Assertion failure: IsConstructor(args.CallArgs::newTarget()) (provided new.target value must be a constructor), at /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:704
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr140 | --- | unaffected |
| firefox143 | --- | unaffected |
| firefox144 | --- | unaffected |
| firefox145 | --- | fixed |
| firefox146 | --- | fixed |
People
(Reporter: tsmith, Assigned: iain)
References
(Blocks 2 open bugs, Regression, )
Details
(6 keywords)
Crash Data
Attachments
(2 files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-beta+
|
Details | Review |
Found with m-c 20251008-da5bff21c5c7 (--enable-debug)
This was found by visiting a live website with a debug build.
STR:
- Launch browser and visit site
This issue was triggered by visiting https://2game.com/de_de/search/football%20manager%2026/.
Assertion failure: IsConstructor(args.CallArgs::newTarget()) (provided new.target value must be a constructor), at /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:704
0|0|libxul.so|InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|703|0x5f3
0|1|libxul.so|js::Construct(JSContext*, JS::Handle<JS::Value>, js::AnyConstructArgs const&, JS::Handle<JS::Value>, JS::MutableHandle<JSObject*>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|774|0x8d
0|2|libxul.so|js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jit/VMFunctions.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|523|0x44b
0|3|||||
0|4|||||
0|5|||||
0|6|libxul.so|js::jit::MaybeEnterJit(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/jit/Jit.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|255|0x49b
0|7|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|450|0x3ba
0|8|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|618|0x2e5
0|9|libxul.so|InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|717|0x21c
0|10|libxul.so|js::Construct(JSContext*, JS::Handle<JS::Value>, js::AnyConstructArgs const&, JS::Handle<JS::Value>, JS::MutableHandle<JSObject*>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|774|0x8d
0|11|libxul.so|js::SpreadCallOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|5015|0x36f
0|12|libxul.so|js::Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|3204|0xc833
0|13|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|460|0x3d3
0|14|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|618|0x2e5
0|15|libxul.so|InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|717|0x21c
0|16|libxul.so|js::Construct(JSContext*, JS::Handle<JS::Value>, js::AnyConstructArgs const&, JS::Handle<JS::Value>, JS::MutableHandle<JSObject*>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|774|0x8d
0|17|libxul.so|js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jit/VMFunctions.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|523|0x44b
0|18|libxul.so|js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*)|hg:hg.mozilla.org/mozilla-central:js/src/jit/VMFunctions.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|572|0x10a
0|19|||||
0|20|||||
0|21|||||
0|22|||||
0|23|||||
0|24|||||
0|25|libxul.so|js::jit::MaybeEnterJit(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/jit/Jit.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|255|0x49b
0|26|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|450|0x3ba
0|27|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|618|0x2e5
0|28|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|685|0x12c
0|29|libxul.so|js::ScriptedProxyHandler::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const|hg:hg.mozilla.org/mozilla-central:js/src/proxy/ScriptedProxyHandler.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|1410|0x674
0|30|libxul.so|js::Proxy::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/proxy/Proxy.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|725|0xc2
0|31|libxul.so|InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|727|0x322
0|32|libxul.so|js::Construct(JSContext*, JS::Handle<JS::Value>, js::AnyConstructArgs const&, JS::Handle<JS::Value>, JS::MutableHandle<JSObject*>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|774|0x8d
0|33|libxul.so|js::SpreadCallOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|5015|0x36f
0|34|libxul.so|js::Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|3204|0xc833
0|35|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|460|0x3d3
0|36|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|618|0x2e5
0|37|libxul.so|InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|717|0x21c
0|38|libxul.so|js::Construct(JSContext*, JS::Handle<JS::Value>, js::AnyConstructArgs const&, JS::Handle<JS::Value>, JS::MutableHandle<JSObject*>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|774|0x8d
0|39|libxul.so|js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jit/VMFunctions.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|523|0x44b
0|40|libxul.so|js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*)|hg:hg.mozilla.org/mozilla-central:js/src/jit/VMFunctions.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|572|0x10a
0|41|||||
0|42|||||
0|43|||||
0|44|||||
0|45|||||
0|46|||||
0|47|libxul.so|js::jit::MaybeEnterJit(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/jit/Jit.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|255|0x49b
0|48|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|450|0x3ba
0|49|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|618|0x2e5
0|50|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|685|0x12c
0|51|libxul.so|js::ScriptedProxyHandler::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const|hg:hg.mozilla.org/mozilla-central:js/src/proxy/ScriptedProxyHandler.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|1410|0x674
0|52|libxul.so|js::Proxy::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/proxy/Proxy.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|725|0xc2
0|53|libxul.so|InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|727|0x322
0|54|libxul.so|js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jit/BaselineIC.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|1674|0x4f3
0|55|||||
0|56|||||
0|57|||||
0|58|||||
0|59|||||
0|60|||||
0|61|||||
0|62|||||
0|63|||||
0|64|||||
0|65|||||
0|66|||||
0|67|||||
0|68|libxul.so|js::jit::MaybeEnterJit(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/jit/Jit.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|255|0x49b
0|69|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|450|0x3ba
0|70|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|618|0x2e5
0|71|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|685|0x12c
0|72|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/CallAndConstruct.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|119|0x20b
0|73|libxul.so|mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)|s3:gecko-generated-sources:6bb50a9febd07b2ad041cb59a1fa6678b97d5dfa7934c45cdfb310e02ee1d5fd2d0aff84c3cbda807717ae7247884aa5f52594385c678b698b0d951ba796aa45/dom/bindings/EventHandlerBinding.cpp:|65|0x305
0|74|libxul.so|mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObjectBase::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:2c0600fb668133ec78b4dbdd71621eeefcafca4a527e24f8dcefe291fb1ae7c5c4647bce637883fe669db31805b6a9d1251a807433b4f2db5c3b207f28308026/dist/include/mozilla/dom/EventHandlerBinding.h:|82|0x12b
0|75|libxul.so|mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*)|hg:hg.mozilla.org/mozilla-central:dom/events/JSEventHandler.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|201|0x52b
0|76|libxul.so|mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|1301|0x301
0|77|libxul.so|mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|1607|0x389
0|78|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|1512|0x1df
0|79|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|365|0x1de
0|80|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|606|0x65c
0|81|libxul.so|mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|1261|0x15d2
0|82|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54||0x11a
0|83|libxul.so|nsWindowRoot::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsWindowRoot.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|83|0x3b
0|84|libxul.so|mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventTarget.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|215|0x57
0|85|libxul.so|mozilla::dom::PostMessageRunnable::DispatchMessage() const|hg:hg.mozilla.org/mozilla-central:dom/messagechannel/MessagePort.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|136|0x2c0
0|86|libxul.so|mozilla::dom::PostMessageRunnable::Run()|hg:hg.mozilla.org/mozilla-central:dom/messagechannel/MessagePort.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|72|0x32
0|87|libxul.so|mozilla::RunnableTask::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|705|0x17
0|88|libxul.so|mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|1325|0x597
0|89|libxul.so|mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|1148|0x57
0|90|libxul.so|mozilla::TaskController::ProcessPendingMTTask(bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|641|0x65
0|91|libxul.so|mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:da5bff21c5c7a34178f2412db66ffe8998ec2e54|549|0x16
0|92|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|1157|0x5aa
0|93|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|462|0x4f
0|94|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|85|0xc0
0|95|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:da5bff21c5c7a34178f2412db66ffe8998ec2e54|343|0x61
0|96|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|148|0x28
0|97|libxul.so|nsAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/gtk/nsAppShell.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|471|0x114
0|98|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|657|0x6b
0|99|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|235|0x3c
0|100|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:da5bff21c5c7a34178f2412db66ffe8998ec2e54|343|0x61
0|101|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|595|0xa11
0|102|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:da5bff21c5c7a34178f2412db66ffe8998ec2e54|420|0x21c
0|103|libc.so.6||||
0|104|libc.so.6||||
0|105|firefox-bin|_start|||0x28
|
Reporter | |
Comment 1•9 days ago
|
||
The URL also seems to be triggering a frequent crash as well.
|
|
Reporter | |
Comment 2•9 days ago
|
||
A Pernosco for the crash is available here: https://pernos.co/debug/gdyDJDwfEX1V7oB-PLzVAQ/index.html
|
|
Reporter | |
Comment 3•9 days ago
|
||
A Pernosco session for the assertion is available here: https://pernos.co/debug/tHwudV3epUoBzCLv9HUj7g/index.html
|
Assignee | |
Comment 4•8 days ago
|
||
This is a regression from bug 1991223. Here's a shell testcase:
class C {
constructor(a,b,c) {}
}
class D extends C {
constructor(x) {
super(...x);
}
}
let P = new Proxy(D, {});
function foo() {
return new P([1,2]);
}
with ({}) {}
for (var i = 0; i < 2000; i++) {
foo();
}
Prior to the patch, we only called the arguments rectifier if we were calling JIT code. The slow path (a VM call to InvokeFunction) would never pad out missing arguments. After the patch, we push the missing arguments earlier. We check to make sure that we're calling a function with a JIT entry, but there are a few other checks that might cause us to take the slow path which aren't duplicated. In this particular case, it looks like newTarget is a proxy object, which causes CreateThisFromIon to return null, forcing us down the slow path. InvokeFunction expects newTarget at argv[argc], but since we pushed extra undefined values, it's actually at argv[callee->nargs()].
The good news here is that the bogus NewTarget will always be UndefinedValue, which is not a valid pointer and does not unbox into a valid pointer, so this should always crash safely. I don't think this is security sensitive.
One possible fix is to duplicate all of the checks before handling arguments underflow. Another is to check in InvokeFunction whether newTarget is undefined, and if it is, go look at the correct offset instead. The latter adds less overhead to the fast path, so I think I prefer it.
|
||
Comment 5•8 days ago
|
||
Set release status flags based on info from the regressing bug 1991223
|
|
||
Comment 6•8 days ago
|
||
The bug is linked to a topcrash signature, which matches the following criteria:
- Top 20 desktop browser crashes on release (startup)
- Top 20 desktop browser crashes on beta
- Top 10 desktop browser crashes on nightly
- Top 10 content process crashes on beta
- Top 10 content process crashes on release
For more information, please visit BugBot documentation.
|
||
Updated•4 days ago
|
|
|
||
Comment 7•4 days ago
|
||
Set release status flags based on info from the regressing bug 1991223
|
|
Assignee | |
Comment 8•3 days ago
|
||
Prior to bug 1991223, we only called the arguments rectifier in CodeGenerator::emitApplyGeneric if we were definitely calling JIT code. The slow path (a VM call to InvokeFunction) would never pad out missing arguments. After the patch, we push the missing arguments earlier. We do check to make sure that we're calling a function with a JIT entry, but there are a few more checks in emitApplyGeneric that might cause us to take the slow path, and those checks aren't duplicated. In particular, if newTarget is a proxy object, then CreateThisFromIon will return null, forcing us down the slow path. InvokeFunction expects newTarget at argv[argc], but since we pushed extra undefined values, it's actually at argv[callee->nargs()].
This patch updates InvokeFunction to check for this case. The alternative would be to pass this in to emitAllocateSpaceForConstructAndPushNewTarget and add a check here to see if this is null. (We don't need to check whether the callee is a constructor because InvokeFunction already does that before looking at newTarget. We don't need to handle this problem in non-constructing contexts because then we won't be passing newTarget.) I went with the current approach instead because a) it moves the extra check into the slow path, and b) it will continue to work if we add new branches to the slow path in the future, without needing us to update emitAllocateSpaceForConstructAndPushNewTarget.
I believe we could technically remove the branchIfFunctionHasJitEntry check in emitAllocateSpaceForConstructAndPushNewTarget, but that lets us avoid doing extra work when calling non-scripted constructors, so I think it is still pulling its own weight. The cases that we're fixing here are significantly less common.
|
||
Comment 10•2 days ago
|
||
| bugherder | ||
|
|
||
Comment 11•2 days ago
|
||
The patch landed in nightly and beta is affected.
:iain, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set
status-firefox145towontfix.
For more information, please visit BugBot documentation.
|
||
Comment 13•2 days ago
|
||
firefox-beta Uplift Approval Request
- User impact if declined: Crashes have been observed in the wild.
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing:
- Risk associated with taking this patch: low
- Explanation of risk level: Small, narrowly targeted patch.
- String changes made/needed: None.
- Is Android affected?: yes
|
|
Assignee | |
Comment 14•2 days ago
|
||
Prior to bug 1991223, we only called the arguments rectifier in CodeGenerator::emitApplyGeneric if we were definitely calling JIT code. The slow path (a VM call to InvokeFunction) would never pad out missing arguments. After the patch, we push the missing arguments earlier. We do check to make sure that we're calling a function with a JIT entry, but there are a few more checks in emitApplyGeneric that might cause us to take the slow path, and those checks aren't duplicated. In particular, if newTarget is a proxy object, then CreateThisFromIon will return null, forcing us down the slow path. InvokeFunction expects newTarget at argv[argc], but since we pushed extra undefined values, it's actually at argv[callee->nargs()].
This patch updates InvokeFunction to check for this case. The alternative would be to pass this in to emitAllocateSpaceForConstructAndPushNewTarget and add a check here to see if this is null. (We don't need to check whether the callee is a constructor because InvokeFunction already does that before looking at newTarget. We don't need to handle this problem in non-constructing contexts because then we won't be passing newTarget.) I went with the current approach instead because a) it moves the extra check into the slow path, and b) it will continue to work if we add new branches to the slow path in the future, without needing us to update emitAllocateSpaceForConstructAndPushNewTarget.
I believe we could technically remove the branchIfFunctionHasJitEntry check in emitAllocateSpaceForConstructAndPushNewTarget, but that lets us avoid doing extra work when calling non-scripted constructors, so I think it is still pulling its own weight. The cases that we're fixing here are significantly less common.
Original Revision: https://phabricator.services.mozilla.com/D268633
|
|
Assignee | |
Updated•2 days ago
|
|
|
||
Comment 15•2 days ago
|
||
Copying crash signatures from duplicate bugs.
|
|
||
Updated•23 hours ago
|
|
||
Updated•23 hours ago
|
|
||
Comment 16•23 hours ago
|
||
| uplift | ||
Description
•