Bug 1519140 Comment 0 Edit History


The following testcase crashes on mozilla-central revision 74bb778f7879 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

try {
  var g = newGlobal();
  g.eval("(" + function () {
    f(import(""));
  } + ")();");
} catch(exc) {}
fullcompartmentchecks(true);


Backtrace:

received signal SIGSEGV, Segmentation fault.
CompartmentCheckTracer::onChild (this=0x7fffffffd0d0, thing=...) at js/src/gc/GC.cpp:4053
#0  CompartmentCheckTracer::onChild (this=0x7fffffffd0d0, thing=...) at js/src/gc/GC.cpp:4053
#1  0x0000555555c902ca in JS::CallbackTracer::onObjectEdge (this=0x7fffffffd0d0, objp=<optimized out>) at dist/include/js/TracingAPI.h:157
#2  0x000055555602b088 in JS::CallbackTracer::dispatchToOnEdge (objp=0x7fffffffce50, this=0x7fffffffd0d0) at dist/include/js/TracingAPI.h:259
#3  DoCallback<JSObject*> (trc=0x7fffffffd0d0, thingp=thingp@entry=0x7fffffffce50, name=0x555556ab487f "jit-masm-value") at js/src/gc/Tracer.cpp:47
#4  0x000055555602f086 in DoCallbackFunctor<JS::Value>::operator()<JSObject> (this=<synthetic pointer>, name=<optimized out>, trc=<optimized out>, t=<optimized out>) at js/src/gc/Tracer.cpp:59
#5  js::DispatchTyped<DoCallbackFunctor<JS::Value>, JS::CallbackTracer*&, char const*&> (f=..., val=..., args#0=@0x7fffffffceb8: 0x7fffffffd0d0, args#1=@0x7fffffffceb0: 0x555556ab487f "jit-masm-value") at dist/include/js/Value.h:1327
#6  0x000055555601e496 in DoCallback<JS::Value> (trc=<optimized out>, vp=vp@entry=0x7fffffffcf30, name=<optimized out>, name@entry=0x555556ab487f "jit-masm-value") at js/src/gc/Tracer.cpp:68
#7  0x0000555556002149 in js::gc::TraceEdgeInternal<JS::Value> (trc=trc@entry=0x7fffffffd0d8, thingp=thingp@entry=0x7fffffffcf30, name=name@entry=0x555556ab487f "jit-masm-value") at js/src/gc/Marking.cpp:576
#8  0x00005555560fa16e in js::TraceManuallyBarrieredEdge<JS::Value> (name=0x555556ab487f "jit-masm-value", thingp=0x7fffffffcf30, trc=0x7fffffffd0d8) at js/src/gc/Tracer.h:185
#9  js::jit::AssemblerX86Shared::TraceDataRelocations (trc=trc@entry=0x7fffffffd0d8, code=code@entry=0x7ffff4dda100, reader=...) at js/src/jit/x86-shared/Assembler-x86-shared.cpp:56
#10 0x0000555556210618 in js::jit::JitCode::traceChildren (this=0x7ffff4dda100, trc=0x7fffffffd0d8) at js/src/jit/Ion.cpp:710
#11 0x0000555556016cba in js::TraceChildren (trc=<optimized out>, trc@entry=0x7fffffffd0d8, thing=<optimized out>, kind=<optimized out>) at js/src/gc/Tracer.cpp:129
#12 0x0000555555fb546b in js::gc::GCRuntime::checkForCompartmentMismatches (this=this@entry=0x7ffff5f1c6a0) at js/src/gc/GC.cpp:4074
#13 0x0000555555fd1f58 in js::gc::GCRuntime::beginMarkPhase (this=0x7ffff5f1c6a0, reason=JS::gcreason::DESTROY_RUNTIME, session=...) at js/src/gc/GC.cpp:4263
#14 0x0000555555fd357c in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff5f1c6a0, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME, session=...) at js/src/gc/GC.cpp:6989
#15 0x0000555555fd3fb2 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff5f1c6a0, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7410
#16 0x0000555555fd47e5 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f1c6a0, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7582
#17 0x0000555555fd4bf9 in js::gc::GCRuntime::gc (this=this@entry=0x7ffff5f1c6a0, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7660
#18 0x0000555555bec15f in JSRuntime::destroyRuntime (this=0x7ffff5f1c000) at js/src/vm/Runtime.cpp:283
#19 0x0000555555b2d22f in js::DestroyContext (cx=0x7ffff5f18000) at js/src/vm/JSContext.cpp:203
#20 0x000055555583714a in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11326
rax	0x555557bf7280	93825032745600
rbx	0x7fffffffd0d0	140737488343248
rcx	0x555556b8a178	93825015521656
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffcdb0	140737488342448
rsp	0x7fffffffcda0	140737488342432
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6c80	140737354034304
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffffcdc0	140737488342464
r13	0x555555fd71d0	93825003254224
r14	0x7fffffffceb0	140737488342704
r15	0xfffaffffffffffff	-1407374883553281
rip	0x555555fd7264 <CompartmentCheckTracer::onChild(JS::GCCellPtr const&)+148>
=> 0x555555fd7264 <CompartmentCheckTracer::onChild(JS::GCCellPtr const&)+148>:	movl   $0x0,0x0
   0x555555fd726f <CompartmentCheckTracer::onChild(JS::GCCellPtr const&)+159>:	ud2



Marking s-s (security-sensitive) because this is a GC assertion failure.
```
The following testcase crashes on mozilla-central revision 74bb778f7879 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

try {
  var g = newGlobal();
  g.eval("(" + function () {
    f(import(""));
  } + ")();");
} catch(exc) {}
fullcompartmentchecks(true);


Backtrace:

received signal SIGSEGV, Segmentation fault.
CompartmentCheckTracer::onChild (this=0x7fffffffd0d0, thing=...) at js/src/gc/GC.cpp:4053
#0  CompartmentCheckTracer::onChild (this=0x7fffffffd0d0, thing=...) at js/src/gc/GC.cpp:4053
#1  0x0000555555c902ca in JS::CallbackTracer::onObjectEdge (this=0x7fffffffd0d0, objp=<optimized out>) at dist/include/js/TracingAPI.h:157
#2  0x000055555602b088 in JS::CallbackTracer::dispatchToOnEdge (objp=0x7fffffffce50, this=0x7fffffffd0d0) at dist/include/js/TracingAPI.h:259
#3  DoCallback<JSObject*> (trc=0x7fffffffd0d0, thingp=thingp@entry=0x7fffffffce50, name=0x555556ab487f "jit-masm-value") at js/src/gc/Tracer.cpp:47
#4  0x000055555602f086 in DoCallbackFunctor<JS::Value>::operator()<JSObject> (this=<synthetic pointer>, name=<optimized out>, trc=<optimized out>, t=<optimized out>) at js/src/gc/Tracer.cpp:59
#5  js::DispatchTyped<DoCallbackFunctor<JS::Value>, JS::CallbackTracer*&, char const*&> (f=..., val=..., args#0=@0x7fffffffceb8: 0x7fffffffd0d0, args#1=@0x7fffffffceb0: 0x555556ab487f "jit-masm-value") at dist/include/js/Value.h:1327
#6  0x000055555601e496 in DoCallback<JS::Value> (trc=<optimized out>, vp=vp@entry=0x7fffffffcf30, name=<optimized out>, name@entry=0x555556ab487f "jit-masm-value") at js/src/gc/Tracer.cpp:68
#7  0x0000555556002149 in js::gc::TraceEdgeInternal<JS::Value> (trc=trc@entry=0x7fffffffd0d8, thingp=thingp@entry=0x7fffffffcf30, name=name@entry=0x555556ab487f "jit-masm-value") at js/src/gc/Marking.cpp:576
#8  0x00005555560fa16e in js::TraceManuallyBarrieredEdge<JS::Value> (name=0x555556ab487f "jit-masm-value", thingp=0x7fffffffcf30, trc=0x7fffffffd0d8) at js/src/gc/Tracer.h:185
#9  js::jit::AssemblerX86Shared::TraceDataRelocations (trc=trc@entry=0x7fffffffd0d8, code=code@entry=0x7ffff4dda100, reader=...) at js/src/jit/x86-shared/Assembler-x86-shared.cpp:56
#10 0x0000555556210618 in js::jit::JitCode::traceChildren (this=0x7ffff4dda100, trc=0x7fffffffd0d8) at js/src/jit/Ion.cpp:710
#11 0x0000555556016cba in js::TraceChildren (trc=<optimized out>, trc@entry=0x7fffffffd0d8, thing=<optimized out>, kind=<optimized out>) at js/src/gc/Tracer.cpp:129
#12 0x0000555555fb546b in js::gc::GCRuntime::checkForCompartmentMismatches (this=this@entry=0x7ffff5f1c6a0) at js/src/gc/GC.cpp:4074
#13 0x0000555555fd1f58 in js::gc::GCRuntime::beginMarkPhase (this=0x7ffff5f1c6a0, reason=JS::gcreason::DESTROY_RUNTIME, session=...) at js/src/gc/GC.cpp:4263
#14 0x0000555555fd357c in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff5f1c6a0, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME, session=...) at js/src/gc/GC.cpp:6989
#15 0x0000555555fd3fb2 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff5f1c6a0, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7410
#16 0x0000555555fd47e5 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f1c6a0, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7582
#17 0x0000555555fd4bf9 in js::gc::GCRuntime::gc (this=this@entry=0x7ffff5f1c6a0, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7660
#18 0x0000555555bec15f in JSRuntime::destroyRuntime (this=0x7ffff5f1c000) at js/src/vm/Runtime.cpp:283
#19 0x0000555555b2d22f in js::DestroyContext (cx=0x7ffff5f18000) at js/src/vm/JSContext.cpp:203
#20 0x000055555583714a in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11326
rax	0x555557bf7280	93825032745600
rbx	0x7fffffffd0d0	140737488343248
rcx	0x555556b8a178	93825015521656
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffcdb0	140737488342448
rsp	0x7fffffffcda0	140737488342432
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6c80	140737354034304
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffffcdc0	140737488342464
r13	0x555555fd71d0	93825003254224
r14	0x7fffffffceb0	140737488342704
r15	0xfffaffffffffffff	-1407374883553281
rip	0x555555fd7264 <CompartmentCheckTracer::onChild(JS::GCCellPtr const&)+148>
=> 0x555555fd7264 <CompartmentCheckTracer::onChild(JS::GCCellPtr const&)+148>:	movl   $0x0,0x0
   0x555555fd726f <CompartmentCheckTracer::onChild(JS::GCCellPtr const&)+159>:	ud2
```


Marking s-s (security-sensitive) because this is a GC assertion failure.
The following testcase crashes on mozilla-central revision 74bb778f7879 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

```
try {
  var g = newGlobal();
  g.eval("(" + function () {
    f(import(""));
  } + ")();");
} catch(exc) {}
fullcompartmentchecks(true);


Backtrace:

received signal SIGSEGV, Segmentation fault.
CompartmentCheckTracer::onChild (this=0x7fffffffd0d0, thing=...) at js/src/gc/GC.cpp:4053
#0  CompartmentCheckTracer::onChild (this=0x7fffffffd0d0, thing=...) at js/src/gc/GC.cpp:4053
#1  0x0000555555c902ca in JS::CallbackTracer::onObjectEdge (this=0x7fffffffd0d0, objp=<optimized out>) at dist/include/js/TracingAPI.h:157
#2  0x000055555602b088 in JS::CallbackTracer::dispatchToOnEdge (objp=0x7fffffffce50, this=0x7fffffffd0d0) at dist/include/js/TracingAPI.h:259
#3  DoCallback<JSObject*> (trc=0x7fffffffd0d0, thingp=thingp@entry=0x7fffffffce50, name=0x555556ab487f "jit-masm-value") at js/src/gc/Tracer.cpp:47
#4  0x000055555602f086 in DoCallbackFunctor<JS::Value>::operator()<JSObject> (this=<synthetic pointer>, name=<optimized out>, trc=<optimized out>, t=<optimized out>) at js/src/gc/Tracer.cpp:59
#5  js::DispatchTyped<DoCallbackFunctor<JS::Value>, JS::CallbackTracer*&, char const*&> (f=..., val=..., args#0=@0x7fffffffceb8: 0x7fffffffd0d0, args#1=@0x7fffffffceb0: 0x555556ab487f "jit-masm-value") at dist/include/js/Value.h:1327
#6  0x000055555601e496 in DoCallback<JS::Value> (trc=<optimized out>, vp=vp@entry=0x7fffffffcf30, name=<optimized out>, name@entry=0x555556ab487f "jit-masm-value") at js/src/gc/Tracer.cpp:68
#7  0x0000555556002149 in js::gc::TraceEdgeInternal<JS::Value> (trc=trc@entry=0x7fffffffd0d8, thingp=thingp@entry=0x7fffffffcf30, name=name@entry=0x555556ab487f "jit-masm-value") at js/src/gc/Marking.cpp:576
#8  0x00005555560fa16e in js::TraceManuallyBarrieredEdge<JS::Value> (name=0x555556ab487f "jit-masm-value", thingp=0x7fffffffcf30, trc=0x7fffffffd0d8) at js/src/gc/Tracer.h:185
#9  js::jit::AssemblerX86Shared::TraceDataRelocations (trc=trc@entry=0x7fffffffd0d8, code=code@entry=0x7ffff4dda100, reader=...) at js/src/jit/x86-shared/Assembler-x86-shared.cpp:56
#10 0x0000555556210618 in js::jit::JitCode::traceChildren (this=0x7ffff4dda100, trc=0x7fffffffd0d8) at js/src/jit/Ion.cpp:710
#11 0x0000555556016cba in js::TraceChildren (trc=<optimized out>, trc@entry=0x7fffffffd0d8, thing=<optimized out>, kind=<optimized out>) at js/src/gc/Tracer.cpp:129
#12 0x0000555555fb546b in js::gc::GCRuntime::checkForCompartmentMismatches (this=this@entry=0x7ffff5f1c6a0) at js/src/gc/GC.cpp:4074
#13 0x0000555555fd1f58 in js::gc::GCRuntime::beginMarkPhase (this=0x7ffff5f1c6a0, reason=JS::gcreason::DESTROY_RUNTIME, session=...) at js/src/gc/GC.cpp:4263
#14 0x0000555555fd357c in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff5f1c6a0, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME, session=...) at js/src/gc/GC.cpp:6989
#15 0x0000555555fd3fb2 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff5f1c6a0, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7410
#16 0x0000555555fd47e5 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f1c6a0, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7582
#17 0x0000555555fd4bf9 in js::gc::GCRuntime::gc (this=this@entry=0x7ffff5f1c6a0, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7660
#18 0x0000555555bec15f in JSRuntime::destroyRuntime (this=0x7ffff5f1c000) at js/src/vm/Runtime.cpp:283
#19 0x0000555555b2d22f in js::DestroyContext (cx=0x7ffff5f18000) at js/src/vm/JSContext.cpp:203
#20 0x000055555583714a in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11326
rax	0x555557bf7280	93825032745600
rbx	0x7fffffffd0d0	140737488343248
rcx	0x555556b8a178	93825015521656
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffcdb0	140737488342448
rsp	0x7fffffffcda0	140737488342432
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6c80	140737354034304
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffffcdc0	140737488342464
r13	0x555555fd71d0	93825003254224
r14	0x7fffffffceb0	140737488342704
r15	0xfffaffffffffffff	-1407374883553281
rip	0x555555fd7264 <CompartmentCheckTracer::onChild(JS::GCCellPtr const&)+148>
=> 0x555555fd7264 <CompartmentCheckTracer::onChild(JS::GCCellPtr const&)+148>:	movl   $0x0,0x0
   0x555555fd726f <CompartmentCheckTracer::onChild(JS::GCCellPtr const&)+159>:	ud2
```


Marking s-s (security-sensitive) because this is a GC assertion failure.
