Closed Bug 1814000 Opened 1 year ago Closed 1 year ago

Assertion failure: !obj->is<ScriptSourceObject>(), at vm/Compartment.cpp:292

Categories

(Core :: JavaScript Engine, defect, P3)

RESOLVED FIXED
112 Branch
Tracking Status
firefox112 --- fixed

People

(Reporter: lukas.bernhard, Assigned: jandem)

References

(Blocks 2 open bugs)

Attachments

(1 file)

Steps to reproduce:

The attached sample crashes the js-shell on commit cfa53fc21de3984ef9f4887235a45561666ed3a3 when invoked via obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js.
Bisecting the issue points to commit 9e723ef687c63a4ad2244d3da9878031d9e3825e related to bug 1795886.

const v0 = ` 
    const v1 = \`
        function f2() {
            function f5(a6, a7) {
                const v10 = this.newGlobal(f5);
                const v9 = a7.__proto__;
                v9.__proto__ = v10;
            }
            f5.sameZoneAs = f5;
            new Promise(f5);
            const v18 = eval("[];");
            v18[0] = f5;
            f5.findPath(v18, v1);
        }
        [f2];
    \`;
    const v26 = eval(eval(v1).toSource())[0];
    v26(v0);
`;
let {...v32} = this;
v32.envChainObject = v32;
evaluate(v0, v32);

#0  0x0000555557924767 in JS::Compartment::getOrCreateWrapper (this=0x7ffff7403b30, 
    cx=0x7ffff742f100, existing=..., obj=...)
    at js/src/vm/Compartment.cpp:292
#1  0x0000555557924e6e in JS::Compartment::wrap (this=0x7ffff7403b30, cx=0x7ffff742f100, 
    obj=...) at js/src/vm/Compartment.cpp:379
#2  0x000055555754f0f3 in JS::Compartment::wrap (this=0x7ffff7403b30, cx=0x7ffff742f100, vp=...)
    at js/src/vm/Compartment-inl.h:114
#3  0x0000555557fd37d3 in FindPath (cx=0x7ffff742f100, argc=2, vp=0x7fffffff6af0)
    at js/src/builtin/TestingFunctions.cpp:5820
#4  0x00005555576f1f0e in CallJSNative (cx=0x7ffff742f100, 
    native=0x555557fd2e20 <FindPath(JSContext*, unsigned int, JS::Value*)>, 
    reason=js::CallReason::Call, args=...)
    at js/src/vm/Interpreter.cpp:459
#5  0x00005555576f174d in js::InternalCallOrConstruct (cx=0x7ffff742f100, args=..., 
    construct=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:547
#6  0x00005555576f2ae1 in InternalCall (cx=0x7ffff742f100, args=..., 
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:614
#7  0x00005555576f2d25 in js::Call (cx=0x7ffff742f100, fval=..., thisv=..., args=..., rval=..., 
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:646
#8  0x00005555581619b8 in js::ForwardingProxyHandler::call (
    this=0x555559bb8530 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff742f100, proxy=..., 
    args=...) at js/src/proxy/Wrapper.cpp:168
#9  0x00005555581366e5 in js::CrossCompartmentWrapper::call (
    this=0x555559bb8530 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff742f100, 
    wrapper=..., args=...)
    at js/src/proxy/CrossCompartmentWrapper.cpp:229
#10 0x0000555558151271 in js::Proxy::call (cx=0x7ffff742f100, proxy=..., args=...)
    at js/src/proxy/Proxy.cpp:676
#11 0x00005555576f13da in js::InternalCallOrConstruct (cx=0x7ffff742f100, args=..., 
    construct=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:527
#12 0x00005555576f2ae1 in InternalCall (cx=0x7ffff742f100, args=..., 
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:614
#13 0x00005555576f28a5 in js::CallFromStack (cx=0x7ffff742f100, args=..., 
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:619
#14 0x00005555576e35c9 in Interpret (cx=0x7ffff742f100, state=...)
    at js/src/vm/Interpreter.cpp:3362
#15 0x00005555576d56a0 in js::RunScript (cx=0x7ffff742f100, state=...)
    at js/src/vm/Interpreter.cpp:431
#16 0x00005555576f469c in js::ExecuteKernel (cx=0x7ffff742f100, script=..., envChainArg=..., 
    evalInFrame=..., result=...) at js/src/vm/Interpreter.cpp:812
#17 0x00005555576f4f45 in js::Execute (cx=0x7ffff742f100, script=..., envChain=..., rval=...)
    at js/src/vm/Interpreter.cpp:844
Component: Untriaged → JavaScript Engine
Product: Firefox → Core

Hi Jan,

Going to point you at this since it may be a regression from your bug.

Severity: -- → S3
Flags: needinfo?(jdemooij)
Priority: -- → P3
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c3f6513cf10e
Don't expose ScriptSourceObject to JS through UbiNode. r=jonco
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch