Bug 1890252 (Closed) - Opened 1 year ago, Closed 1 year ago
Assertion failure: !chain[i]->is<GlobalObject>() && !chain[i]->is<NonSyntacticVariablesObject>(), at vm/EnvironmentObject.cpp:3328
Categories: Core :: JavaScript Engine, defect, P3
Status: RESOLVED FIXED, Target Milestone: 127 Branch

| | Tracking | Status |
|---|---|---|
| firefox127 | --- | fixed |

People: Reporter: lukas.bernhard, Assigned: mgaudet
References: Blocks 1 open bug
Attachments: 1 file

Description
Steps to reproduce:
On git commit 624107ac3ba02d3de1a58c6966b0e364053b32b5 the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe --more-compartments crash.js
// evalcx("lazy") creates a new sandbox global; with --more-compartments it is
// in a separate compartment, so v2 is a cross-compartment wrapper (CCW).
const v2 = evalcx("lazy");
const o4 = {
"global": v2,
};
// The wrapped global also terminates the non-syntactic environment chain.
o4.envChainObject = v2;
// evaluate() builds that chain from o4.envChainObject without unwrapping the
// CCW (comment 1), so the class check in CreateObjectsForEnvironmentChain fires.
evaluate("{ let eval = parseInt; eval()}", o4);
#0 js::CreateObjectsForEnvironmentChain (cx=cx@entry=0x7ffff7439100, chain=chain@entry=..., terminatingEnv=terminatingEnv@entry=..., envObj=envObj@entry=...)
at js/src/vm/EnvironmentObject.cpp:3356
#1 0x00005555574ba26f in js::CreateNonSyntacticEnvironmentChain (cx=cx@entry=0x7ffff7439100, envChain=envChain@entry=..., env=env@entry=...)
at js/src/vm/EnvironmentObject.cpp:885
#2 0x00005555574b8c18 in ExecuteScript (cx=0x7ffff7439100, envChain=..., script=..., rval=...) at js/src/vm/CompilationAndEvaluation.cpp:500
#3 JS_ExecuteScript (cx=0x7ffff7439100, envChain=envChain@entry=..., scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/vm/CompilationAndEvaluation.cpp:524
#4 0x0000555557174829 in Evaluate (cx=0x7ffff7439100, argc=<optimised out>, vp=<optimised out>) at js/src/shell/js.cpp:2735
#5 0x0000555557269a77 in CallJSNative (cx=cx@entry=0x7ffff7439100, native=native@entry=0x555557173730 <Evaluate(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call,
args=...) at js/src/vm/Interpreter.cpp:479
#6 0x0000555557268c92 in js::InternalCallOrConstruct (cx=0x7ffff7439100, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
at js/src/vm/Interpreter.cpp:573
#7 0x000055555726a9e6 in InternalCall (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, args=..., reason=1505763904) at js/src/vm/Interpreter.cpp:640
#8 0x000055555727ec71 in js::CallFromStack (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, args=..., reason=<optimised out>) at js/src/vm/Interpreter.cpp:645
#9 js::Interpret (cx=0x7ffff7439100, state=...) at js/src/vm/Interpreter.cpp:3060
#10 0x00005555572681e7 in MaybeEnterInterpreterTrampoline (cx=0x7ffff7a008e0 <_IO_stdfile_2_lock>, cx@entry=0x7ffff7439100, state=...) at js/src/vm/Interpreter.cpp:393
#11 0x0000555557267eda in js::RunScript (cx=cx@entry=0x7ffff7439100, state=...) at js/src/vm/Interpreter.cpp:451
#12 0x000055555726ceb2 in js::ExecuteKernel (cx=cx@entry=0x7ffff7439100, script=script@entry=..., envChainArg=envChainArg@entry=..., evalInFrame=evalInFrame@entry=..., result=result@entry=...)
at js/src/vm/Interpreter.cpp:838
#13 0x000055555726d6bd in js::Execute (cx=cx@entry=0x7ffff7439100, script=script@entry=..., envChain=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:870
#14 0x00005555574b872a in ExecuteScript (cx=cx@entry=0x7ffff7439100, envChain=..., script=..., rval=rval@entry=...) at js/src/vm/CompilationAndEvaluation.cpp:494
#15 0x00005555574b89a8 in JS_ExecuteScript (cx=cx@entry=0x7ffff7439100, scriptArg=scriptArg@entry=...) at js/src/vm/CompilationAndEvaluation.cpp:518
#16 0x00005555571a5628 in RunFile (cx=0x7ffff7439100, filename=<optimised out>, file=<optimised out>, compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=<optimised out>)
at js/src/shell/js.cpp:1196
#17 0x00005555571a4aee in Process (cx=cx@entry=0x7ffff7439100, filename=0x0, forceTTY=<optimised out>, kind=kind@entry=FileScript) at js/src/shell/js.cpp:1782
#18 0x0000555557160af3 in ProcessArgs (cx=0x7ffff7439100, op=0x7fffffffe618) at js/src/shell/js.cpp:11131
#19 Shell (cx=0x7ffff7439100, op=op@entry=0x7fffffffe618) at js/src/shell/js.cpp:11390
#20 0x00005555571591a9 in main (argc=<optimised out>, argv=0x7fffffffe8a8) at js/src/shell/js.cpp:11898
Reporter, updated 1 year ago
Assignee, updated 1 year ago:
Severity: -- → S3
Flags: needinfo?(mgaudet)
Priority: -- → P3
Comment 1, by assignee (mgaudet), 1 year ago:
(The assertion in the bug summary went away a while ago; this fails with !chain[i]->isUnqualifiedVarObj(), at /Users/mgaudet/unified/js/src/vm/EnvironmentObject.cpp:3356 for me)
Anyhow; missing CCW unwrap, patch inbound.
Flags: needinfo?(mgaudet)
Comment 2, by assignee (mgaudet), 1 year ago
Updated 1 year ago:
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/00916d9a4a91
Unwrap potential CCW environment chain object r=arai
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox127: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch