Closed Bug 1810414 Opened 2 years ago Closed 2 years ago

Assertion failure: MOZ_ASSERT(isObject()), at js/Value.h:828

Categories: Core :: JavaScript Engine, defect, P2

Tracking: RESOLVED DUPLICATE of bug 1800629

People: Reporter: lukas.bernhard, Unassigned

References: Blocks 2 open bugs

Details: Keywords: assertion, testcase

Steps to reproduce:

The attached sample crashes on commit 8187e40b492dff78e3d3225e652cc06f447484b, however older commits such as 0f5c5fe34065a57e82b4db9dee391a363bd54656 from Dec 2021 crash as well.
The asBits_ value is 0xfff9800000000000.

crash.js

// Reflect.parse(src, options): f0 serves as the source text (stringified),
// as the options object, and via options.builder as the builder whose
// callbacks construct AST nodes. builder.identifier is f0 itself, so the
// callback returns undefined instead of a node object.
function f0(a1) {
    class C2 {
        setUTCDate(a7, ...a8) {
        }
    }
}
f0.identifier = f0;
f0.builder = f0;
Reflect.parse(f0, f0);

command line args:
obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

backtrace:

#0  0x00005555575206d4 in JS::Value::toObject (this=0x7fffffff5b18)
    at obj-x86_64-pc-linux-gnu/dist/include/js/Value.h:939
#1  0x000055555751e0fd in js::WrappedPtrOperations<JS::Value, JS::Rooted<JS::Value>, void>::toObject (
    this=0x7fffffff5b08) at obj-x86_64-pc-linux-gnu/dist/include/js/Value.h:1348
#2  0x0000555557c8da37 in (anonymous namespace)::ASTSerializer::functionArgs (this=0x7fffffffa5d0, 
    pn=0x7ffff74d2320, args=..., defaults=..., rest=...)
    at js/src/builtin/ReflectParse.cpp:3931
#3  0x0000555557c8c6b6 in (anonymous namespace)::ASTSerializer::functionArgsAndBody (this=0x7fffffffa5d0, 
    pn=0x7ffff74d2320, args=..., defaults=..., isAsync=false, isExpression=false, body=..., rest=...)
    at js/src/builtin/ReflectParse.cpp:3857
#4  0x0000555557c8c2f1 in (anonymous namespace)::ASTSerializer::function (this=0x7fffffffa5d0, 
    funNode=0x7ffff74d2250, type=AST_FUNC_EXPR, dst=...)
    at js/src/builtin/ReflectParse.cpp:3845
#5  0x0000555557c81410 in (anonymous namespace)::ASTSerializer::expression (this=0x7fffffffa5d0, 
    pn=0x7ffff74d2250, dst=...) at js/src/builtin/ReflectParse.cpp:2967
#6  0x0000555557c8bcbe in (anonymous namespace)::ASTSerializer::classMethod (this=0x7fffffffa5d0, 
    classMethod=0x7ffff74d2440, dst=...) at js/src/builtin/ReflectParse.cpp:2826
#7  0x0000555557c7ea28 in (anonymous namespace)::ASTSerializer::statement (this=0x7fffffffa5d0, 
    pn=0x7ffff74d21e0, dst=...) at js/src/builtin/ReflectParse.cpp:2788
#8  0x0000555557c8b068 in (anonymous namespace)::ASTSerializer::classDefinition (this=0x7fffffffa5d0, 
    pn=0x7ffff74d27e8, expr=false, dst=...) at js/src/builtin/ReflectParse.cpp:2527
#9  0x0000555557c7e312 in (anonymous namespace)::ASTSerializer::statement (this=0x7fffffffa5d0, 
    pn=0x7ffff74d27e8, dst=...) at js/src/builtin/ReflectParse.cpp:2752
#10 0x0000555557c7b46e in (anonymous namespace)::ASTSerializer::sourceElement (this=0x7fffffffa5d0, 
    pn=0x7ffff74d27e8, dst=...) at js/src/builtin/ReflectParse.cpp:2071
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Group: core-security → javascript-core-security
Keywords: assertion, testcase

Arai, would you have any idea what might be going wrong?

Blocks: sm-runtime
Severity: -- → S4
Flags: needinfo?(arai.unmht)
Priority: -- → P2

This looks similar to bug 1800629. We should probably remove the user-defined builder "feature" of Reflect.parse.

The builder function doesn't work as expected (it's expected to return an object, but returns undefined), and the rest parameter handling there doesn't expect such a case.
If bug 1800629 is to remove the builder, that would fix the issue.

Another quick fix would be to check if the returned value is an object, and ignore that otherwise.

Flags: needinfo?(arai.unmht)
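A miniature model of the builder contract discussed in the two comments above, added here as an illustration and not taken from SpiderMonkey's ReflectParse.cpp: a serializer that trusts user callbacks to return node objects, beside one that validates each callback result before relying on it (the check suggested in the last comment). The names functionArgsUnchecked, functionArgsChecked, nodeFromCallback and the default builder are assumptions made for this example; the builder shape mirrors crash.js, where the function's own identifier callback returns undefined.

```javascript
'use strict';

// Added example, not SpiderMonkey code: a toy model of the Reflect.parse
// "builder" option (user callbacks that construct AST nodes) and of the
// "check that the callback returned an object" fix. Names are hypothetical.

// Default node constructors, used when the caller supplies no builder callback.
const defaultBuilder = {
  identifier: (name) => ({ type: 'Identifier', name }),
  restElement: (argument) => ({ type: 'RestElement', argument }),
  functionExpression: (params, rest, body) =>
    ({ type: 'FunctionExpression', params, rest, body }),
};

// Look up a callback on the user builder, falling back to the default one.
function resolve(builder, name) {
  const fn = builder == null ? undefined : builder[name];
  return typeof fn === 'function' ? fn : defaultBuilder[name];
}

// Stand-in for JS::Value::toObject(): the caller has already assumed the value
// is an object. Throwing here is the JS analogue of the MOZ_ASSERT in the bug.
function toObject(v) {
  if (v === null || typeof v !== 'object') {
    throw new TypeError('toObject: expected an object, got ' + String(v));
  }
  return v;
}

// Unchecked serializer: trusts every callback to return a node object. The
// plain parameters are stored as-is, so a bad callback only blows up on the
// rest-parameter path, as in the backtrace above.
function functionArgsUnchecked(paramNames, restName, builder) {
  const identifier = resolve(builder, 'identifier');
  const params = paramNames.map((n) => identifier(n));
  let rest = null;
  if (restName !== null) {
    rest = resolve(builder, 'restElement')(toObject(identifier(restName)));
  }
  return resolve(builder, 'functionExpression')(params, rest, []);
}

// Checked serializer: every value coming back from a user callback is
// validated at the call site, and the offending callback is named.
function nodeFromCallback(builder, name, ...args) {
  const result = resolve(builder, name)(...args);
  if (result === null || typeof result !== 'object') {
    throw new TypeError(`builder.${name} must return an object, got ${String(result)}`);
  }
  return result;
}

function functionArgsChecked(paramNames, restName, builder) {
  const params = paramNames.map((n) => nodeFromCallback(builder, 'identifier', n));
  let rest = null;
  if (restName !== null) {
    const arg = nodeFromCallback(builder, 'identifier', restName);
    rest = nodeFromCallback(builder, 'restElement', arg);
  }
  return nodeFromCallback(builder, 'functionExpression', params, rest, []);
}

// Builder shaped like the one in crash.js: a function whose `identifier`
// property is the function itself, so that callback returns undefined.
function makeCrashBuilder() {
  function f0() {}
  f0.identifier = f0;
  return f0;
}

// Run both serializers on the same (constructed) input and report the outcome.
function compare(paramNames, restName, builder) {
  const run = (fn) => {
    try {
      return { ok: true, node: fn(paramNames, restName, builder) };
    } catch (e) {
      return { ok: false, error: e.message };
    }
  };
  return { unchecked: run(functionArgsUnchecked), checked: run(functionArgsChecked) };
}
```

With the crash-shaped builder the unchecked variant reproduces the shape of the failure: the named parameters are serialized without complaint as an array holding undefined, and only the rest-parameter path reaches toObject; without a rest parameter it returns a malformed node silently. The checked variant fails on the first bad result and names the callback. The comment above proposes ignoring a non-object result instead of rejecting it; either way the decision belongs where the callback's value comes back, not in code further down that already assumes an object.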

Reflect.parse isn't exposed to users, and there are no uses of the builder feature outside of tests, so this isn't security-sensitive. Opening it up and duping it to bug 1800629, where I'll remove this code.

Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1800629
Resolution: --- → DUPLICATE