Assertion failure: !realParent || realParent == cx->global() || realParent->isUnqualifiedVarObj(), at js/src/jsfun.cpp:2145

RESOLVED FIXED in Firefox 39

Product: Core
Component: JavaScript Engine
Severity: critical
Status: RESOLVED FIXED
Reporter: decoder
Assignee: bz
Keywords: assertion, regression, testcase
Blocks: 1 bug
Version: Trunk
Target Milestone: mozilla39
Platform: x86_64 Linux
Bug Flags: in-testsuite +
Firefox Tracking Flags: firefox39 fixed
Whiteboard: [jsbugmon:update]
Attachments: 1 attachment

Description (Reporter, 3 years ago)

The following testcase crashes on mozilla-central revision cc0950b7a369 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

// SpiderMonkey shell testcase: newGlobal() and Debugger are shell/debugger
// built-ins, and `let (x = ...) { ... }` is the legacy let-block syntax.
var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
    var frame = dbg.getNewestFrame().older;  // the frame that called evalInFrame
    var completion = frame.eval(code);       // Debugger.Frame.prototype.eval
  };
})(this);
var x = 5;
let (x = eval("x++")) {
  evalInFrame(0, ("for (var x = 0; x < 3; ++x) { (function(){})() } "))
}
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000b1879d in js::CloneFunctionObject (cx=cx@entry=0x7ffff691b4e0, fun=..., fun@entry=..., parent=..., parent@entry=..., allocKind=js::gc::OBJECT4_BACKGROUND, newKindArg=newKindArg@entry=js::GenericObject, proto=..., proto@entry=...) at js/src/jsfun.cpp:2144
#0  0x0000000000b1879d in js::CloneFunctionObject (cx=cx@entry=0x7ffff691b4e0, fun=..., fun@entry=..., parent=..., parent@entry=..., allocKind=js::gc::OBJECT4_BACKGROUND, newKindArg=newKindArg@entry=js::GenericObject, proto=..., proto@entry=...) at js/src/jsfun.cpp:2144
#1  0x00000000006a6b11 in js::CloneFunctionObjectIfNotSingleton (cx=0x7ffff691b4e0, fun=..., parent=..., proto=..., newKind=js::GenericObject) at js/src/jsfuninlines.h:88
#2  0x000000000065a739 in js::Lambda (cx=cx@entry=0x7ffff691b4e0, fun=fun@entry=..., parent=...) at js/src/vm/Interpreter.cpp:3788
#3  0x000000000066772d in Interpret (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:3089
#4  0x0000000000671c38 in js::RunScript (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:452
#5  0x0000000000678ca6 in js::ExecuteKernel (cx=cx@entry=0x7ffff691b4e0, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=js::EXECUTE_DEBUG, evalInFrame=..., result=result@entry=0x7fffffffb110) at js/src/vm/Interpreter.cpp:660
#6  0x00000000006797ec in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=<optimized out>, pc=<optimized out>, frame=..., thisv=..., env=..., cx=0x7ffff691b4e0, chars=...) at js/src/vm/Debugger.cpp:6166
#7  DebuggerGenericEval (cx=cx@entry=0x7ffff691b4e0, fullMethodName=fullMethodName@entry=0xd569fe "Debugger.Frame.prototype.eval", code=..., evalWithBindings=evalWithBindings@entry=EvalWithDefaultBindings, bindings=..., options=..., vp=..., dbg=dbg@entry=0x7ffff695d000, scope=..., iter=iter@entry=0x7fffffffb478) at js/src/vm/Debugger.cpp:6318
#8  0x000000000067ab52 in DebuggerFrame_eval (cx=0x7ffff691b4e0, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6332
#9  0x0000000000682d82 in js::CallJSNative (cx=0x7ffff691b4e0, native=0x67a8d0 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#10 0x0000000000671ed3 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:502
#11 0x0000000000673993 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, thisv=..., fval=..., argc=<optimized out>, argv=0x7ffff53e3158, rval=...) at js/src/vm/Interpreter.cpp:558
#12 0x0000000000b558bb in js::DirectProxyHandler::call (this=this@entry=0x1a07b20 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff691b4e0, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#13 0x0000000000b5c172 in js::CrossCompartmentWrapper::call (this=0x1a07b20 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff691b4e0, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:288
#14 0x0000000000b677f2 in js::Proxy::call (cx=cx@entry=0x7ffff691b4e0, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:391
#15 0x0000000000b67872 in js::proxy_Call (cx=0x7ffff691b4e0, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:703
#16 0x0000000000682d82 in js::CallJSNative (cx=0x7ffff691b4e0, native=0xb67810 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#17 0x0000000000672181 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495
#18 0x000000000066c59d in Interpret (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:2617
#19 0x0000000000671c38 in js::RunScript (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:452
#20 0x0000000000678ca6 in js::ExecuteKernel (cx=cx@entry=0x7ffff691b4e0, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:660
#21 0x000000000067ad70 in js::Execute (cx=cx@entry=0x7ffff691b4e0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:703
#22 0x0000000000a595be in ExecuteScript (cx=cx@entry=0x7ffff691b4e0, obj=..., scriptArg=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4107
#23 0x0000000000a5973b in JS_ExecuteScript (cx=cx@entry=0x7ffff691b4e0, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4129
#24 0x000000000042531b in RunFile (compileOnly=false, file=0x7ffff699b800, filename=0x7fffffffe07e "min.js", cx=0x7ffff691b4e0) at js/src/shell/js.cpp:466
#25 Process (cx=cx@entry=0x7ffff691b4e0, filename=0x7fffffffe07e "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:597
#26 0x0000000000472b22 in ProcessArgs (op=0x7fffffffdb50, cx=0x7ffff691b4e0) at js/src/shell/js.cpp:5754
#27 Shell (envp=<optimized out>, op=0x7fffffffdb50, cx=0x7ffff691b4e0) at js/src/shell/js.cpp:6020
#28 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6362
rip	0xb1879d <js::CloneFunctionObject(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, js::gc::AllocKind, js::NewObjectKind, JS::Handle<JSObject*>)+461>
=> 0xb1879d <js::CloneFunctionObject(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, js::gc::AllocKind, js::NewObjectKind, JS::Handle<JSObject*>)+461>:	movl   $0x861,0x0
   0xb187a8 <js::CloneFunctionObject(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, js::gc::AllocKind, js::NewObjectKind, JS::Handle<JSObject*>)+472>:	callq  0x423050 <abort@plt>

Updated (Reporter, 3 years ago)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1 (Reporter, 3 years ago)
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150313223419" and the hash "94fa4a005c33".
The "bad" changeset has the timestamp "20150313223819" and the hash "c0a7bfc8dfae".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=94fa4a005c33&tochange=c0a7bfc8dfae

Flags: needinfo?(bzbarsky)

Alright.  So realParent is ending up as a Proxy.  In particular, a DebugScopeProxy.

We should probably loosen up the assert accordingly.  Note also bug 1143794.
Flags: needinfo?(bzbarsky)

Created attachment 8583940 [details] [diff] [review]
Relax our realParent asserts in CloneFunction a bit, pending a proper fix for bug 1143794
Attachment #8583940 - Flags: review?(luke)
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED

Comment 4 (3 years ago)
Comment on attachment 8583940 [details] [diff] [review]
Relax our realParent asserts in CloneFunction a bit, pending a proper fix for bug 1143794

Review of attachment 8583940 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsfun.cpp
@@ +2050,5 @@
>  #ifdef DEBUG
>      RootedObject nonScopeParent(cx, SkipScopeParent(enclosingDynamicScope));
> +    // We'd like to assert that nonScopeParent is null-or-global, but
> +    // js::ExecuteInGlobalAndReturnScope and debugger eval bits mess that up.
> +    // Assert that it's one of those or a debug scope prosxy or the unqualified
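
Review bot: the attachment summary calls this a temporary relaxation pending a proper fix for bug 1143794, but the new comment lines (+2052 to +2054) carry no bug reference, so a later reader of jsfun.cpp will not know the widened assert is a stopgap rather than the intended invariant; add the bug number to the comment, e.g. `// TODO: tighten this back up once bug 1143794 is fixed.`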

s/prosxy/proxy/
Attachment #8583940 - Flags: review?(luke) → review+

https://hg.mozilla.org/mozilla-central/rev/f0c08ce4f555
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox39: affected → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla39