Assertion failure: IsObjectValueInCompartment(v, compartment()), at vm/NativeObject.h:1074
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox107 | --- | wontfix |
| firefox108 | --- | wontfix |
| firefox109 | --- | verified |
People
(Reporter: decoder, Assigned: jonco)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20221123-c300f1dba775 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
function test(lfVarx) {
try {
oomTest(function() {
let m41 = parseModule(lfVarx);
moduleLink(m41);
moduleEvaluate(m41);
});
} catch (lfVare) {}
}
test(`
var g93 = newGlobal({newCompartment: true});
g93.eval("f(10);");
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555556b72621 in js::NativeObject::checkStoredValue(JS::Value const&) ()
#1 0x0000555556fb5cf5 in ResolvePromise(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<JS::Value>, JS::PromiseState, JS::Handle<js::SavedFrame*>) ()
#2 0x0000555556da04f8 in js::ModuleObject::topLevelCapabilityReject(JSContext*, JS::Handle<js::ModuleObject*>, JS::Handle<JS::Value>) ()
#3 0x0000555556f4d1aa in js::ModuleEvaluate(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::Value>) ()
#4 0x0000555556b9ba01 in ModuleEvaluate(JSContext*, unsigned int, JS::Value*) ()
#5 0x00002ec21584b943 in ?? ()
[...]
#9 0x0000000000000000 in ?? ()
rax 0x5555558333f8 93824995243000
rbx 0x7fffffffb4f0 140737488336112
rcx 0x5555582b1848 93825039800392
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffb3e0 140737488335840
rsp 0x7fffffffb3d0 140737488335824
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99800 140737353717760
r10 0x0 0
r11 0x0 0
r12 0x2 2
r13 0x555555945d00 93824996367616
r14 0x3b02cc713338 64883205944120
r15 0x7fffffffb4a8 140737488336040
rip 0x555556b72621 <js::NativeObject::checkStoredValue(JS::Value const&)+225>
=> 0x555556b72621 <_ZN2js12NativeObject16checkStoredValueERKN2JS5ValueE+225>: movl $0x432,0x0
0x555556b7262c <_ZN2js12NativeObject16checkStoredValueERKN2JS5ValueE+236>: callq 0x555556bfbf6c <abort>
|
Reporter | |
Comment 1•2 years ago
|
||
|
|
Reporter | |
Comment 2•2 years ago
|
||
|
||
Comment 3•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20221125092806-9f4fd5a62c72.
The bug appears to have been introduced in the following build range:
Start: 11aee184972ff75cb84b8fb630a65331791f9a38 (20220802075758)
End: 9226460a36d80abbdaac1d486921345de3f05e29 (20220802083847)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=11aee184972ff75cb84b8fb630a65331791f9a38&tochange=9226460a36d80abbdaac1d486921345de3f05e29
|
||
Updated•2 years ago
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 4•2 years ago
|
||
The problem here is that the ModuleEvaluate assumed that getPendingException would
leave the output value as undefined if it failed, but that wasn't true.
|
||
Updated•2 years ago
|
|
||
Comment 6•2 years ago
|
||
| bugherder | ||
|
|
||
Comment 7•2 years ago
|
||
Verified bug as fixed on rev mozilla-central 20221128213916-2781784fdc50.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Description
•