Closed
Bug 1365903
Opened 7 years ago
Closed 7 years ago
Crash [@ JSObject::compartment] or Assertion failure: !sweepKey, at gc/NurseryAwareHashMap.h:157 with nukeCCW and enableLastWarning
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1357022
| | Tracking | Status |
|---|---|---|
| firefox55 | --- | fixed |
People
(Reporter: decoder, Unassigned)
Details
(6 keywords, Whiteboard: [jsbugmon:][adv-main55-])
Crash Data
The following testcase crashes on mozilla-central revision e66dedabe582 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --disable-oom-functions --ion-offthread-compile=off --ion-eager --baseline-eager):

```js
lfLogBuffer = `
function testWarn(code) {
  enableLastWarning();
  g = newGlobal();
  g.code = code;
  g.eval('eval(code)');
  warning = getLastWarning();
  nukeCCW(warning)
}
testWarn("function f() 1")
//corefuzzdcdendofdata
//corefuzzdcdendofdata
`.split('\n');
lfCodeBuffer = lfAccumulatedCode = "";
// Feed the buffered lines through the harness one at a time, re-evaluating
// the accumulated code on every iteration.
while (true) {
  line = lfLogBuffer.shift();
  if (line) loadFile(lfCodeBuffer);
  lfCodeBuffer += line;
}
function loadFile(lfVarx) {
  eval(lfAccumulatedCode)
  lfAccumulatedCode = "try { evaluate(`\n" + lfVarx + "\n`) } catch(exc) {}\n"
}
```

Backtrace:

```
received signal SIGSEGV, Segmentation fault.
0x000000000082b677 in JSObject::compartment (this=0x7ffff5300e28) at js/src/jsobj.h:175
#0  0x000000000082b677 in JSObject::compartment (this=0x7ffff5300e28) at js/src/jsobj.h:175
#1  js::CrossCompartmentKey::compartment()::GetCompartmentFunctor::operator()(JSObject**) const (this=<synthetic pointer>, tp=<optimized out>) at js/src/jscompartment.h:191
#2  decltype ({parm#1}(static_cast<JSObject**>((decltype(nullptr))0))) js::CrossCompartmentKey::applyToWrapped<js::CrossCompartmentKey::compartment()::GetCompartmentFunctor>(js::CrossCompartmentKey::compartment()::GetCompartmentFunctor)::WrappedMatcher::match(JSObject*&) (obj=<optimized out>, this=<synthetic pointer>) at js/src/jscompartment.h:165
#3  mozilla::detail::VariantImplementation<unsigned char, 0ul, JSObject*, JSString*, mozilla::Tuple<js::NativeObject*, JSScript*>, mozilla::Tuple<js::NativeObject*, JSObject*, js::CrossCompartmentKey::DebuggerObjectKind> >::match<decltype ({parm#1}(static_cast<JSObject**>((decltype(nullptr))0))) js::CrossCompartmentKey::applyToWrapped<js::CrossCompartmentKey::compartment()::GetCompartmentFunctor>(js::CrossCompartmentKey::compartment()::GetCompartmentFunctor)::WrappedMatcher&, mozilla::Variant<JSObject*, JSString*, mozilla::Tuple<js::NativeObject*, JSScript*>, mozilla::Tuple<js::NativeObject*, JSObject*, js::CrossCompartmentKey::DebuggerObjectKind> > >(decltype ({parm#1}(static_cast<JSObject**>((decltype(nullptr))0))) js::CrossCompartmentKey::applyToWrapped<js::CrossCompartmentKey::compartment()::GetCompartmentFunctor>(js::CrossCompartmentKey::compartment()::GetCompartmentFunctor)::WrappedMatcher&, mozilla::Variant<JSObject*, JSString*, mozilla::Tuple<js::NativeObject*, JSScript*>, mozilla::Tuple<js::NativeObject*, JSObject*, js::CrossCompartmentKey::DebuggerObjectKind> >&) (aV=..., aMatcher=<synthetic pointer>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/opt/dist/include/mozilla/Variant.h:266
#4  mozilla::Variant<JSObject*, JSString*, mozilla::Tuple<js::NativeObject*, JSScript*>, mozilla::Tuple<js::NativeObject*, JSObject*, js::CrossCompartmentKey::DebuggerObjectKind> >::match<decltype ({parm#1}(static_cast<JSObject**>((decltype(nullptr))0))) js::CrossCompartmentKey::applyToWrapped<js::CrossCompartmentKey::compartment()::GetCompartmentFunctor>(js::CrossCompartmentKey::compartment()::GetCompartmentFunctor)::WrappedMatcher&>(decltype ({parm#1}(static_cast<JSObject**>((decltype(nullptr))0))) js::CrossCompartmentKey::applyToWrapped<js::CrossCompartmentKey::compartment()::GetCompartmentFunctor>(js::CrossCompartmentKey::compartment()::GetCompartmentFunctor)::WrappedMatcher&) (aMatcher=<synthetic pointer>, this=0x7ffff6983ab8) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/opt/dist/include/mozilla/Variant.h:625
#5  js::CrossCompartmentKey::applyToWrapped<js::CrossCompartmentKey::compartment()::GetCompartmentFunctor>(js::CrossCompartmentKey::compartment()::GetCompartmentFunctor) (f=..., this=<optimized out>) at js/src/jscompartment.h:170
#6  js::CrossCompartmentKey::compartment (this=<optimized out>) at js/src/jscompartment.h:197
#7  js::gc::GCRuntime::markCompartments (this=this@entry=0x7ffff695e410) at js/src/jsgc.cpp:4028
#8  0x000000000082bf04 in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x7ffff695e410, reason=reason@entry=JS::gcreason::ALLOC_TRIGGER, lock=...) at js/src/jsgc.cpp:3971
#9  0x00000000008414f5 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff695e410, budget=..., reason=reason@entry=JS::gcreason::ALLOC_TRIGGER, lock=...) at js/src/jsgc.cpp:6147
#10 0x0000000000842571 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff695e410, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::ALLOC_TRIGGER) at js/src/jsgc.cpp:6507
#11 0x00000000008429cd in js::gc::GCRuntime::collect (this=this@entry=0x7ffff695e410, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::ALLOC_TRIGGER) at js/src/jsgc.cpp:6656
#12 0x00000000008443f2 in js::gc::GCRuntime::startGC (this=0x7ffff695e410, gckind=GC_NORMAL, reason=JS::gcreason::ALLOC_TRIGGER, millis=<optimized out>) at js/src/jsgc.cpp:6734
#13 0x00000000008444da in js::gc::GCRuntime::gcIfRequested (this=0x7ffff695e410) at js/src/jsgc.cpp:6932
#14 0x000000000098c14a in InvokeInterruptCallback (cx=0x7ffff694a000) at js/src/vm/Runtime.cpp:505
#15 0x0000099b2da51406 in ?? ()
[...]
#25 0x0000000000000000 in ?? ()
rax            0x7ffff6983ab0	140737330559664
rbx            0x7fffffffc720	140737488340768
rcx            0x7ffff6983b40	140737330559808
rdx            0x2f2f2f2f2f2f2f2f	3399988123389603631
rsi            0x4	4
rdi            0x7fffffffc700	140737488340736
rbp            0x7ffff695e410	140737330406416
rsp            0x7fffffffc6d0	140737488340688
r8             0x7ffff695e448	140737330406472
r9             0x7ffff6a001a8	140737331069352
r10            0x7ffff6a00218	140737331069464
r11            0x340	832
r12            0x7ffff695e468	140737330406504
r13            0x1	1
r14            0x20	32
r15            0x7fffffffc700	140737488340736
rip            0x82b677	<js::gc::GCRuntime::markCompartments()+455>
=> 0x82b677 <js::gc::GCRuntime::markCompartments()+455>:	mov    0x10(%rdx),%rdx
   0x82b67b <js::gc::GCRuntime::markCompartments()+459>:	test   %rdx,%rdx
```

This one was hard to reduce and still seems to be sensitive to the number of iterations etc., as I was not able to simplify the loop further. Marking s-s because I don't know if this affects the browser and it's a GC issue with use-after-free.
Comment 1•7 years ago
This is probably related to the other nukeCCW bugs we have open.
Updated•7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
Comment 2•7 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1bfa4578aa56).

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d439fa74bf05
user: Tom Schuster
date: Thu Feb 23 15:26:49 2017 +0100
summary: Bug 1319087 - Add nukeCCW to the shell and test it. r=jandem

This iteration took 223.984 seconds to run.
Guessing likely related to bug 1357022.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Updated•7 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 4•7 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e8d2fe983c62
user: Jon Coppeard
date: Thu May 25 09:02:06 2017 -0400
summary: Bug 1357022 - Ensure nuked CCWs are removed from the wrapper map r=sfink

This iteration took 227.831 seconds to run.
As per comment 1 and comment 4, this is likely a dupe of bug 1357022.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Comment 6•7 years ago
Fixed in 55 in bug 1357022.
Updated•7 years ago
Whiteboard: [jsbugmon:] → [jsbugmon:][adv-main55-]
Updated•6 years ago
Group: javascript-core-security