Bug 1814000 (Closed) - Assertion failure: !obj->is<ScriptSourceObject>(), at vm/Compartment.cpp:292

Opened 1 year ago; closed 1 year ago
Categories: Core :: JavaScript Engine, defect, P3
Status: RESOLVED FIXED
Target Milestone: 112 Branch

Tracking | Status
---|---
firefox112 | fixed

People: Reporter: lukas.bernhard; Assigned: jandem
References: Blocks 2 open bugs
Attachments: 1 file

Description
Steps to reproduce:

The attached sample crashes the js-shell on commit cfa53fc21de3984ef9f4887235a45561666ed3a3 when invoked via `obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js`.

Bisecting the issue points to commit 9e723ef687c63a4ad2244d3da9878031d9e3825e related to bug 1795886.
```js
// crash.js: fuzzer-generated test case. Requires the SpiderMonkey js shell:
// newGlobal, evaluate and findPath are shell/testing functions, not web APIs.
const v0 = `
const v1 = \`
function f2() {
function f5(a6, a7) {
const v10 = this.newGlobal(f5);
const v9 = a7.__proto__;
v9.__proto__ = v10;
}
f5.sameZoneAs = f5;
new Promise(f5);
const v18 = eval("[];");
v18[0] = f5;
f5.findPath(v18, v1);
}
[f2];
\`;
const v26 = eval(eval(v1).toSource())[0];
v26(v0);
`;
let {...v32} = this;
v32.envChainObject = v32;
evaluate(v0, v32);
```
```
#0 0x0000555557924767 in JS::Compartment::getOrCreateWrapper (this=0x7ffff7403b30,
cx=0x7ffff742f100, existing=..., obj=...)
at js/src/vm/Compartment.cpp:292
#1 0x0000555557924e6e in JS::Compartment::wrap (this=0x7ffff7403b30, cx=0x7ffff742f100,
obj=...) at js/src/vm/Compartment.cpp:379
#2 0x000055555754f0f3 in JS::Compartment::wrap (this=0x7ffff7403b30, cx=0x7ffff742f100, vp=...)
at js/src/vm/Compartment-inl.h:114
#3 0x0000555557fd37d3 in FindPath (cx=0x7ffff742f100, argc=2, vp=0x7fffffff6af0)
at js/src/builtin/TestingFunctions.cpp:5820
#4 0x00005555576f1f0e in CallJSNative (cx=0x7ffff742f100,
native=0x555557fd2e20 <FindPath(JSContext*, unsigned int, JS::Value*)>,
reason=js::CallReason::Call, args=...)
at js/src/vm/Interpreter.cpp:459
#5 0x00005555576f174d in js::InternalCallOrConstruct (cx=0x7ffff742f100, args=...,
construct=js::NO_CONSTRUCT, reason=js::CallReason::Call)
at js/src/vm/Interpreter.cpp:547
#6 0x00005555576f2ae1 in InternalCall (cx=0x7ffff742f100, args=...,
reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:614
#7 0x00005555576f2d25 in js::Call (cx=0x7ffff742f100, fval=..., thisv=..., args=..., rval=...,
reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:646
#8 0x00005555581619b8 in js::ForwardingProxyHandler::call (
this=0x555559bb8530 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff742f100, proxy=...,
args=...) at js/src/proxy/Wrapper.cpp:168
#9 0x00005555581366e5 in js::CrossCompartmentWrapper::call (
this=0x555559bb8530 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff742f100,
wrapper=..., args=...)
at js/src/proxy/CrossCompartmentWrapper.cpp:229
#10 0x0000555558151271 in js::Proxy::call (cx=0x7ffff742f100, proxy=..., args=...)
at js/src/proxy/Proxy.cpp:676
#11 0x00005555576f13da in js::InternalCallOrConstruct (cx=0x7ffff742f100, args=...,
construct=js::NO_CONSTRUCT, reason=js::CallReason::Call)
at js/src/vm/Interpreter.cpp:527
#12 0x00005555576f2ae1 in InternalCall (cx=0x7ffff742f100, args=...,
reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:614
#13 0x00005555576f28a5 in js::CallFromStack (cx=0x7ffff742f100, args=...,
reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:619
#14 0x00005555576e35c9 in Interpret (cx=0x7ffff742f100, state=...)
at js/src/vm/Interpreter.cpp:3362
#15 0x00005555576d56a0 in js::RunScript (cx=0x7ffff742f100, state=...)
at js/src/vm/Interpreter.cpp:431
#16 0x00005555576f469c in js::ExecuteKernel (cx=0x7ffff742f100, script=..., envChainArg=...,
evalInFrame=..., result=...) at js/src/vm/Interpreter.cpp:812
#17 0x00005555576f4f45 in js::Execute (cx=0x7ffff742f100, script=..., envChain=..., rval=...)
at js/src/vm/Interpreter.cpp:844
```
Comment 1 • 1 year ago
Hi Jan,

Going to point you at this since it may be a regression from your bug.
Severity: -- → S3
Flags: needinfo?(jdemooij)
Priority: -- → P3
Comment 2 • 1 year ago (Assignee)

Updated • 1 year ago
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Updated • 1 year ago (Assignee)
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c3f6513cf10e Don't expose ScriptSourceObject to JS through UbiNode. r=jonco
Comment 4 • 1 year ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox112: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch