Segfault on github

[Manishearth]

Running ./mach run https://github.com/login --userscripts with the following in 00.example.js:

window.history = {};
CanvasRenderingContext2D.prototype.fillText = function(a,b,c){alert(a);alert(b);alert(c)}

gives a segfault:

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7fffdcfff700 (LWP 8024)]
    0x0000000000000000 in ?? ()
    (gdb) where
    #0  0x0000000000000000 in ?? ()
    #1  0x0000555557867343 in TryPreserveReflector (cx=0x7fffa4027ec0, obj=...)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/jsweakmap.cpp:333
    #2  0x00005555578989f1 in SetWeakMapEntryInternal (value=..., key=..., mapObj=..., cx=0x7fffa4027ec0)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/jsweakmap.cpp:368
    #3  WeakMap_set_impl (args=..., cx=0x7fffa4027ec0)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/jsweakmap.cpp:405
    #4  CallNonGenericMethod<IsWeakMap, WeakMap_set_impl> (args=..., cx=0x7fffa4027ec0)
        at ../../dist/include/js/CallNonGenericMethod.h:100
    #5  js::WeakMap_set (cx=0x7fffa4027ec0, argc=<optimized out>, vp=0x7fffa4078ed0)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/jsweakmap.cpp:415
    #6  0x00005555574b02c9 in CallJSNative (args=...,
        native=0x555557898870 <js::WeakMap_set(JSContext*, unsigned int, JS::Value*)>, cx=0x7fffa4027ec0)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/jscntxtinlines.h:235
    #7  js::Invoke (cx=0x7fffa4027ec0, args=..., construct=<optimized out>)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/vm/Interpreter.cpp:502
    #8  0x00005555574ab00a in Interpret (cx=0x7fffa4027ec0, state=...)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/vm/Interpreter.cpp:2609
    #9  0x00005555574aff6e in js::RunScript (cx=cx@entry=0x7fffa4027ec0, state=...)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/vm/Interpreter.cpp:452
    #10 0x00005555574b01fb in js::Invoke (cx=cx@entry=0x7fffa4027ec0, args=...,
        construct=construct@entry=js::NO_CONSTRUCT)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/vm/Interpreter.cpp:---Type <return> to continue, or q <return> to quit---
    521
    #11 0x000055555782a8e4 in js::fun_apply (cx=0x7fffa4027ec0, argc=<optimized out>, vp=0x7fffa4078c98)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/jsfun.cpp:1311
    #12 0x00005555574b02c9 in CallJSNative (args=...,
        native=0x55555782a500 <js::fun_apply(JSContext*, unsigned int, JS::Value*)>, cx=0x7fffa4027ec0)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/jscntxtinlines.h:235
    #13 js::Invoke (cx=0x7fffa4027ec0, args=..., construct=<optimized out>)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/vm/Interpreter.cpp:502
    #14 0x00005555574ab00a in Interpret (cx=0x7fffa4027ec0, state=...)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/vm/Interpreter.cpp:2609
    #15 0x00005555574aff6e in js::RunScript (cx=cx@entry=0x7fffa4027ec0, state=...)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/vm/Interpreter.cpp:452
    #16 0x00005555574b01fb in js::Invoke (cx=cx@entry=0x7fffa4027ec0, args=...,
        construct=construct@entry=js::NO_CONSTRUCT)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/vm/Interpreter.cpp:521
    #17 0x00005555574b187f in js::Invoke (cx=cx@entry=0x7fffa4027ec0, thisv=..., fval=..., argc=0,
        argv=<optimized out>, rval=...)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/vm/Interpreter.cpp:558
    #18 0x00005555577aba3a in JS_CallFunctionValue (cx=0x7fffa4027ec0, obj=..., fval=..., args=..., rval=...)
        at /home/manishearth/Mozilla/.cargo/git/checkouts/mozjs-06d7f04b6dbb8a8e/master/mozjs/js/src/jsapi.cpp:4335
    #19 0x000055555737f57f in js::jsapi::JS_CallFunctionValue (cx=0x7fffa4027ec0, obj=..., fval=...,
    ---Type <return> to continue, or q <return> to quit---
        args=0x7fffdcff9c78, rval=...)
        at /home/manishearth/Mozilla/servo/./../.cargo/git/checkouts/rust-mozjs-ebb4917e843c0a11/master/src/jsapi.rs:9071
    #20 0x000055555737f505 in jsapi::JS_CallFunctionValue::h281838e13376d4e8eri ()



    #21 0x00005555563eb6f2 in script::dom::bindings::codegen::Bindings::FunctionBinding::Function::Call (
        self=0x7fffed4235f0, cx=0x7fffa4027ec0, aThisObj=..., arguments=...)
        at /home/manishearth/Mozilla/servo/target/debug/build/script-c97123ae59ea59fd/out/Bindings/FunctionBinding.rs:151
    #22 0x0000555556932d4a in script::dom::bindings::codegen::Bindings::FunctionBinding::Function::Call_<script::dom::window::Window> (self=0x7fffed4235f0, thisObj=0x7fffb7c43600, arguments=..., aExceptionHandling=Report)
        at /home/manishearth/Mozilla/servo/target/debug/build/script-c97123ae59ea59fd/out/Bindings/FunctionBinding.rs:125
    #23 0x000055555692f92a in script::timers::TimerManager::fire_timer<script::dom::window::Window> (
        self=0x7fffb7c43700, timer_id=..., this=0x7fffb7c43600)
        at /home/manishearth/Mozilla/servo/components/script/timers.rs:253
    #24 0x000055555692f39e in script::dom::window::Window::handle_fire_timer (self=0x7fffb7c43600, timer_id=...)
        at /home/manishearth/Mozilla/servo/components/script/dom/window.rs:1082
    #25 0x00005555569cd697 in script::script_task::ScriptTask::handle_fire_timer_msg (self=0x7fffdcffe038, id=...,
        timer_id=...) at /home/manishearth/Mozilla/servo/components/script/script_task.rs:1317
    #26 0x0000555556997eaa in script::script_task::ScriptTask::handle_msg_from_script (self=0x7fffdcffe038, msg=...)
        at /home/manishearth/Mozilla/servo/components/script/script_task.rs:1005
    #27 0x00005555569c38ef in fnfn () at /home/manishearth/Mozilla/servo/components/script/script_task.rs:861
    #28 0x00005555569c346d in script::script_task::ScriptTask::profile_event<closure,core::option::Option<bool>> (
        self=0x7fffdcffe038, category=ScriptEvent, f=...)
        at /home/manishearth/Mozilla/servo/components/script/script_task.rs:938
    #29 0x000055555699fd60 in script::script_task::ScriptTask::handle_msgs (self=0x7fffdcffe038)
        at /home/manishearth/Mozilla/servo/components/script/script_task.rs:853
    ---Type <return> to continue, or q <return> to quit---
    #30 0x0000555556994fd1 in script::script_task::ScriptTask::start (self=0x7fffdcffe038)
        at /home/manishearth/Mozilla/servo/components/script/script_task.rs:718
    #31 0x0000555556994f9d in fnfn () at /home/manishearth/Mozilla/servo/components/script/script_task.rs:523
    #32 0x0000555556994cd5 in script::mem::ProfilerChan::run_with_memory_reporting<closure,fn(profile_traits::mem::ReportsChan) -> script::script_task::CommonScriptMsg,script::script_task::CommonScriptMsg,Box<ScriptChan>> (
        self=0x7fffdcffe388, f=..., reporter_name=..., channel_for_reporter=...,
        msg=0x5555566d7850 <script_task::CommonScriptMsg::CollectReports::h3105872027882182930>)
        at /home/manishearth/Mozilla/servo/components/profile_traits/mem.rs:61
    #33 0x000055555698b6d6 in fnfn () at /home/manishearth/Mozilla/servo/components/script/script_task.rs:522
    #34 0x000055555698a8a8 in fnfn () at /home/manishearth/Mozilla/servo/components/util/task.rs:31
    #35 0x000055555698a7f8 in script::boxed::F.FnBox<A>::call_box (self=0x7fffdec48280, args=0)
        at src/liballoc/boxed.rs:493
    #36 0x000055555623209c in script::boxed::Box<FnBox<A, Output = R>+ Send + 'a>.FnOnce<A>::call_once (self=...,
        args=0) at src/liballoc/boxed.rs:509
    #37 0x0000555556231c9e in fnfn () at src/libstd/thread/mod.rs:279
    #38 0x0000555556231c4a in script::rt::unwind::try::try_fn<closure> (opt_closure=0x7fffdcffe8f0 "")
        at src/libstd/rt/unwind/mod.rs:164
    #39 0x0000555557e27669 in __rust_try ()
    #40 0x0000555557e22323 in rt::unwind::try::inner_try::h7ad94d24dbab5183zNw ()
    #41 0x0000555556231bb4 in script::rt::unwind::try<closure> (f=...) at src/libstd/rt/unwind/mod.rs:136
    #42 0x0000555556231a49 in fnfn () at src/libstd/thread/mod.rs:279
    #43 0x00005555562322dd in script::boxed::F.FnBox<A>::call_box (self=0x7fffdec24120, args=0)
        at src/liballoc/boxed.rs:493
    #44 0x0000555557e26af4 in sys::thread::Thread::new::thread_start::h6529454a6c71bc13mXv ()
    #45 0x00007ffff6db76aa in start_thread (arg=0x7fffdcfff700) at pthread_create.c:333
    #46 0x00007ffff75feeed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109 

Seems like a setTimeout()-created function is causing a crash. I'm not familiar enough with SM to be able to trace the origin of this or make a MWE.

I suspect the window.history replacement causes this (the filltext replacement is just required so that it doesn't crash early)
cc @michaelwu

[michaelwu]

Could you rebuild with --features script/debugmozjs and get another stack?

[Ms2ger]

#7218