Bug 1180047 (Closed)
Opened 9 years ago; closed 9 years ago
Assertion failure: !IsInternalFunctionObject(*obj), at js/src/vm/Debugger.cpp:809
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target milestone: mozilla42

| | Tracking | Status |
|---|---|---|
| firefox42 | --- | fixed |

People: Reporter: decoder, Assigned: jimb
Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments (1 file): (deleted), patch; fitzgen: review+
The following testcase crashes on mozilla-central revision f5e3bacfb60e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):
var g = this;
function arrayContains(arr, expected) {
Object.defineProperty(obj, "0", {
get: function() {}
});
}
var lfGlobal = newGlobal();
for (lfLocal in this) {
if (!(lfLocal in lfGlobal)) {
lfGlobal[lfLocal] = this[lfLocal];
}
}
lfGlobal.offThreadCompileScript("var dbg = new Debugger(); dbg.addDebuggee(g); dbg.findObjects();");
lfGlobal.runOffThreadScript();
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000666ced in js::Debugger::wrapDebuggeeValue (this=this@entry=0x7ffff6960000, cx=cx@entry=0x7ffff691b4e0, vp=vp@entry=...) at js/src/vm/Debugger.cpp:809
#0 0x0000000000666ced in js::Debugger::wrapDebuggeeValue (this=this@entry=0x7ffff6960000, cx=cx@entry=0x7ffff691b4e0, vp=vp@entry=...) at js/src/vm/Debugger.cpp:809
#1 0x000000000066c01d in js::Debugger::findObjects (cx=0x7ffff691b4e0, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:3985
#2 0x000000000069a9d2 in js::CallJSNative (cx=0x7ffff691b4e0, native=0x66bb00 <js::Debugger::findObjects(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#3 0x0000000000689d52 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:711
#4 0x000000000067c0c2 in Interpret (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:2959
#5 0x0000000000689753 in js::RunScript (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:655
#6 0x00000000006947f6 in js::ExecuteKernel (cx=cx@entry=0x7ffff691b4e0, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x7fffffffb718) at js/src/vm/Interpreter.cpp:895
#7 0x0000000000696ae3 in js::Execute (cx=cx@entry=0x7ffff691b4e0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x7fffffffb718) at js/src/vm/Interpreter.cpp:929
#8 0x0000000000a88ffb in ExecuteScript (cx=cx@entry=0x7ffff691b4e0, scope=..., script=..., rval=0x7fffffffb718) at js/src/jsapi.cpp:4325
#9 0x0000000000a890ef in JS_ExecuteScript (cx=cx@entry=0x7ffff691b4e0, scriptArg=..., scriptArg@entry=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4350
#10 0x000000000047d401 in runOffThreadScript (cx=0x7ffff691b4e0, argc=<optimized out>, vp=0x7fffffffb718) at js/src/shell/js.cpp:3483
#11 0x000000000069a9d2 in js::CallJSNative (cx=0x7ffff691b4e0, native=0x47d2f0 <runOffThreadScript(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:235
#12 0x0000000000689d52 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:711
#13 0x000000000068bbc6 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, thisv=..., fval=..., argc=<optimized out>, argv=0x7fffffffc2e8, rval=...) at js/src/vm/Interpreter.cpp:768
#14 0x0000000000b95744 in js::DirectProxyHandler::call (this=this@entry=0x1c21d20 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff691b4e0, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#15 0x0000000000b9c352 in js::CrossCompartmentWrapper::call (this=0x1c21d20 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff691b4e0, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#16 0x0000000000ba8b62 in js::Proxy::call (cx=cx@entry=0x7ffff691b4e0, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:391
#17 0x0000000000ba8c1e in js::proxy_Call (cx=0x7ffff691b4e0, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:697
#18 0x000000000069a9d2 in js::CallJSNative (cx=0x7ffff691b4e0, native=0xba8b80 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#19 0x000000000068a03d in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:699
#20 0x000000000068bbc6 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffffffc778, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:768
#21 0x00000000008ade0a in js::jit::DoCallFallback (cx=0x7ffff691b4e0, frame=0x7fffffffc7a8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc768, res=...) at js/src/jit/BaselineIC.cpp:9859
#22 0x00007ffff7feebdf in ?? ()
[...]
#32 0x0000000000000000 in ?? ()
rip 0x666ced <js::Debugger::wrapDebuggeeValue(JSContext*, JS::MutableHandle<JS::Value>)+1789>
=> 0x666ced <js::Debugger::wrapDebuggeeValue(JSContext*, JS::MutableHandle<JS::Value>)+1789>: movl $0x329,0x0
0x666cf8 <js::Debugger::wrapDebuggeeValue(JSContext*, JS::MutableHandle<JS::Value>)+1800>: callq 0x4961f0 <abort()>
Updated by Reporter, 9 years ago:
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 by Reporter (decoder), 9 years ago:
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20150630155644" and the hash "486709a9d6f8".
The "bad" changeset has the timestamp "20150630160449" and the hash "827e17b69b0f".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=486709a9d6f8&tochange=827e17b69b0f
Updated 9 years ago:
Flags: needinfo?(jimb)
Comment 2 by Assignee (jimb), 9 years ago:
I have to admit, I don't quite understand why the test case doesn't reduce more. But this does crash without the change to Debugger.cpp.
Assignee: nobody → jimb
Status: NEW → ASSIGNED
Flags: needinfo?(jimb)
Attachment #8630080 Flags: review?(nfitzgerald)
Comment 3 (reviewer), 9 years ago:
Comment on attachment 8630080 [details] [diff] [review]
Debugger.prototype.findObjects should not return objects that must not be exposed to JS.
Review of attachment 8630080 [details] [diff] [review]:
-----------------------------------------------------------------
(In reply to Jim Blandy :jimb from comment #2)
> I have to admit, I don't quite understand why the test case doesn't reduce
> more.
The beauty of fuzzers: it doesn't really matter! We discovered the bug and fixed it :D
Attachment #8630080 Flags: review?(nfitzgerald) → review+
Updated by Assignee, 9 years ago:
Flags: in-testsuite+
Target Milestone: --- → mozilla42
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED