1365564 - Intermittent toolkit/mozapps/extensions/test/browser/browser_cancelCompatCheck.js | application crashed [@ JS::Value::toObjectOrNull()] or [@ JSFunction::setExtendedSlot(unsigned long, JS::Value const&)]

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect)

Description

[Treeherder Bug Filer]

Filed by: cbook [at] mozilla.com

https://treeherder.mozilla.org/logviewer.html#?job_id=99710818&repo=mozilla-inbound

https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-inbound-win64-debug/1495008560/mozilla-inbound_win8_64-debug_test-mochitest-e10s-browser-chrome-1-bm119-tests1-windows-build395.txt.gz

Comment 1

[Geoff Brown [:gbrown]]

https://dxr.mozilla.org/mozilla-central/rev/85e5d15c31691c89b82d6068c26260416493071f/js/public/Value.h#651


11:29:39     INFO - GECKO(1989) | Assertion failure: isObjectOrNull(), at /home/worker/workspace/build/src/obj-firefox/dist/include/js/Value.h:651
11:30:13     INFO - GECKO(1989) | #01: js::GCMarker::stackContainsCrossZonePointerTo(js::gc::Cell const*) const [js/src/vm/ProxyObject.h:70]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #02: js::gc::detail::CellIsNotGray(js::gc::Cell const*) [js/src/jsgc.cpp:8148]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #03: JSFunction::setExtendedSlot(unsigned long, JS::Value const&) [js/src/gc/Barrier.h:251]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #04: EnqueuePromiseReactionJob(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::PromiseState) [js/src/builtin/Promise.cpp:563]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #05: ResolvePromise(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<JS::Value>, JS::PromiseState) [js/src/builtin/Promise.cpp:843]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #06: FulfillMaybeWrappedPromise(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>) [js/src/builtin/Promise.cpp:658]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #07: ResolvePromiseInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>) [js/src/builtin/Promise.cpp:418]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #08: ResolvePromiseFunction(JSContext*, unsigned int, JS::Value*) [js/src/builtin/Promise.cpp:465]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #09: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) [js/src/jscntxtinlines.h:294]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #10: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [js/src/vm/Interpreter.cpp:470]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #11: <name omitted> [js/src/vm/Interpreter.cpp:534]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #12: js::fun_call(JSContext*, unsigned int, JS::Value*) [js/src/jsfun.cpp:1229]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #13: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) [js/src/jscntxtinlines.h:294]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #14: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [js/src/vm/Interpreter.cpp:470]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #15: Interpret(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:521]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #16: js::RunScript(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:410]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #17: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [js/src/vm/Interpreter.cpp:488]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #18: Interpret(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:521]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #19: js::RunScript(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:410]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #20: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [js/src/vm/Interpreter.cpp:488]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #21: Interpret(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:521]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #22: js::RunScript(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:410]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #23: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [js/src/vm/Interpreter.cpp:488]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #24: Interpret(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:521]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #25: js::RunScript(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:410]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #26: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [js/src/vm/Interpreter.cpp:488]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #27: <name omitted> [js/src/vm/Interpreter.cpp:534]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #28: JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) [js/src/jsapi.cpp:2832]
11:30:13     INFO - 
11:30:13     INFO - GECKO(1989) | #29: nsXPCComponents_Utils::CallFunctionWithAsyncStack(JS::Handle<JS::Value>, nsIStackFrame*, nsAString const&, JSContext*, JS::MutableHandle<JS::Value>) [js/xpconnect/src/XPCComponents.cpp:2712]
11:30:13     INFO -

Comment 2

[Geoff Brown [:gbrown]]

https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&filter-searchStr=windows%20x64%20debug%20bc1%20e10s&tochange=159f82e6813c4dca0a72c1fa2a49ec99b087db32&fromchange=fb689ff5ec1955ea014734027457a95af1764208 suggests this failure started with https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=159f82e6813c4dca0a72c1fa2a49ec99b087db32, bug 1365362 / bug 1189822.

I don't see an obvious logical connection between those bugs and this failure. Also, there are other similar failures, like bug 1366083 that started around the same time but apparently have different regression ranges.

Comment 3

[Boris Zbarsky [:bzbarsky]]

Hmm.  So GCMarker::stackContainsCrossZonePointerTo (which is debug-only) does:

        auto source = iter.peekPtr().as<JSObject>();
...
        if ((source->is<ProxyObject>() && source->as<ProxyObject>().target() == target) ||
            Debugger::isDebuggerCrossCompartmentEdge(source, target))


Now ProxyObject::target() does:

    JSObject* target() const {
        return const_cast<ProxyObject*>(this)->private_().toObjectOrNull();
    }

where:

    const Value& private_() {
        return GetProxyPrivate(this);
    }

but nothing says that the private slot of a ProxyObject has to be an object, or null, or indeed anything.  It's a _private_ slot.  For DOM proxies it can be an ObjectValue, or a PrivateValue, or an UndefinedValue.

The changes in bug 1189822 made the UndefinedValue case more common and the ObjectValue case less common.  But this code seems wrong a priori: it should be checking js::IsWrapper() before poking at target(), no?  Or do some other check for a ProxyObject whose private is really expected to be an object-or-null.

That said, there might be something wrong with the changes in bug 1189822 too, of course...

Comment 4

[Intermittent Failures Robot]

34 failures in 777 pushes (0.044 failures/push) were associated with this bug in the last 7 days. 

This is the #34 most frequent failure this week.  

** This failure happened more than 30 times this week! Resolving this bug is a high priority. **

** Try to resolve this bug as soon as possible. If unresolved for 2 weeks, the affected test(s) may be disabled. ** 

Repository breakdown:
* mozilla-inbound: 16
* autoland: 13
* mozilla-central: 4
* try: 1

Platform breakdown:
* osx-10-10: 24
* windows8-64: 10

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1365564&startday=2017-05-15&endday=2017-05-21&tree=all

Comment 5

[Jon Coppeard (:jonco)]

(In reply to Boris Zbarsky [:bz] (work week until 5/26) (if a patch has no decent message, automatic r-) from comment #3)
> nothing says that the private slot of a ProxyObject has to be an object,
> or null, or indeed anything. 

Oh, I didn't realise that.

Comment 6

[Jon Coppeard (:jonco)]

Attachment: bug1365564-mark-stack-wrapper-check

Not all proxy objects have a target object and we only care about CCWs here anyway so call IsCrossCompartmentWrapper rather than is<ProxyObject>().

Comment 7

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/28459b0a0f07
Don't try and get target object from non-wrapper proxies r=sfink

Comment 8

[Ryan VanderMeulen [:RyanVM]]

Looks like this patch just morphed the signature.
https://treeherder.mozilla.org/logviewer.html#?job_id=101601246&repo=mozilla-inbound

Comment 9

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/28459b0a0f07

Comment 10

[Jon Coppeard (:jonco)]

(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)
Oh, it seems like non-CCWs can contain cross compartment pointers.  I filed bug 1367815 to investigate that.  In the mean time I'll change the condition again to check proxy targets, but only if they're objects.

Comment 11

[Jon Coppeard (:jonco)]

Attachment: bug1365635-mark-stack-wrapper-check-2

Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=67c8b16a8a96655fe7698950c336bc8ec8a8ac5e

Comment 12

[Jon Coppeard (:jonco)]

Comment on attachment 8871351 [details] [diff] [review]
bug1365635-mark-stack-wrapper-check-2

Can you review if the try run looks OK?

Comment 13

[Steve Fink [:sfink] [:s:]]

Comment on attachment 8871351 [details] [diff] [review]
bug1365635-mark-stack-wrapper-check-2

Review of attachment 8871351 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/gc/Marking.cpp
@@ +2612,5 @@
> +        if (source->is<ProxyObject>()) {
> +            Value value = source->as<ProxyObject>().private_();
> +            if (value.isObject() && &value.toObject() == target)
> +                return sourceZone;
> +        }

I think this is good. ProxyObject::trace contains an unconditional

    TraceCrossCompartmentEdge(trc, obj, proxy->slotOfPrivate(), "private");

TraceCrossCompartmentEdge does the equivalent of

  Value value = source->as<ProxyObject>().private_();
  if (value.isGCThing()) {
    Cell* cell = value.toGCThing();
    if (cell->isTenured())
      /* check color */
    else
      /* assume black */
  }

so in this case you could do

  if (value.isGCThing() && value.toGCThing() == target)

but given that target is a JSObject*, they are functionally equivalent.

Comment 14

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d6e64cc963fa
Fix GCMarker::stackContainsCrossZonePointerTo to check all proxies for cross compartment target objects r=sfink

Comment 15

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/d6e64cc963fa

Comment 16

[Intermittent Failures Robot]

33 failures in 891 pushes (0.037 failures/push) were associated with this bug in the last 7 days. 

This is the #43 most frequent failure this week.  

** This failure happened more than 30 times this week! Resolving this bug is a high priority. **

** Try to resolve this bug as soon as possible. If unresolved for 2 weeks, the affected test(s) may be disabled. ** 

Repository breakdown:
* autoland: 17
* mozilla-inbound: 13
* mozilla-central: 3

Platform breakdown:
* osx-10-10: 20
* windows8-64: 12
* windows7-32-vm: 1

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1365564&startday=2017-05-22&endday=2017-05-28&tree=all

Comment 17

[Ryan VanderMeulen [:RyanVM]]

The signature has shifted to bug 1368446 now. I don't see much value in having two bugs open to track essentially the same issue, so I'm duping this over.

Comment 18

[Jon Coppeard (:jonco)]

I don't think this is a duplicate.  They are different assertions failures.  The stacks are the same but I think this assertion failure was just masking the other one.