Hit MOZ_CRASH(error getting source element) at shell/js.cpp:4734
(Core :: JavaScript Engine, defect)
(Reporter: decoder, Assigned: tcampbell)
(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])
The following testcase crashes on mozilla-central revision 20210421-683c2a81d1a3 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --enable-private-methods):
// Reproducer (run in the SpiderMonkey shell with the flags given above):
// reads `.source.element` on a Debugger.Source after every
// cross-compartment wrapper has been nuked.
newGlobal();
function foo() {
// Nuke all existing CCWs up front; the debuggee global, the Debugger and
// the script it inspects are all created after this point.
nukeAllCCWs()
b = newGlobal({newCompartment: true});
c = new Debugger;
d = c.addDebuggee(b);
b.eval("function f() {}");
// Per the backtrace, the `element` getter (DebuggerSource getElement ->
// ScriptSourceObject::unwrappedElement -> GetElementCallback) is where the
// shell hits MOZ_CRASH("error getting source element") rather than
// reporting an error; the callback presumably cannot resolve the element
// through a nuked wrapper -- see the fix description below.
e = d.getOwnPropertyDescriptor('f').value.script.source.element;
}
new foo;
Backtrace (note that the SIGSEGV is MOZ_CRASH's deliberate store of the line number to address 0 — the faulting instruction below writes the immediate 0x127e = 4734 to 0x0 and then calls abort — i.e. a controlled assertion failure in the shell's source-element hook, not evidence of memory corruption):
received signal SIGSEGV, Segmentation fault.
#0 0x00005555569f6f34 in GetElementCallback(JSContext*, JS::Handle<JS::Value>) ()
#1 0x0000555556ebd6d7 in js::ScriptSourceObject::unwrappedElement(JSContext*) const ()
#2 0x000055555726b96e in bool js::DebuggerSource::CallData::ToNative<&js::DebuggerSource::CallData::getElement>(JSContext*, unsigned int, JS::Value*) ()
#3 0x0000555556b8c881 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#4 0x0000555556b8bfc0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#5 0x0000555556b8d3f1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#6 0x0000555556b8d610 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#7 0x0000555556b8e4b8 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#8 0x0000555556ee524f in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, js::ShapeProperty, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#9 0x0000555556ee5cfa in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#10 0x0000555556a58783 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) ()
#11 0x0000555556b91db7 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#12 0x0000555556b7e07d in Interpret(JSContext*, js::RunState&) ()
#13 0x0000555556b77a39 in js::RunScript(JSContext*, js::RunState&) ()
#14 0x0000555556b8eb2e in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#15 0x0000555556b8f064 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#16 0x0000555556d4089d in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#17 0x0000555556d40a9e in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#18 0x0000555556a5b3b6 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#19 0x0000555556a5aa16 in Process(JSContext*, char const*, bool, FileKind) ()
#20 0x0000555556a03054 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#21 0x00005555569fa93f in main ()
rax 0x55555582665b 93824995190363
rbx 0x7fffffffba00 140737488337408
rcx 0x555558022fa8 93825037119400
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffbaa0 140737488337568
rsp 0x7fffffffba00 140737488337408
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x7fffffffba10 140737488337424
r13 0x7ffff6026000 140737320738816
r14 0x7fffffffba30 140737488337456
r15 0x7ffff4a4b000 140737297821696
rip 0x5555569f6f34 <GetElementCallback(JSContext*, JS::Handle<JS::Value>)+884>
=> 0x5555569f6f34 <_Z18GetElementCallbackP9JSContextN2JS6HandleINS1_5ValueEEE+884>: movl $0x127e,0x0
0x5555569f6f3f <_Z18GetElementCallbackP9JSContextN2JS6HandleINS1_5ValueEEE+895>: callq 0x555556a853ae <abort>
Comment 1•4 years ago
Comment 2•4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210422093115-c00239b6c351.
The bug appears to have been introduced in the following build range:
Start: 3470d926c02ab45472ad7a932752df5bfeacf770 (20200512200601)
End: 554b7637fe60e8a57e5180b5daaa1441f1bea31b (20200512200659)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3470d926c02ab45472ad7a932752df5bfeacf770&tochange=554b7637fe60e8a57e5180b5daaa1441f1bea31b
Comment 3•4 years ago
Rename the JSGetElementCallback hook to JSSourceElementCallback to avoid
confusion with GetElement operations. Also make the hook fallible, so that an embedder (here, the shell's callback) can report a JS exception when the element cannot be retrieved — for example when the wrapper it needs belongs to a compartment that has been nuked, as in the testcase above — instead of having to MOZ_CRASH.
Comment 4•4 years ago
Rename the JSGetElementCallback hook to JSSourceElementCallback to avoid
confusion with GetElement operations.
Depends on D113876
Comment 6•4 years ago
bugherder |
https://hg.mozilla.org/mozilla-central/rev/880a6c906c5b
https://hg.mozilla.org/mozilla-central/rev/fc9efe606084
Comment 7•4 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210504033521-17594d43a3dc.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.