Assertion failure: CurrentThreadCanAccessZone(zone), at js/src/gc/Heap.h:1258 with Worker and fullcompartmentchecks

RESOLVED FIXED in Firefox 50

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 2 years ago
Modified: 2 years ago

People

(Reporter: decoder, Assigned: jonco)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Version: Trunk
Target Milestone: mozilla50
Platform: x86
OS: Linux
Keywords: assertion, testcase
Points: ---

Firefox Tracking Flags

(firefox50 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision 3ce53bd1e25b (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --thread-count=2):

evalInWorker(`
  function f() {
    fullcompartmentchecks(f);
  }
  try { f(); } catch(e) {}
`);
Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x08129bf6 in js::gc::TenuredCell::zone (this=0xf5011c80) at js/src/gc/Heap.h:1258
#1  0x08596caa in CompartmentCheckTracer::onChild (this=0xf4cfedfc, thing=...) at js/src/jsgc.cpp:3735
#2  0x089476f1 in JS::CallbackTracer::onStringEdge (strp=0xf4cfec74, this=0xf4cfedfc) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/32/compiler/gcc/sanitizer/none/type/debug/dist/include/js/TracingAPI.h:127
#3  JS::CallbackTracer::dispatchToOnEdge (strp=0xf4cfec74, this=0xf4cfedfc) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/32/compiler/gcc/sanitizer/none/type/debug/dist/include/js/TracingAPI.h:206
#4  DoCallback<JSString*> (trc=0xf4cfedfc, thingp=0xf4cfec74, name=0x89daeaa "object slot") at js/src/gc/Tracer.cpp:51
#5  0x0892c823 in DoCallbackFunctor<JS::Value>::operator()<JSString> (this=<synthetic pointer>, name=<optimized out>, trc=<optimized out>, t=0xf5011c80) at js/src/gc/Tracer.cpp:62
#6  js::DispatchTyped<DoCallbackFunctor<JS::Value>, JS::CallbackTracer*&, char const*&> (val=..., f=...) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/32/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Value.h:1912
#7  DoCallback<JS::Value> (trc=0xf4cfedfc, vp=0xf7196708, name=0x89daeaa "object slot") at js/src/gc/Tracer.cpp:70
#8  0x089257d7 in DispatchToTracer<JS::Value> (trc=0xf4cfee00, thingp=0xf7196708, name=0x89daeaa "object slot") at js/src/gc/Marking.cpp:647
#9  0x085688e0 in JSObject::traceChildren (this=0xf4806040, trc=0xf4cfee00) at js/src/jsobj.cpp:3865
#10 0x08947add in TraceChildrenFunctor::operator()<JSObject> (this=<synthetic pointer>, thing=<optimized out>, trc=<optimized out>) at js/src/gc/Tracer.cpp:117
#11 JS::DispatchTraceKindTyped<TraceChildrenFunctor, JSTracer*&, void*&> (f=..., traceKind=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/32/compiler/gcc/sanitizer/none/type/debug/dist/include/js/TraceKind.h:182
#12 0x0892bc29 in js::TraceChildren (trc=0xf4cfee00, thing=0xf4806040, kind=JS::TraceKind::Object) at js/src/gc/Tracer.cpp:126
#13 0x08562b43 in js::gc::GCRuntime::checkForCompartmentMismatches (this=this@entry=0xf719d230) at js/src/jsgc.cpp:3755
#14 0x08598877 in js::gc::GCRuntime::checkForCompartmentMismatches (this=0xf719d230) at js/src/jsgc.cpp:3797
#15 js::gc::GCRuntime::beginMarkPhase (this=0xf719d230, reason=JS::gcreason::DESTROY_RUNTIME, lock=...) at js/src/jsgc.cpp:3785
#16 0x0859c045 in js::gc::GCRuntime::incrementalCollectSlice (this=0xf719d230, budget=..., reason=JS::gcreason::DESTROY_RUNTIME, lock=...) at js/src/jsgc.cpp:5882
#17 0x0859d508 in js::gc::GCRuntime::gcCycle (this=0xf719d230, nonincrementalByAPI=true, budget=..., reason=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6167
#18 0x0859db50 in js::gc::GCRuntime::collect (this=0xf719d230, nonincrementalByAPI=true, budget=..., reason=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6275
#19 0x0859df85 in js::gc::GCRuntime::gc (this=0xf719d230, gckind=GC_NORMAL, reason=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6342
#20 0x0874245e in JSRuntime::~JSRuntime (this=0xf719d000, __in_chrg=<optimized out>) at js/src/vm/Runtime.cpp:428
#21 0x084f5630 in js_delete<JSRuntime> (p=0xf719d000) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/32/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Utility.h:382
#22 JS_DestroyRuntime (rt=0xf719d000) at js/src/jsapi.cpp:484
#23 0x08098e2f in WorkerMain (arg=0xf7108880) at js/src/shell/js.cpp:3033
#24 0x08717099 in nspr::Thread::ThreadRoutine (arg=0xf7108890) at js/src/vm/PosixNSPR.cpp:45
#25 0xf77712b5 in start_thread (arg=0xf4cffb40) at pthread_create.c:333
#26 0xf749816e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:114
eax	0x0	0
ebx	0x8bdeff4	146665460
ecx	0xf7564864	-145340316
edx	0x0	0
esi	0xf7149000	-149647360
edi	0xf4cfec28	-187700184
ebp	0xf4cfeb48	4107266888
esp	0xf4cfeb40	4107266880
eip	0x8129bf6 <js::gc::TenuredCell::zone() const+342>
=> 0x8129bf6 <js::gc::TenuredCell::zone() const+342>:	movl   $0x0,0x0
   0x8129c00 <js::gc::TenuredCell::zone() const+352>:	ud2

(Assignee)

Comment 1

2 years ago
Created attachment 8763528 [details] [diff] [review]
bug1280889-zone-assertion

CurrentThreadCanAccessZone() is returning false for the atoms zone of the parent runtime, making |tenured->zone()| assert.

I think we can just use zoneFromAnyThread() instead.
Assignee: nobody → jcoppeard
Attachment #8763528 - Flags: review?(terrence)
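A constructed model of the access check Comment 1 describes, added here and not SpiderMonkey's own code: a worker runtime shares its parent's atoms zone, so a strict per-thread ownership check refuses that zone to the worker thread and the compartment checker trips the assertion, while the any-thread accessor leaves the mismatch check itself intact. The type and function names (Runtime, Zone, Cell, runWorkerCheck) and the ownership rule are assumptions of the model.

```cpp
// Constructed model of the zone-access check behind this assertion (not SpiderMonkey code).
#include <vector>

struct Runtime;
struct Zone { const Runtime* owner; };   // runtime whose thread may touch this zone

struct Runtime {
    const Runtime* parent;               // non-null for a worker runtime
    Zone ordinary;                       // a zone this runtime owns
    Zone atoms;                          // used only when this is a parent runtime
    explicit Runtime(const Runtime* p = nullptr) : parent(p), ordinary{this}, atoms{this} {}
    // A worker has no atoms zone of its own: it shares its parent's.
    const Zone* atomsZone() const { return parent ? parent->atomsZone() : &atoms; }
};

// The strict check: the runtime on the current thread must own the zone, so a
// worker thread is refused the parent's atoms zone, as Comment 1 describes.
bool CurrentThreadCanAccessZone(const Runtime* rt, const Zone* zone) { return zone->owner == rt; }

struct Cell {
    const Zone* zone_;
    std::vector<const Cell*> children;   // outgoing edges the GC traces
    // zone() asserts the thread check; a failed assertion is modelled as nullptr.
    const Zone* zone(const Runtime* rt) const { return CurrentThreadCanAccessZone(rt, zone_) ? zone_ : nullptr; }
    // zoneFromAnyThread() skips the thread check, which is what the fix switches to.
    const Zone* zoneFromAnyThread() const { return zone_; }
};

enum class CheckResult { Ok, Mismatch, AssertionFailed };

// Models checkForCompartmentMismatches: each edge must stay in the source cell's
// zone or point into the atoms zone, which every runtime may reference.
CheckResult checkForCompartmentMismatches(const Runtime* rt, const std::vector<const Cell*>& cells,
                                          bool useAnyThreadAccessor) {
    for (const Cell* cell : cells) {
        for (const Cell* child : cell->children) {
            const Zone* z = useAnyThreadAccessor ? child->zoneFromAnyThread() : child->zone(rt);
            if (!z) return CheckResult::AssertionFailed;          // the crash in this bug
            if (z != cell->zone_ && z != rt->atomsZone()) return CheckResult::Mismatch;
        }
    }
    return CheckResult::Ok;
}

// Worker-runtime teardown from the testcase: an object in the worker's zone with an edge
// to an atom (e.g. "f") in the parent's atoms zone; the alternative is a genuine cross-zone edge.
CheckResult runWorkerCheck(bool useAnyThreadAccessor, bool childIsAtom) {
    Runtime parent, other;
    Runtime worker(&parent);
    Cell child{childIsAtom ? parent.atomsZone() : &other.ordinary, {}};
    Cell obj{&worker.ordinary, {&child}};
    return checkForCompartmentMismatches(&worker, {&obj}, useAnyThreadAccessor);
}
```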
Comment 2

Comment on attachment 8763528 [details] [diff] [review]
bug1280889-zone-assertion

Review of attachment 8763528 [details] [diff] [review]:
-----------------------------------------------------------------

I agree, thanks for taking this!
Attachment #8763528 - Flags: review?(terrence) → review+

Comment 3

2 years ago
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c2becf602688
Fix compartment checking assertion r=terrence

Updated

2 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 4

2 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "bad" changeset has the timestamp "20160621064604" and the hash "14ac8b409bcd40985ef2abe2ee63ad3b08ab7c69".
The "good" changeset has the timestamp "20160621074059" and the hash "c2becf602688b56146321cb7c1f4d6297bb86bd1".

Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=14ac8b409bcd40985ef2abe2ee63ad3b08ab7c69&tochange=c2becf602688b56146321cb7c1f4d6297bb86bd1

Comment 5

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/c2becf602688
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox50: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50