1249938 - Crash [@ js::CompartmentChecker::fail] involving shortestPaths

Status: RESOLVED DUPLICATE of bug 1249107

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 69ec3dc408a2 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-ion --no-baseline):

// Adapted from randomly chosen test: js/src/jit-test/tests/heap-analysis/shortestPaths.js
g = evalcx('');
g.x = Object;
shortestPaths(this, [Object, function() {}], 5);

Backtrace:

0   js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x00000001007ba904 js::CompartmentChecker::fail(JSCompartment*, JSCompartment*) + 84 (jscntxtinlines.h:49)
1   js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x00000001007ba7d3 js::CompartmentChecker::check(JS::Value const&) + 99 (jscntxtinlines.h:102)
2   js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x0000000100522fbd DefinePropertyById(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JSNativeWrapper const&, JSNativeWrapper const&, unsigned int, unsigned int) + 989 (jscntxtinlines.h:80)
3   js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x00000001005234d3 DefineProperty(JSContext*, JS::Handle<JSObject*>, char const*, JS::Handle<JS::Value>, JSNativeWrapper const&, JSNativeWrapper const&, unsigned int, unsigned int) + 275 (jsapi.cpp:2285)
4   js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x00000001005233b5 JS_DefineProperty(JSContext*, JS::Handle<JSObject*>, char const*, JS::Handle<JS::Value>, unsigned int, bool (*)(JSContext*, unsigned int, JS::Value*), bool (*)(JSContext*, unsigned int, JS::Value*)) + 53 (jsapi.cpp:2293)
5   js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x0000000100750602 ShortestPaths(JSContext*, unsigned int, JS::Value*) + 4418 (TestingFunctions.cpp:2694)
6   js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x000000010078f2d2 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 738 (jscntxtinlines.h:236)
7   js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x0000000100784791 Interpret(JSContext*, js::RunState&) + 47361 (Interpreter.cpp:2799)
8   js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x0000000100778e0d js::RunScript(JSContext*, js::RunState&) + 413 (Interpreter.cpp:425)
9   js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x00000001007907aa js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 602 (Interpreter.cpp:681)
10  js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x0000000100790b35 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 469 (RootingAPI.h:666)
11  js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x000000010052a521 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4366)
12  js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x000000010052a792 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:666)
13  js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x000000010001f465 Process(JSContext*, char const*, bool, FileKind) + 3461 (js.cpp:525)
14  js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x000000010000542d main + 11773 (js.cpp:6435)
15  js-dbg-64-dm-clang-darwin-69ec3dc408a2	0x00000001000017a4 start + 52

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/e4c61fe8518b
user:        Nick Fitzgerald
date:        Thu Feb 11 10:38:00 2016 +0100
summary:     Bug 961323 - Add a method for finding shortest retaining paths of `JS::ubi::Node` heap graphs; r=jimb

Nick, is bug 961323 a likely regressor?

Comment 2

[Nick Fitzgerald [:fitzgen] [⏰PST; UTC-8]]

I can reproduce this on master, but after applying the patch in bug 1249107, it stops crashing. Marking as duplicate.