Open Bug 1823904 Opened 2 years ago Updated 2 years ago

Assertion failure: cx->realm()->isDebuggee(), at debugger/DebugScript.cpp:305

Categories

(Core :: JavaScript Engine, defect, P3)

defect


People

(Reporter: lukas.bernhard, Unassigned)

References

(Blocks 2 open bugs)

Details

Steps to reproduce:

On git commit d00845a44a8d1bf3f472ff36fd3f22a03af30a76 the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js

// Fuzzer-generated reproducer (see backtrace below). A Set that contains itself;
// Set.prototype.add returns the receiver, so v2 is the same object as v1. v2 is
// later used as the `sameZoneAs` option for the new global created inside f3.
const v1 = new Set();
const v2 = v1.add(v1);
// Async function whose frame is the one the Debugger later inspects. Being async,
// its frame is backed by a generator object (frames #1-#2 of the backtrace:
// DebuggerFrame::create -> setGeneratorInfo). Only a6 is observably used here.
async function f3(a4, a5, a6) {
    await a6; 
    // Loop bounds cover ~8.6e8 steps; the assertion presumably fires on the
    // first iteration, so the bound is fuzzer noise rather than a requirement.
    for (let v11 = -4294967297; v11 < 9; v11 = v11 + 5) {
        const o12 = { 
        };  
        // Sloppy-mode call with no receiver: `this` is the global object, so
        // f13(v2, f13) returns the global and f13 itself becomes the options
        // object for newGlobal, carrying sameZoneAs = v2 (the Set from above).
        function f13(a14, a15) {
            a15.sameZoneAs = v2; 
            return this;
        }
        // v18: a fresh global in the same zone as v2 (shell newGlobal option).
        const v18 = f13(v2, f13).newGlobal(f13);
        // v20 is a boolean; v20 % v20 is 0 or NaN, i.e. always falsy.
        const v20 = !(v11 << v11);
        const v21 = v18.Debugger;
        // Debugger instance (from the other global) observing o12's realm.
        const v22 = v21(o12);
        // Debugger.Frame for the newest frame (this async function), then its
        // async promise.
        const v24 = v22.getNewestFrame(-4294967297, Set).asyncPromise;
        // Because v20 % v20 is falsy this is v22.removeAllDebuggees(...):
        // the realm stops being a debuggee before the next line runs.
        ((v20 % v20) || v22).removeAllDebuggees(v21, v20, -4294967297);
        // Walks the promise's reaction records and creates a Debugger.Frame for
        // the async function's generator (frames #0-#9). That path increments the
        // generator observer count, which asserts cx->realm()->isDebuggee() --
        // no longer true after removeAllDebuggees.
        v24.getPromiseReactions(f3, a6, v1, a5);
    }
    return v2; 
}
// First call: a6 is undefined, so `await a6` yields and v29 is f3's pending
// promise. Second call awaits that pending promise; its continuation runs later
// as a microtask and reaches the Debugger calls in the loop body.
const v29 = f3();
f3(v1, v29, v29);
#0  0x000055555806bbc2 in js::DebugScript::incrementGeneratorObserverCount (cx=0x7ffff7435c00, script=...)     at js/src/debugger/DebugScript.cpp:305
#1  0x0000555558092e4b in js::DebuggerFrame::setGeneratorInfo (cx=0x7ffff7435c00, frame=..., genObj=...)     at js/src/debugger/Frame.cpp:389
#2  0x000055555806effa in js::DebuggerFrame::create (cx=0x7ffff7435c00, proto=..., debugger=..., maybeIter=0x0, maybeGenerator=...) at js/src/debugger/Frame.cpp:250
#3  0x000055555806f5b7 in js::Debugger::getFrame (this=0x7ffff4d2a300, cx=0x7ffff7435c00, genObj=..., result=...) at js/src/debugger/Debugger.cpp:723
#4  0x000055555816dc36 in js::DebuggerObject::PromiseReactionRecordBuilder::maybePushGenerator (this=0x7fffffff9a28, cx=0x7ffff7435c00, unwrappedGenerator=...) at js/src/debugger/Object.cpp:1423
#5  0x000055555816d729 in js::DebuggerObject::PromiseReactionRecordBuilder::asyncFunction (this=0x7fffffff9a28, cx=0x7ffff7435c00, unwrappedGenerator=...) at js/src/debugger/Object.cpp:1396
#6  0x0000555557b4e612 in js::PromiseObject::forEachReactionRecord(JSContext*, js::PromiseReactionRecordBuilder&)::$_6::operator()(JS::MutableHandle<JSObject*>) const (this=0x7fffffff98f0, obj=...) at js/src/builtin/Promise.cpp:6223
#7  0x0000555557ad2619 in ForEachReaction<js::PromiseObject::forEachReactionRecord(JSContext*, js::PromiseReactionRecordBuilder&)::$_6>(JSContext*, JS::Handle<JS::Value>, js::PromiseObject::forEachReactionRecord(JSContext*, js::PromiseReactionRecordBuilder&)::$_6) (cx=0x7ffff7435c00, reactionsVal=..., f=...) at js/src/builtin/Promise.cpp:1976
#8  0x0000555557ad2404 in js::PromiseObject::forEachReactionRecord (this=0x1639ac9006c0, cx=0x7ffff7435c00, builder=...)
    at js/src/builtin/Promise.cpp:6205
#9  0x000055555814de57 in js::DebuggerObject::CallData::getPromiseReactionsMethod (this=0x7fffffff9ae0)
    at js/src/debugger/Object.cpp:1456
#10 0x0000555558163e04 in js::DebuggerObject::CallData::ToNative<&js::DebuggerObject::CallData::getPromiseReactionsMethod> (cx=0x7ffff7435c00, 
    argc=4, vp=0x7fffffff9fd0) at js/src/debugger/Object.cpp:234
#11 0x0000555557573ace in CallJSNative (cx=0x7ffff7435c00, 
    native=0x555558163c50 <js::DebuggerObject::CallData::ToNative<&js::DebuggerObject::CallData::getPromiseReactionsMethod>(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call, args=...
) at js/src/vm/Interpreter.cpp:459
#12 0x00005555575732ad in js::InternalCallOrConstruct (cx=0x7ffff7435c00, args=..., construct=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:553
#13 0x00005555575746a1 in InternalCall (cx=0x7ffff7435c00, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:620
#14 0x00005555575748e5 in js::Call (cx=0x7ffff7435c00, fval=..., thisv=..., args=..., rval=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:652
#15 0x0000555557ff4e58 in js::ForwardingProxyHandler::call (this=0x55555993cac0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff7435c00, 
    proxy=..., args=...) at js/src/proxy/Wrapper.cpp:168
#16 0x0000555557fc9b85 in js::CrossCompartmentWrapper::call (this=0x55555993cac0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff7435c00, 
    wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:229
#17 0x0000555557fe4711 in js::Proxy::call (cx=0x7ffff7435c00, proxy=..., args=...) at js/src/proxy/Proxy.cpp:676
#18 0x0000555557572f3a in js::InternalCallOrConstruct (cx=0x7ffff7435c00, args=..., construct=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:533
#19 0x00005555575746a1 in InternalCall (cx=0x7ffff7435c00, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:620
#20 0x0000555557574465 in js::CallFromStack (cx=0x7ffff7435c00, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:625
#21 0x0000555557565134 in Interpret (cx=0x7ffff7435c00, state=...) at js/src/vm/Interpreter.cpp:3368
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Blocks: js-debugger
Severity: -- → S3
Priority: -- → P3