Closed Bug 1826230 Opened 1 year ago Closed 11 months ago

JS::ErrorReportBuilder asserts on ErrorObject with cause property

Tracking

()

Status:

RESOLVED FIXED

Milestone:

116 Branch

Tracking Flags:

Tracking

Status

firefox116

---

fixed

People

(Reporter: bthrall, Assigned: anba)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1826230: Don't return the GetterSetter Private-GC thing from ErrorObject::getCause. r=bthrall! 1 year ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review

Bryan Thrall [:bthrall]

Reporter

Description

•

1 year ago

The JS shell uses JS::ErrorReportBuilder so the following script will trigger the assertion:

const error = Error(this, { cause: "initial cause" });
Object.defineProperty(error, "cause", { get: () => "cause property" });
throw error;

which produces the following stack trace in GDB:

#0 js::ToStringSlow<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType)
(cx=<optimized out>, cx@entry=0x7ffff7630100, arg=arg@entry=$JS::Value(unrecognized!))
at /home/bryan/src/mozilla-unified/js/src/vm/StringType.cpp:2246
#1 0x00005555573bb8f2 in js::ToString<(js::AllowGC)1>(JSContext*, JS::Handle<JS::Value>)
(cx=0x7ffff7630100, v=$JS::Value(unrecognized!))
at /home/bryan/src/mozilla-unified/js/src/vm/StringType.h:1691
#2 JS::ErrorReportBuilder::init(JSContext*, JS::ExceptionStack const&, JS::ErrorReportBuilder::SniffingBehavior)
(this=0x7fffffffd740, cx=<optimized out>, exnStack=..., sniffingBehavior=JS::ErrorReportBuilder::WithSideEffects) at /home/bryan/src/mozilla-unified/js/src/jsexn.cpp:513

The cause appears to be that Object.defineProperty() stores the getter flagged as PrivateGCThing in the ErrorObject's slot, but ErrorReportBuilder is not expecting that type

Bryan Thrall [:bthrall]

Reporter

Updated

•

1 year ago

Blocks: sm-defects-crashes

André Bargull [:anba]

Assignee

Comment 1

•

1 year ago

Attached file Bug 1826230: Don't return the GetterSetter Private-GC thing from ErrorObject::getCause. r=bthrall! — Details

When the cause property has been redefined to an accessor property, the
CAUSE_SLOT reserved slot contains a Private-GC thing storing the GetterSetter
object. Make sure we don't try to return the Private-GC thing from the
ErrorObject::getCause() method.

Phabricator Automation

Updated

•

1 year ago

Assignee: nobody → andrebargull

Status: NEW → ASSIGNED

Matthew Gaudet (he/him) [:mgaudet]

Updated

•

1 year ago

Severity: -- → S3

Priority: -- → P1

Pulsebot

Comment 2

•

11 months ago

Pushed by andre.bargull@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/c87ce308f6ee
Don't return the GetterSetter Private-GC thing from ErrorObject::getCause. r=spidermonkey-reviewers,mgaudet

Bryan Thrall [:bthrall]

Reporter

Updated

•

11 months ago

Duplicate of this bug: 1816254

Noemi Erli[:noemi_erli]

Comment 4

•

11 months ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/c87ce308f6ee

Status: ASSIGNED → RESOLVED

Closed: 11 months ago

status-firefox116: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 116 Branch

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

JS::ErrorReportBuilder asserts on ErrorObject with cause property

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

()

People

(Reporter: bthrall, Assigned: anba)

References

(Blocks 1 open bug)

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Updated

Updated

Comment 2

Updated

Comment 4

Attachment

General

Description

File Name

Content Type