Closed Bug 1365903 Opened 7 years ago Closed 7 years ago

Crash [@ JSObject::compartment] or Assertion failure: !sweepKey, at gc/NurseryAwareHashMap.h:157 with nukeCCW and enableLastWarning

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1357022
Tracking Status
firefox55 --- fixed

People

(Reporter: decoder, Unassigned)

Details

(6 keywords, Whiteboard: [jsbugmon:][adv-main55-])

The following testcase crashes on mozilla-central revision e66dedabe582 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --disable-oom-functions --ion-offthread-compile=off --ion-eager --baseline-eager):

lfLogBuffer = `
function testWarn(code) {
    enableLastWarning();
    g = newGlobal();
    g.code = code;
    g.eval('eval(code)');
    warning = getLastWarning();
    nukeCCW(warning)
}
testWarn("function f() 1")
//corefuzzdcdendofdata
//corefuzzdcdendofdata
`.split('\n');
lfCodeBuffer = lfAccumulatedCode = "";
while (true) {
    line = lfLogBuffer.shift();
    if (line) loadFile(lfCodeBuffer);
    lfCodeBuffer += line;
}
function loadFile(lfVarx) {
    eval(lfAccumulatedCode)
    lfAccumulatedCode = "try { evaluate(`\n" + lfVarx + "\n`) } catch(exc) {}\n"
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x000000000082b677 in JSObject::compartment (this=0x7ffff5300e28) at js/src/jsobj.h:175
#0  0x000000000082b677 in JSObject::compartment (this=0x7ffff5300e28) at js/src/jsobj.h:175
#1  js::CrossCompartmentKey::compartment()::GetCompartmentFunctor::operator()(JSObject**) const (this=<synthetic pointer>, tp=<optimized out>) at js/src/jscompartment.h:191
#2  decltype ({parm#1}(static_cast<JSObject**>((decltype(nullptr))0))) js::CrossCompartmentKey::applyToWrapped<js::CrossCompartmentKey::compartment()::GetCompartmentFunctor>(js::CrossCompartmentKey::compartment()::GetCompartmentFunctor)::WrappedMatcher::match(JSObject*&) (obj=<optimized out>, this=<synthetic pointer>) at js/src/jscompartment.h:165
#3  mozilla::detail::VariantImplementation<unsigned char, 0ul, JSObject*, JSString*, mozilla::Tuple<js::NativeObject*, JSScript*>, mozilla::Tuple<js::NativeObject*, JSObject*, js::CrossCompartmentKey::DebuggerObjectKind> >::match<decltype ({parm#1}(static_cast<JSObject**>((decltype(nullptr))0))) js::CrossCompartmentKey::applyToWrapped<js::CrossCompartmentKey::compartment()::GetCompartmentFunctor>(js::CrossCompartmentKey::compartment()::GetCompartmentFunctor)::WrappedMatcher&, mozilla::Variant<JSObject*, JSString*, mozilla::Tuple<js::NativeObject*, JSScript*>, mozilla::Tuple<js::NativeObject*, JSObject*, js::CrossCompartmentKey::DebuggerObjectKind> > >(decltype ({parm#1}(static_cast<JSObject**>((decltype(nullptr))0))) js::CrossCompartmentKey::applyToWrapped<js::CrossCompartmentKey::compartment()::GetCompartmentFunctor>(js::CrossCompartmentKey::compartment()::GetCompartmentFunctor)::WrappedMatcher&, mozilla::Variant<JSObject*, JSString*, mozilla::Tuple<js::NativeObject*, JSScript*>, mozilla::Tuple<js::NativeObject*, JSObject*, js::CrossCompartmentKey::DebuggerObjectKind> >&) (aV=..., aMatcher=<synthetic pointer>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/opt/dist/include/mozilla/Variant.h:266
#4  mozilla::Variant<JSObject*, JSString*, mozilla::Tuple<js::NativeObject*, JSScript*>, mozilla::Tuple<js::NativeObject*, JSObject*, js::CrossCompartmentKey::DebuggerObjectKind> >::match<decltype ({parm#1}(static_cast<JSObject**>((decltype(nullptr))0))) js::CrossCompartmentKey::applyToWrapped<js::CrossCompartmentKey::compartment()::GetCompartmentFunctor>(js::CrossCompartmentKey::compartment()::GetCompartmentFunctor)::WrappedMatcher&>(decltype ({parm#1}(static_cast<JSObject**>((decltype(nullptr))0))) js::CrossCompartmentKey::applyToWrapped<js::CrossCompartmentKey::compartment()::GetCompartmentFunctor>(js::CrossCompartmentKey::compartment()::GetCompartmentFunctor)::WrappedMatcher&) (aMatcher=<synthetic pointer>, this=0x7ffff6983ab8) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/opt/dist/include/mozilla/Variant.h:625
#5  js::CrossCompartmentKey::applyToWrapped<js::CrossCompartmentKey::compartment()::GetCompartmentFunctor>(js::CrossCompartmentKey::compartment()::GetCompartmentFunctor) (f=..., this=<optimized out>) at js/src/jscompartment.h:170
#6  js::CrossCompartmentKey::compartment (this=<optimized out>) at js/src/jscompartment.h:197
#7  js::gc::GCRuntime::markCompartments (this=this@entry=0x7ffff695e410) at js/src/jsgc.cpp:4028
#8  0x000000000082bf04 in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x7ffff695e410, reason=reason@entry=JS::gcreason::ALLOC_TRIGGER, lock=...) at js/src/jsgc.cpp:3971
#9  0x00000000008414f5 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff695e410, budget=..., reason=reason@entry=JS::gcreason::ALLOC_TRIGGER, lock=...) at js/src/jsgc.cpp:6147
#10 0x0000000000842571 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff695e410, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::ALLOC_TRIGGER) at js/src/jsgc.cpp:6507
#11 0x00000000008429cd in js::gc::GCRuntime::collect (this=this@entry=0x7ffff695e410, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::ALLOC_TRIGGER) at js/src/jsgc.cpp:6656
#12 0x00000000008443f2 in js::gc::GCRuntime::startGC (this=0x7ffff695e410, gckind=GC_NORMAL, reason=JS::gcreason::ALLOC_TRIGGER, millis=<optimized out>) at js/src/jsgc.cpp:6734
#13 0x00000000008444da in js::gc::GCRuntime::gcIfRequested (this=0x7ffff695e410) at js/src/jsgc.cpp:6932
#14 0x000000000098c14a in InvokeInterruptCallback (cx=0x7ffff694a000) at js/src/vm/Runtime.cpp:505
#15 0x0000099b2da51406 in ?? ()
[...]
#25 0x0000000000000000 in ?? ()
rax	0x7ffff6983ab0	140737330559664
rbx	0x7fffffffc720	140737488340768
rcx	0x7ffff6983b40	140737330559808
rdx	0x2f2f2f2f2f2f2f2f	3399988123389603631
rsi	0x4	4
rdi	0x7fffffffc700	140737488340736
rbp	0x7ffff695e410	140737330406416
rsp	0x7fffffffc6d0	140737488340688
r8	0x7ffff695e448	140737330406472
r9	0x7ffff6a001a8	140737331069352
r10	0x7ffff6a00218	140737331069464
r11	0x340	832
r12	0x7ffff695e468	140737330406504
r13	0x1	1
r14	0x20	32
r15	0x7fffffffc700	140737488340736
rip	0x82b677 <js::gc::GCRuntime::markCompartments()+455>
=> 0x82b677 <js::gc::GCRuntime::markCompartments()+455>:	mov    0x10(%rdx),%rdx
   0x82b67b <js::gc::GCRuntime::markCompartments()+459>:	test   %rdx,%rdx


This one was hard to reduce and still seems to be sensitive to the number of iterations etc., as I was not able to simplify the loop further. Marking s-s because I don't know if this affects the browser and it's a GC issue with use-after-free.
This is probably related to the other nukeCCW bugs we have open.
Keywords: sec-high
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1bfa4578aa56).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d439fa74bf05
user:        Tom Schuster
date:        Thu Feb 23 15:26:49 2017 +0100
summary:     Bug 1319087 - Add nukeCCW to the shell and test it. r=jandem

This iteration took 223.984 seconds to run.
Guessing likely related to bug 1357022.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/e8d2fe983c62
user:        Jon Coppeard
date:        Thu May 25 09:02:06 2017 -0400
summary:     Bug 1357022 - Ensure nuked CCWs are removed from the wrapper map r=sfink

This iteration took 227.831 seconds to run.
As per comment 1 and comment 4, this is likely a dupe of bug 1357022.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:] → [jsbugmon:][adv-main55-]
Group: javascript-core-security
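The fix bisection above lands on bug 1357022, "Ensure nuked CCWs are removed from the wrapper map", and the crashing frame is markCompartments reading the compartment of a wrapper-map key. The following is an added, deliberately simplified model of that failure mode written for this page; it is not SpiderMonkey code, and the names (Runtime, Compartment, wrap, nuke, collect, danglingKeysAfterNuke) are this model's own. It keeps a per-compartment map from wrapped object to wrapper, nukes a wrapper either with or without removing its map entry, collects the wrapped object, and then walks the maps the way the GC does, counting keys that point at collected objects. With the buggy nuke the walk hits one dangling key; with the fixed nuke it hits none.

```cpp
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>

struct Compartment;

// One GC thing. `compartment` is the field JSObject::compartment() reads in
// frame #0 of the backtrace; `target` stands in for a wrapper's wrapped object.
struct Object {
    Compartment* compartment = nullptr;
    Object* target = nullptr;
};

struct Compartment {
    std::string name;
    std::vector<std::unique_ptr<Object>> objects;
    // Wrapped object (lives in another compartment) -> local wrapper.
    // This is the structure the GC walks in markCompartments.
    std::map<Object*, Object*> wrapperMap;

    Object* alloc() {
        objects.push_back(std::make_unique<Object>());
        objects.back()->compartment = this;
        return objects.back().get();
    }
};

struct Runtime {
    std::vector<std::unique_ptr<Compartment>> compartments;
    // Collected objects are parked here instead of being released, so the
    // model itself has no undefined behaviour; `freed` plays the sanitiser.
    std::vector<std::unique_ptr<Object>> graveyard;
    std::set<Object*> freed;

    Compartment* newCompartment(const std::string& name) {
        compartments.push_back(std::make_unique<Compartment>());
        compartments.back()->name = name;
        return compartments.back().get();
    }

    // Create a wrapper in `from` for `target` (which lives elsewhere) and
    // register it in `from`'s wrapper map under the wrapped object.
    Object* wrap(Compartment* from, Object* target) {
        Object* wrapper = from->alloc();
        wrapper->target = target;
        from->wrapperMap[target] = wrapper;
        return wrapper;
    }

    // Nuke a wrapper: cut it off from its target. The buggy variant leaves the
    // map entry behind; the fixed variant (what the bug 1357022 summary
    // describes) removes it.
    void nuke(Object* wrapper, bool removeFromMap) {
        Object* target = wrapper->target;
        wrapper->target = nullptr;
        if (removeFromMap) {
            wrapper->compartment->wrapperMap.erase(target);
        }
    }

    // Collect one object nothing references any more. A real GC finds this
    // out by marking; the model takes the victim explicitly.
    void collect(Object* obj) {
        auto& objs = obj->compartment->objects;
        for (auto it = objs.begin(); it != objs.end(); ++it) {
            if (it->get() == obj) {
                graveyard.push_back(std::move(*it));
                objs.erase(it);
                freed.insert(obj);
                return;
            }
        }
    }

    // The walk that crashes in the backtrace: for every wrapper-map key, read
    // the wrapped object's compartment. Returns how many keys point at
    // collected objects; in the engine each such read is the use-after-free.
    int markCompartments() {
        int dangling = 0;
        for (auto& c : compartments) {
            for (auto& entry : c->wrapperMap) {
                Object* wrapped = entry.first;
                if (freed.count(wrapped)) {
                    ++dangling;
                    continue;
                }
                (void)wrapped->compartment;  // safe: the key is still live
            }
        }
        return dangling;
    }
};

// The sequence from the testcase: global g produces an object (the warning),
// the main compartment wraps it, the wrapper is nuked, the object is later
// collected, and the next GC runs markCompartments.
int danglingKeysAfterNuke(bool fixedNuke) {
    Runtime rt;
    Compartment* mainComp = rt.newCompartment("main");
    Compartment* g = rt.newCompartment("g");
    Object* warning = g->alloc();
    Object* ccw = rt.wrap(mainComp, warning);
    rt.nuke(ccw, fixedNuke);
    rt.collect(warning);
    return rt.markCompartments();  // 1 with the buggy nuke, 0 with the fix
}
```

The `freed` set is what the real engine lacks at this point: there, the key is a raw pointer into a swept arena, so the read in markCompartments is the crash (or, in a debug build, the !sweepKey assertion in the title). Removing the entry at nuke time, as the fix does, is the change that makes the walk safe rather than any check inside the walk.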