Closed Bug 1151958 Opened 9 years ago Closed 9 years ago

Crash [@ js::CompartmentChecker::fail] with shell-only findPath function

Categories

(Core :: JavaScript Engine, defect)

Platform: ARM / Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox40 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])

Crash Data

The following testcase crashes on mozilla-central revision ab0490972e1e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --enable-debug, run with --fuzzing-safe):

function foo() {
    // findPath(start, target) is a shell-only testing function; taking it
    // from a freshly created global means the call goes through a
    // cross-compartment wrapper into that global's compartment.
    e = newGlobal().findPath;
    // Per the backtrace, defining the "node" property on the result object
    // inside FindPath trips the same-compartment assertion.
    e( arguments, "s" );
} foo();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x081dc036 in js::CompartmentChecker::fail (c1=0xf7a48c00, c2=0xf7a3e800) at js/src/jscntxtinlines.h:49
#0  0x081dc036 in js::CompartmentChecker::fail (c1=0xf7a48c00, c2=0xf7a3e800) at js/src/jscntxtinlines.h:49
#1  0x081dc167 in check (c=<optimized out>, this=0xffffb4b0) at js/src/jscntxtinlines.h:70
#2  check (obj=<optimized out>, this=0xffffb4b0) at js/src/jscntxtinlines.h:81
#3  js::CompartmentChecker::check (this=0xffffb4b0, v=...) at js/src/jscntxtinlines.h:101
#4  0x086b4e16 in check<JS::Value> (handle=..., this=0xffffb4b0) at js/src/jscntxtinlines.h:91
#5  assertSameCompartment<JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JSObject*, JSObject*> (t5=<optimized out>, t4=<optimized out>, t3=<synthetic pointer>, t2=<synthetic pointer>, t1=<synthetic pointer>, cx=0xf7a6c040) at js/src/jscntxtinlines.h:217
#6  DefinePropertyById (cx=cx@entry=0xf7a6c040, obj=..., obj@entry=..., id=id@entry=..., value=value@entry=..., get=..., set=..., attrs=<optimized out>, attrs@entry=1, flags=0) at js/src/jsapi.cpp:2243
#7  0x086b5bd0 in DefineProperty (cx=cx@entry=0xf7a6c040, obj=..., obj@entry=..., name=name@entry=0x89ab7f2 "node", value=value@entry=..., getter=..., setter=..., attrs=attrs@entry=1, flags=0) at js/src/jsapi.cpp:2424
#8  0x086b5c7d in JS_DefineProperty (cx=cx@entry=0xf7a6c040, obj=obj@entry=..., name=name@entry=0x89ab7f2 "node", value=..., attrs=attrs@entry=1, getter=getter@entry=0x0, setter=setter@entry=0x0) at js/src/jsapi.cpp:2472
#9  0x081d2840 in FindPath (cx=0xf7a6c040, argc=2, vp=0xffffbc9c) at js/src/builtin/TestingFunctions.cpp:2284
#10 0x082990f6 in js::CallJSNative (cx=0xf7a6c040, native=0x81d2260 <FindPath(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:235
#11 0x0828caa6 in js::Invoke (cx=cx@entry=0xf7a6c040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:704
#12 0x0828db6c in js::Invoke (cx=cx@entry=0xf7a6c040, thisv=..., fval=..., argc=2, argv=0xf5bb90c8, rval=...) at js/src/vm/Interpreter.cpp:760
#13 0x08770b66 in js::DirectProxyHandler::call (this=this@entry=0x962c1c8 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0xf7a6c040, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#14 0x0877ad2d in js::CrossCompartmentWrapper::call (this=0x962c1c8 <js::CrossCompartmentWrapper::singleton>, cx=0xf7a6c040, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#15 0x0876f77a in js::Proxy::call (cx=cx@entry=0xf7a6c040, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:391
#16 0x0876f80b in js::proxy_Call (cx=0xf7a6c040, argc=2, vp=0xf5bb90b8) at js/src/proxy/Proxy.cpp:697
#17 0x082990f6 in js::CallJSNative (cx=0xf7a6c040, native=0x876f7a0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#18 0x0828caa6 in js::Invoke (cx=0xf7a6c040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:704
#19 0x0827f682 in Interpret (cx=cx@entry=0xf7a6c040, state=...) at js/src/vm/Interpreter.cpp:2842
#20 0x0828c439 in js::RunScript (cx=cx@entry=0xf7a6c040, state=...) at js/src/vm/Interpreter.cpp:654
#21 0x082927c7 in js::ExecuteKernel (cx=cx@entry=0xf7a6c040, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:879
#22 0x08292b16 in js::Execute (cx=cx@entry=0xf7a6c040, script=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:919
#23 0x086a4b31 in ExecuteScript (cx=cx@entry=0xf7a6c040, obj=..., scriptArg=scriptArg@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4133
#24 0x086a4d56 in JS_ExecuteScript (cx=cx@entry=0xf7a6c040, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4155
#25 0x08068d21 in RunFile (compileOnly=false, file=0xf7af29e0, filename=0xffffcf7e "min.js", cx=0xf7a6c040) at js/src/shell/js.cpp:466
#26 Process (cx=cx@entry=0xf7a6c040, filename=0xffffcf7e "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:597
#27 0x080c3461 in ProcessArgs (op=0xffffcc20, cx=0xf7a6c040) at js/src/shell/js.cpp:5764
#28 Shell (envp=<optimized out>, op=0xffffcc20, cx=0xf7a6c040) at js/src/shell/js.cpp:6030
#29 main (argc=3, argv=0xffffcd74, envp=0xffffcd84) at js/src/shell/js.cpp:6372
eax	0x0	0
ebx	0x95f8414	157254676
ecx	0xf7e3b88c	-136071028
edx	0x0	0
esi	0xffffb4b0	-19280
edi	0xf7a6c040	-140066752
ebp	0xffffb418	4294947864
esp	0xffffb400	4294947840
eip	0x81dc036 <js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)+70>
=> 0x81dc036 <js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)+70>:	movl   $0x31,0x0
   0x81dc040 <js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)+80>:	call   0x80666c0 <abort@plt>

Likely shell-only.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, failed due to error (try manually).
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision efe86609e776).
Does not repro and there's little to be gained from trying to bisect where it was fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME