Closed Bug 1706937 Opened 4 years ago Closed 4 years ago

Hit MOZ_CRASH(error getting source element) at shell/js.cpp:4734

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
90 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- verified

People

(Reporter: decoder, Assigned: tcampbell)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20210421-683c2a81d1a3 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --enable-private-methods):

newGlobal();
function foo() {
  // Sever every existing cross-compartment wrapper (CCW) in the runtime.
  nukeAllCCWs();
  // A fresh global in its own compartment, attached to a Debugger.
  b = newGlobal({newCompartment: true});
  c = new Debugger;
  d = c.addDebuggee(b);
  b.eval("function f() {}");
  // Reading Debugger.Source.prototype.element invokes the shell's source-element
  // hook (GetElementCallback in the backtrace below), which hits the MOZ_CRASH.
  e = d.getOwnPropertyDescriptor('f').value.script.source.element;
}
new foo;

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555569f6f34 in GetElementCallback(JSContext*, JS::Handle<JS::Value>) ()
#1  0x0000555556ebd6d7 in js::ScriptSourceObject::unwrappedElement(JSContext*) const ()
#2  0x000055555726b96e in bool js::DebuggerSource::CallData::ToNative<&js::DebuggerSource::CallData::getElement>(JSContext*, unsigned int, JS::Value*) ()
#3  0x0000555556b8c881 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#4  0x0000555556b8bfc0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#5  0x0000555556b8d3f1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#6  0x0000555556b8d610 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#7  0x0000555556b8e4b8 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#8  0x0000555556ee524f in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, js::ShapeProperty, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#9  0x0000555556ee5cfa in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#10 0x0000555556a58783 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) ()
#11 0x0000555556b91db7 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#12 0x0000555556b7e07d in Interpret(JSContext*, js::RunState&) ()
#13 0x0000555556b77a39 in js::RunScript(JSContext*, js::RunState&) ()
#14 0x0000555556b8eb2e in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#15 0x0000555556b8f064 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#16 0x0000555556d4089d in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#17 0x0000555556d40a9e in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#18 0x0000555556a5b3b6 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#19 0x0000555556a5aa16 in Process(JSContext*, char const*, bool, FileKind) ()
#20 0x0000555556a03054 in Shell(JSContext*, js::cli::OptionParser*, char**) ()
#21 0x00005555569fa93f in main ()
rip	0x5555569f6f34 <GetElementCallback(JSContext*, JS::Handle<JS::Value>)+884>
=> 0x5555569f6f34 <_Z18GetElementCallbackP9JSContextN2JS6HandleINS1_5ValueEEE+884>:	movl   $0x127e,0x0
   0x5555569f6f3f <_Z18GetElementCallbackP9JSContextN2JS6HandleINS1_5ValueEEE+895>:	callq  0x555556a853ae <abort>
Attached file Testcase (deleted)

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210422093115-c00239b6c351.
The bug appears to have been introduced in the following build range:

Start: 3470d926c02ab45472ad7a932752df5bfeacf770 (20200512200601)
End: 554b7637fe60e8a57e5180b5daaa1441f1bea31b (20200512200659)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3470d926c02ab45472ad7a932752df5bfeacf770&tochange=554b7637fe60e8a57e5180b5daaa1441f1bea31b

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Has Regression Range: --- → yes
Assignee: nobody → tcampbell

Rename the JSGetElementCallback hook to JSSourceElementCallback to avoid
confusion with GetElement operations. Also make the hook fallible to allow
exceptions to be thrown (such as for nuked compartments).

Attachment #9219373 - Attachment description: WIP: Bug 1706937 - Make JS source element hook fallible → Bug 1706937 - Handle nuked CCWs in JS shell source element hook. r?jandem!

Rename the JSGetElementCallback hook to JSSourceElementCallback to avoid
confusion with GetElement operations.

Depends on D113876
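A self-contained C++ model of the change described in the two commit messages above (an infallible source-element hook whose only error path is MOZ_CRASH, beside the fallible form that lets a nuked-wrapper error propagate as a JS exception). This is an added example, not SpiderMonkey code: Context, Value, the nuked flag and the hook names are stand-ins for the real JSAPI types.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>
// Stand-ins for SpiderMonkey types (constructed for this example, not the real API).
struct Context { std::string pendingException; };
// A source-element value that may be a cross-compartment wrapper (CCW); once the
// wrapper is nuked its target is unreachable.
struct Value { bool isWrapper; bool nuked; std::string element; };

// Modelled unwrap: a nuked wrapper cannot be followed, so report failure and
// leave an exception pending on the context.
bool unwrapElement(Context& cx, const Value& v, std::string& out) {
  if (v.isWrapper && v.nuked) {
    cx.pendingException = "can't access dead object";
    return false;
  }
  out = v.element;
  return true;
}

// Before the fix: an infallible hook has no way to report an error, so the
// only option on the failure path is to abort the process (the MOZ_CRASH).
std::string infallibleSourceElementHook(Context& cx, const Value& v) {
  std::string out;
  if (!unwrapElement(cx, v, out)) {
    std::fputs("MOZ_CRASH(error getting source element)\n", stderr);
    std::abort();
  }
  return out;
}

// After the fix: the hook is fallible, returning false with the exception
// pending, so the Debugger.Source element getter can propagate a JS error.
bool fallibleSourceElementHook(Context& cx, const Value& v, std::string& out) {
  return unwrapElement(cx, v, out);
}

// Nuked wrapper: the fallible hook fails cleanly with an exception pending.
bool nukedWrapperIsReportedNotCrashed() {
  Context cx; std::string out;
  bool ok = fallibleSourceElementHook(cx, Value{true, true, "script"}, out);
  return !ok && cx.pendingException == "can't access dead object";
}

// Live wrapper: the same hook succeeds and yields the element.
bool liveElementResolves() {
  Context cx; std::string out;
  return fallibleSourceElementHook(cx, Value{true, false, "script"}, out) && out == "script";
}
```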

Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/880a6c906c5b
Handle nuked CCWs in JS shell source element hook. r=jandem
https://hg.mozilla.org/integration/autoland/rev/fc9efe606084
Cleanup JS source-element callback. r=jandem
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210504033521-17594d43a3dc.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon