Closed Bug 1547129 Opened 6 years ago Closed 6 years ago

Assertion failure: obj->is<PlainObject>() || obj->is<JSFunction>(), at js/src/vm/Interpreter-inl.h:361

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla68

Tracking Flags:

Tracking

Status

firefox-esr60

---

unaffected

firefox67

---

disabled

firefox68

---

fixed

People

(Reporter: decoder, Assigned: khyperia)

References

Details

(4 keywords, Whiteboard: [jsbugmon:])

Attachments

(1 file)

Bug 1547129 - Change JSOP_INITPROP implementation to DefineDataProperty. 6 years ago Ashley Hauck [:khyperia] (deleted), text/x-phabricator-request		Details

Christian Holler (:decoder)

Reporter

Description

•

6 years ago

The following testcase crashes on mozilla-central revision 0ec836eceb96 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --enable-experimental-fields):

new class foo extends Array {
  e = function() {}
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::InitPropertyOperation (rhs=..., name=..., obj=..., op=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter-inl.h:361
#1  Interpret (cx=0x555556b5cc20, state=...) at js/src/vm/Interpreter.cpp:3804
#2  0x00005555558e8716 in js::RunScript (cx=0x7ffff5f19000, state=...) at js/src/vm/Interpreter.cpp:423
#3  0x00005555558ebe34 in js::ExecuteKernel (cx=<optimized out>, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:782
#4  0x00005555558ec47c in js::Execute (cx=<optimized out>, cx@entry=0x7ffff5f19000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:816
#5  0x0000555555a066a0 in ExecuteScript (cx=0x7ffff5f19000, scope=scope@entry=..., script=..., rval=rval@entry=0x0) at js/src/vm/CompilationAndEvaluation.cpp:435
#6  0x0000555555a101f8 in JS_ExecuteScript (cx=<optimized out>, scriptArg=...) at js/src/vm/CompilationAndEvaluation.cpp:468
#7  0x0000555555820148 in RunFile (cx=0x7ffff5f19000, filename=0x7fffffffdfb4 "test.js", file=<optimized out>, compileMethod=<optimized out>, compileOnly=<optimized out>) at js/src/shell/js.cpp:914
#8  0x0000555555820a75 in Process (cx=0x7ffff5f19000, filename=0x7fffffffdfb4 "test.js", forceTTY=<optimized out>, kind=FileScript) at js/src/shell/js.cpp:1470
#9  0x0000555555822625 in ProcessArgs (cx=<optimized out>, op=0x7fffffffd940) at js/src/shell/js.cpp:10195
#10 0x00005555558306db in Shell (envp=<optimized out>, op=0x7fffffffd940, cx=<optimized out>) at js/src/shell/js.cpp:10758
#11 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11373
rax	0x555557c90360	93825033372512
rbx	0x555556b5cc20	93825015335968
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffcdb0	140737488342448
rsp	0x7fffffffc7d0	140737488340944
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffffcaa0	140737488341664
r13	0x7fffffffca10	140737488341520
r14	0x555557bf4b00	93825032735488
r15	0x7fffffffccc0	140737488342208
rip	0x5555558e7922 <Interpret(JSContext*, js::RunState&)+59378>
=> 0x5555558e7922 <Interpret(JSContext*, js::RunState&)+59378>:	movl   $0x0,0x0
   0x5555558e792d <Interpret(JSContext*, js::RunState&)+59389>:	ud2

Ashley Hauck [:khyperia]

Assignee

Comment 1

•

6 years ago

Attached file Bug 1547129 - Change JSOP_INITPROP implementation to DefineDataProperty. (deleted) — Details

Fuzzing Team

Updated

•

6 years ago

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]

Fuzzing Team

Comment 2

•

6 years ago

JSBugMon: Cannot process bug: Error: Failed to isolate test from comment

Fuzzing Team

Updated

•

6 years ago

Whiteboard: [jsbugmon:bisect] → [jsbugmon:]

Fuzzing Team

Comment 3

•

6 years ago

JSBugMon: Bisection requested, failed due to error: Error: Failed to isolate test from comment

Ashley Hauck [:khyperia]

Assignee

Updated

•

6 years ago

Assignee: nobody → khyperia

Status: NEW → ASSIGNED

Jason Orendorff [:jorendorff]

Updated

•

6 years ago

Priority: -- → P1

Nicolas B. Pierron [:nbp]

Updated

•

6 years ago

status-firefox68: disabled → affected

Phabricator Automation

Updated

•

6 years ago

Attachment #9061112 - Attachment description: Bug 1547129 - Delete outdated assertion. → Bug 1547129 - Change JSOP_INITPROP implementation to DefineDataProperty.

Pulsebot

Comment 4

•

6 years ago

Pushed by ahauck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a5fe44cee772 Change JSOP_INITPROP implementation to DefineDataProperty. r=jorendorff

Razvan Maries

Comment 5

•

6 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/a5fe44cee772

Status: ASSIGNED → RESOLVED

Closed: 6 years ago

status-firefox68: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla68

Ryan VanderMeulen [:RyanVM]

Updated

•

5 years ago

status-firefox67: --- → disabled

status-firefox-esr60: --- → unaffected

Flags: in-testsuite+

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Assertion failure: obj->is<PlainObject>() || obj->is<JSFunction>(), at js/src/vm/Interpreter-inl.h:361

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

()

People

(Reporter: decoder, Assigned: khyperia)

References

Details

(4 keywords, Whiteboard: [jsbugmon:])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Comment 2

Updated

Comment 3

Updated

Updated

Updated

Updated

Comment 4

Comment 5

Updated

Attachment

General

Description

File Name

Content Type