Assertion failure: args.rval() != ObjectValue(*callee), at vm/Interpreter.cpp:492
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox110 | --- | unaffected |
| firefox111 | --- | unaffected |
| firefox112 | --- | verified |
People
(Reporter: decoder, Assigned: jandem)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20230228-bc3bdd8c19f8 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
var func = function() {
objResult = NewFunc;
return objResult;
};
var NewFunc = Function.prototype.bind.call(func);
var newInstance = new NewFunc();
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000555556d42303 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) ()
#0 0x0000555556d42303 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) ()
#1 0x0000555556d33e3b in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) ()
#2 0x0000555556d28ae4 in Interpret(JSContext*, js::RunState&) ()
[...]
#11 0x0000555556b8ac8a in main ()
rax 0x555555879d4f 93824995532111
rbx 0x7ffff51630a8 140737305260200
rcx 0x5555582e6d08 93825040018696
rdx 0x0 0
rsi 0x7ffff6abd770 140737331844976
rdi 0x7ffff6abc540 140737331840320
rbp 0x7fffffffcdc0 140737488342464
rsp 0x7fffffffcd70 140737488342384
r8 0x7ffff6abd770 140737331844976
r9 0x7ffff7fe3840 140737354020928
r10 0x0 0
r11 0x0 0
r12 0x7fffffffcd78 140737488342392
r13 0x555558261270 93825039471216
r14 0x1 1
r15 0x3e6b69300618 68631047177752
rip 0x555556d42303 <CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+963>
=> 0x555556d42303 <_Z23CallJSNativeConstructorP9JSContextPFbS0_jPN2JS5ValueEERKNS1_8CallArgsE+963>: movl $0x1ec,0x0
0x555556d4230e <_Z23CallJSNativeConstructorP9JSContextPFbS0_jPN2JS5ValueEERKNS1_8CallArgsE+974>: callq 0x555556c20f44 <abort>
|
Reporter | |
Comment 1•1 year ago
|
||
|
|
Reporter | |
Comment 2•1 year ago
|
||
|
|
Reporter | |
Updated•1 year ago
|
|
Assignee | |
Comment 3•1 year ago
|
||
Most likely a bogus assertion. In CallJSNativeConstructor we check that a native function doesn't return itself (often a bug because callee/rval use the same Value slot in our native call ABI), but a bound function constructor can return itself if that's what the bound function is doing. We probably just have to add it to the allowlist.
I'll take a closer look tomorrow.
|
||
Comment 4•1 year ago
|
||
Verified bug as reproducible on mozilla-central 20230301093735-d59b76766f0d.
The bug appears to have been introduced in the following build range:
Start: 9c3f71785d22cc144088970c41ba7779fe005d5b (20230227130037)
End: 443570c2740f2014644dcb6e1e35937b423b9c95 (20230227130952)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9c3f71785d22cc144088970c41ba7779fe005d5b&tochange=443570c2740f2014644dcb6e1e35937b423b9c95
|
||
Comment 5•1 year ago
|
||
Set release status flags based on info from the regressing bug 1483869
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 6•1 year ago
|
||
|
|
Assignee | |
Updated•1 year ago
|
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a80f1935af57 Add bound function construct hook to allowlist in CallJSNativeConstructor. r=iain
|
||
Comment 9•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 10•1 year ago
|
||
Verified bug as fixed on rev mozilla-central 20230303155912-fa3134749ef0.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•