Closed Bug 952381 Opened 10 years ago Closed 10 years ago

Crash [@ PushMarkStack] or [@ js::GCMarker::processMarkStackTop] or Assertion failure: IsObjectValueInCompartment(value, compartment()), at vm/ObjectImpl.h

Categories

(Core :: JavaScript Engine, defect)

x86_64
All
defect
Not set
critical

RESOLVED DUPLICATE of bug 952885

People

(Reporter: gkw, Unassigned)

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Crash Data

Attachments

(2 files)

Attached file lldb stack
evaluate('', {
    global: newGlobal(),
    element: {}
})

asserts js debug shell on m-c changeset eabe3f50b083 without any CLI arguments at Assertion failure: IsObjectValueInCompartment(value, compartment()), at vm/ObjectImpl.h

My configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --with-ccache --disable-threadsafe

Full credit for this goes to :jimb who mentioned this to us and Jesse then put support for this into jsfunfuzz.
Component: JavaScript Engine: JIT → JavaScript Engine
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/a15ba1bc98c5
user:        Eddy Bruel
date:        Thu Nov 21 13:25:15 2013 -0800
summary:     Bug 637572: Implement Debugger.Source.prototype.element (v7) r=sfink

Eddy, is bug 637572 a likely regressor?
Flags: needinfo?(ejpbruel)
Blocks: 637572
OS: Mac OS X → All
for (f in ["", ""])
for (f in ["", "", ""])

function f(code) {
    Function(code)()
}

f("\
    x = {};\
    evaluate(\"[]\", ({\
        global: evalcx(''),\
        element: x,\
    }))\
");
f("\
    x = schedulegc(Set);\
    gc('compartment');\
")

This testcase asserts similarly, but crashes opt shell at PushMarkStack (when compiled with --enable-exact-rooting).

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-exact-rooting --enable-elf-hack --enable-stdcxx-compat --enable-warnings-as-errors --enable-signmar --disable-elf-hack --enable-js-diagnostics --with-intl-api=build --enable-ctypes --disable-shared-js --enable-jemalloc --with-ccache --enable-threadsafe <other NSPR flags>
Keywords: crash
Summary: Assertion failure: IsObjectValueInCompartment(value, compartment()), at vm/ObjectImpl.h → Crash [@ PushMarkStack] or Assertion failure: IsObjectValueInCompartment(value, compartment()), at vm/ObjectImpl.h
Crash Signature: [@ PushMarkStack] [@ js::GCMarker::processMarkStackTop]
Summary: Crash [@ PushMarkStack] or Assertion failure: IsObjectValueInCompartment(value, compartment()), at vm/ObjectImpl.h → Crash [@ PushMarkStack] or [@ js::GCMarker::processMarkStackTop] or Assertion failure: IsObjectValueInCompartment(value, compartment()), at vm/ObjectImpl.h
I have seen quite a few GC-related crash signatures associated with "element:" - may have to suspend fuzzing it if this is not fixed soon, as it hides other GC bugs.
Flags: needinfo?(jimb)
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1)
> autoBisect shows this is probably related to the following changeset:
> 
> The first bad revision is:
> changeset:   http://hg.mozilla.org/mozilla-central/rev/a15ba1bc98c5
> user:        Eddy Bruel
> date:        Thu Nov 21 13:25:15 2013 -0800
> summary:     Bug 637572: Implement Debugger.Source.prototype.element (v7)
> r=sfink
> 
> Eddy, is bug 637572 a likely regressor?

Hard to tell for sure, but I'd say it's definitely possible.
I'm pretty sure this is because we're trying to provide elements in one compartment for compilations in a different compartment. Marking dup.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jimb)
Resolution: --- → DUPLICATE
Clearing the needinfo on this bug since it's been marked as resolved.
Flags: needinfo?(ejpbruel)