm.
b = a.evaluate("function f() {} f");
// Its "name" data property is configurable, so it can be redefined to a
// non-string value; Function.prototype.toString then reads it as a string.
Object.defineProperty(b, "name", {
  value: 0
}).toString();
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x56800fe7 in ToStringOp(JSContext*, JS::Handle<JSObject*>, bool) [clone .llvm.6262291245551907720] ()
#1 0x56cf1e47 in js::fun_toString(JSContext*, unsigned int, JS::Value*) ()
#2 0x56c90226 in Interpret(JSContext*, js::RunState&) ()
[...]
#8 0x56fe3c4e in Process(JSContext*, char const*, bool, FileKind) ()
#9 0x56fbc78d in main ()
eax 0x0 0
ebx 0x58680000 1483210752
ecx 0xf6912200 -158260736
edx 0x20 32
esi 0x0 0
edi 0xfffc97a0 -223328
ebp 0xfffc9818 4294744088
esp 0xfffc9750 4294743888
eip 0x56800fe7 <ToStringOp(JSContext*, JS::Handle<JSObject*>, bool) [clone .llvm.6262291245551907720]+295>
=> 0x56800fe7 <_ZL10ToStringOpP9JSContextN2JS6HandleIP8JSObjectEEb.llvm.6262291245551907720+295>: mov (%eax),%edx
0x56800fe9 <_ZL10ToStringOpP9JSContextN2JS6HandleIP8JSObjectEEb.llvm.6262291245551907720+297>: test $0x10,%dl
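The register dump above shows the root cause directly: at the faulting `mov (%eax),%edx` eax is 0, so the opt build dereferences a null pointer where the debug build trips the assertion `nameVal.isString()`. As an added example (not SpiderMonkey's code and not the ShadowRealm proposal's implementation), the following JavaScript models the invariant that was violated: a wrapped function's `name` is a configurable data property, so user code may redefine it to a number, a Symbol or an accessor, and a toString path that reads it and assumes a string fails. `wrapFunction`, `fragileToString`, `safeToString`, `attempt` and `replay` are hypothetical names introduced here; the inputs in `replay` are constructed. The block does not use `ShadowRealm` itself, so it runs in any current engine without `--enable-shadow-realms`.

```javascript
"use strict";

// Added example, not SpiderMonkey or ShadowRealm implementation code.
// wrapFunction() is a hypothetical stand-in for the ShadowRealm proposal's
// WrappedFunctionCreate: a fresh callable in the caller's realm that forwards
// to `target`, with `name` defined the way SetFunctionName defines it
// (non-writable but configurable), so user code may later redefine it.
function wrapFunction(target) {
  const wrapped = function (...args) {
    return Reflect.apply(target, undefined, args);
  };
  const desc = Object.getOwnPropertyDescriptor(target, "name");
  const initialName = desc && typeof desc.value === "string" ? desc.value : "";
  Object.defineProperty(wrapped, "name", {
    value: initialName, writable: false, enumerable: false, configurable: true,
  });
  return wrapped;
}

// Model of the faulty path: it reads `name` with an ordinary [[Get]] and uses
// the result as a string without checking. In JS the wrong assumption surfaces
// as a TypeError (or as a user getter running); in the engine it surfaced as
// the assertion nameVal.isString() or, in an opt build, a null dereference.
function fragileToString(wrapped) {
  const nameVal = wrapped.name;
  return "function " + nameVal.normalize() + "() {\n    [native code]\n}";
}

// Hardened model: read the own data descriptor (so no getter can run) and
// accept only a string; anything else renders as an anonymous native function,
// which is still valid NativeFunction syntax for Function.prototype.toString.
function safeToString(wrapped) {
  const desc = Object.getOwnPropertyDescriptor(wrapped, "name");
  const name = desc && typeof desc.value === "string" ? desc.value : "";
  return "function " + name + "() {\n    [native code]\n}";
}

// Run fn and report either its result or the name of the exception class.
function attempt(fn) {
  try {
    return fn();
  } catch (e) {
    return e.constructor.name;
  }
}

// Replay the shape of the bug's testcase (name redefined to the number 0) and
// a few more non-string `name` values a fuzzer would try. Constructed inputs.
function replay() {
  const cases = {
    intact: null,
    number: { value: 0 },
    symbol: { value: Symbol("s") },
    getter: { get() { throw new Error("getter ran"); } },
    deleted: "delete",
  };
  const results = {};
  for (const [label, desc] of Object.entries(cases)) {
    const b = wrapFunction(function f() {});
    if (desc === "delete") {
      delete b.name; // configurable, so the delete succeeds
    } else if (desc !== null) {
      Object.defineProperty(b, "name", desc);
    }
    results[label] = {
      fragile: attempt(() => fragileToString(b)),
      safe: safeToString(b),
    };
  }
  return results;
}
```

`replay()` returns, per case, what the fragile path produced (a TypeError for 0 and for a Symbol, the getter's Error for an accessor, and the inherited empty `Function.prototype.name` once the own property is deleted) next to the hardened output, which is a well-formed native-function string in every case.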
Comment 1 (Reporter, 2 years ago)

Comment 2 (Reporter, 2 years ago)

Comment 4 (2 years ago):
Bug 1797750 should fix this issue, too.
Later: Verified this is no longer reproducible with the patches from bug 1797750 applied.
Comment 6 (2 years ago):
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221027215515-2dddf127c6ab.
The bug appears to have been introduced in the following build range:
Start: d1d1d489003c63f62db8eb3d4dc2af7d27862fbe (20221003212025)
End: 73c16d284362ba24606a516cd454dd3fe395b9b6 (20221004213513)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d1d1d489003c63f62db8eb3d4dc2af7d27862fbe&tochange=73c16d284362ba24606a516cd454dd3fe395b9b6
Comment 7 (Assignee, 2 years ago):
Patches on Bug 1797750 have been reviewed, and will fix this.
Note: This code has never shipped and is only available with a non-default pref set.
Comment 8 (Assignee, 2 years ago):
This appears to be fixed with Bug 1797750. This fuzz test case is covered by the testing added in https://phabricator.services.mozilla.com/D160511
Comment 9 (2 years ago):
Verified bug as fixed on rev mozilla-central 20221101093931-d0fd41bff926.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 10 (2 years ago):
Based on comment #6, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.
:mgaudet, if possible, could you fill the Regressed by field and investigate this regression?
For more information, please visit auto_nag documentation.