Closed
Bug 1634845
Opened 5 years ago
Closed 5 years ago
Assertion failure: cx->runtime()->getElementCallback, at vm/JSScript.cpp:1761 or Crash [@ js::ScriptSourceObject::unwrappedElement] with Debugger
Categories
(Core :: JavaScript Engine, defect)
VERIFIED
FIXED
mozilla77
Branch | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox75 | --- | unaffected
firefox76 | --- | unaffected
firefox77 | --- | verified
People
(Reporter: decoder, Assigned: denispal)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect][fuzzblocker])
Attachments (1 file): (deleted), text/plain
The following testcase crashes on mozilla-central revision 20200501-0f9c5a59e45d (debug build, run with --fuzzing-safe --ion-offthread-compile=off):
```js
evalInWorker(`
var g94 = newGlobal({newCompartment: true});
var dbg = new Debugger;
var gw = dbg.addDebuggee(g94);
g94.evaluate("function f(x) { return 2*x; }", {element: { foo: "bar" }});
var fw = gw.getOwnPropertyDescriptor('f').value;
assertEq(typeof fw.script.source.element, "object");
`);
```
Backtrace:
```text
received signal SIGSEGV, Segmentation fault.
#0 0x0000555555ca81d5 in js::ScriptSourceObject::unwrappedElement(JSContext*) const ()
#1 0x00005555560ad499 in js::DebuggerSource::CallData::getElement() ()
#2 0x00005555560afc91 in bool js::DebuggerSource::CallData::ToNative<&js::DebuggerSource::CallData::getElement>(JSContext*, unsigned int, JS::Value*) ()
#3 0x000055555591a712 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#4 0x0000555555919fe9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#5 0x000055555591c636 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#6 0x0000555555cf93cc in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#7 0x0000555555cfa163 in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#8 0x00005555557f7e28 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) ()
#9 0x000055555592092f in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#10 0x000055555590c0f9 in Interpret(JSContext*, js::RunState&) ()
[...]
#19 0x00007ffff6c3e41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax 0x555556f739bc 93825019623868
rbx 0x7ffff4be1000 140737299484672
rcx 0x555557fdb908 93825036826888
rdx 0x0 0
rsi 0x7ffff6efd770 140737336301424
rdi 0x7ffff6efc540 140737336296768
rbp 0x7ffff6765ac0 140737328339648
rsp 0x7ffff6765a70 140737328339568
r8 0x7ffff6efd770 140737336301424
r9 0x7ffff6767700 140737328346880
r10 0x58 88
r11 0x7ffff6ba47a0 140737332791200
r12 0xfff9800000000000 -1829587348619264
r13 0x7ffff6765a70 140737328339568
r14 0x7ffff6765a80 140737328339584
r15 0x7ffff4be7000 140737299509248
rip 0x555555ca81d5 <js::ScriptSourceObject::unwrappedElement(JSContext*) const+501>
=> 0x555555ca81d5 <_ZNK2js18ScriptSourceObject16unwrappedElementEP9JSContext+501>: movl $0x6e1,0x0
0x555555ca81e0 <_ZNK2js18ScriptSourceObject16unwrappedElementEP9JSContext+512>: callq 0x555555824c96 <abort>
```
Comment 1 • 5 years ago (Reporter)

Comment 2 • 5 years ago (Reporter)
This also crashes and it is fairly frequent, marking as fuzzblocker.
Crash Signature: [@ js::ScriptSourceObject::unwrappedElement]
Summary: Assertion failure: cx->runtime()->getElementCallback, at vm/JSScript.cpp:1761 with Debugger → Assertion failure: cx->runtime()->getElementCallback, at vm/JSScript.cpp:1761 or Crash [@ js::ScriptSourceObject::unwrappedElement] with Debugger
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect][fuzzblocker]
Updated • 5 years ago
Has Regression Range: --- → yes
Updated • 5 years ago (Assignee)
Assignee: nobody → dpalmeiro
Comment 3 • 5 years ago (Assignee)
I did not realize the JS shell can create more than 1 runtime. I have a fix for this that will be pushed as part of the original patch.
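The cause named in comment 3 (evalInWorker creates a second runtime, and the per-runtime callback that the bug's assertion reads was only ever installed on the first one) is sketched below in an added, hypothetical C++ model. It is not SpiderMonkey's code and does not reproduce its real types or the actual patch: Runtime, Context, GetElementCallback, shellGetElement, unwrappedElementSafe and the other names are stand-ins chosen for this illustration, and the element string is constructed. It shows the runtime field left null on the worker runtime, an accessor that treats a missing callback as "no element" instead of asserting on it, and the setup propagation that gives every newly created runtime the same callback.

```cpp
#include <cstddef>
#include <string>

// Simplified, hypothetical model of the per-runtime callback behind this bug.
// Not SpiderMonkey's code: Runtime, Context and GetElementCallback stand in
// for JSRuntime, JSContext and the runtime's getElementCallback field.
typedef const char* (*GetElementCallback)(const char* rawElement);

struct Runtime {
  // A freshly created runtime has no callback until the embedding installs one.
  GetElementCallback getElementCallback = nullptr;
};

struct Context {
  Runtime* rt;
  Runtime* runtime() const { return rt; }
};

// Constructed stand-in for the callback the shell installs on its main runtime.
static const char* shellGetElement(const char* rawElement) { return rawElement; }

// The shape of the bug: the main runtime is configured once at startup, but
// evalInWorker creates a second runtime that never goes through that setup.
static Runtime mainRuntime;
static Runtime workerRuntime;

static bool hasElementCallback(const Context* cx) {
  return cx->runtime()->getElementCallback != nullptr;
}

// Hardened accessor: a runtime without a callback yields "no element" instead
// of asserting on, or calling through, a null function pointer.
static std::string unwrappedElementSafe(const Context* cx, const char* rawElement) {
  GetElementCallback cb = cx->runtime()->getElementCallback;
  if (cb == nullptr) {
    return std::string();
  }
  const char* unwrapped = cb(rawElement);
  return unwrapped ? std::string(unwrapped) : std::string();
}

// Reproduces the testcase's situation: main runtime set up, worker runtime not.
// Returns true when the worker runtime would trip the assertion in the bug title.
static bool workerRuntimeMissesCallback() {
  mainRuntime.getElementCallback = shellGetElement;
  workerRuntime.getElementCallback = nullptr;  // fresh runtime, no setup ran
  Context mainCx{&mainRuntime};
  Context workerCx{&workerRuntime};
  return hasElementCallback(&mainCx) && !hasElementCallback(&workerCx);
}

// Runs the hardened accessor on the worker runtime with a constructed element.
static std::string unwrappedElementOnWorker(const char* rawElement) {
  Context workerCx{&workerRuntime};
  return unwrappedElementSafe(&workerCx, rawElement);
}

// The direction comment 3 points at: every path that creates a runtime must run
// the same setup, so the worker runtime receives the callback as well.
static bool installCallbackOnWorker() {
  workerRuntime.getElementCallback = mainRuntime.getElementCallback;
  Context workerCx{&workerRuntime};
  return hasElementCallback(&workerCx);
}

int main() {
  bool missing = workerRuntimeMissesCallback();                 // true: worker lacks the callback
  std::string before = unwrappedElementOnWorker("{foo: bar}");  // "" instead of a crash
  bool fixed = installCallbackOnWorker();                       // true once propagated
  std::string after = unwrappedElementOnWorker("{foo: bar}");   // "{foo: bar}"
  return (missing && before.empty() && fixed && after == "{foo: bar}") ? 0 : 1;
}
```

The two halves are independent mitigations: the null check in the accessor stops a missing callback from becoming an abort or a null-pointer call, while propagating the setup to every runtime creation path removes the missing state in the first place. Either one on its own would have turned this crash into a benign result; the shell-side fix the assignee describes corresponds to the second.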
Comment 4 • 5 years ago
Hi Denis, since it looks like 1501608 was backed out, can we close this one out?
Flags: needinfo?(dpalmeiro)
Comment 5 • 5 years ago (Assignee)
Yes, a fix for this should also be in next time I push 1501608.
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(dpalmeiro)
Resolution: --- → FIXED
Updated • 5 years ago
status-firefox75: --- → unaffected
status-firefox76: --- → unaffected
status-firefox78: unaffected → ---
status-firefox-esr68: --- → unaffected
Target Milestone: --- → mozilla77
Comment 6 • 4 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200518152416-a627b6676824.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.