Bug 1406437 - Assertion failure: cx->compartment() != untaggedReferent->compartment(), at js/src/vm/Debugger.cpp:5250 with clone
Status: Closed, RESOLVED DUPLICATE of bug 1512509
Opened 7 years ago; closed 5 years ago
Categories: Core :: JavaScript Engine, defect, P2
Reporter: decoder; Assignee: Unassigned
Whiteboard: [jsbugmon:update,ignore] (4 keywords)
The following testcase crashes on mozilla-central revision 294f332a3553 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var gv = newGlobal();                  // debuggee global, separate compartment
gv.f = (function() {});                // function compiled in the debugger's compartment
gv.eval('f = clone(f);');              // cross-compartment clone into the debuggee
var dbg = new Debugger;
var gvw = dbg.addDebuggee(gv);
gvw.getOwnPropertyDescriptor('f').value.script.source;   // Debugger.Script.source getter asserts

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000b96a40 in js::Debugger::wrapVariantReferent<mozilla::Variant<js::ScriptSourceObject*, js::WasmInstanceObject*>, js::ScriptSourceObject*, js::DebuggerWeakMap<JSObject*, true> > (this=this@entry=0x7ffff693c800, cx=cx@entry=0x7ffff6948000, map=..., key=..., key@entry=..., referent=referent@entry=...) at js/src/vm/Debugger.cpp:5250
#0 0x0000000000b96a40 in js::Debugger::wrapVariantReferent<mozilla::Variant<js::ScriptSourceObject*, js::WasmInstanceObject*>, js::ScriptSourceObject*, js::DebuggerWeakMap<JSObject*, true> > (this=this@entry=0x7ffff693c800, cx=cx@entry=0x7ffff6948000, map=..., key=..., key@entry=..., referent=referent@entry=...) at js/src/vm/Debugger.cpp:5250
#1 0x0000000000b6a1ad in js::Debugger::wrapVariantReferent (this=this@entry=0x7ffff693c800, cx=cx@entry=0x7ffff6948000, referent=referent@entry=...) at js/src/vm/Debugger.cpp:6923
#2 0x0000000000b6a684 in js::Debugger::wrapSource (source=..., cx=0x7ffff6948000, this=0x7ffff693c800) at js/src/vm/Debugger.cpp:6939
#3 DebuggerScriptGetSourceMatcher::match (script=..., this=<synthetic pointer>) at js/src/vm/Debugger.cpp:5492
#4 JS::detail::GCVariantImplementation<JSScript*, js::WasmInstanceObject*>::match<DebuggerScriptGetSourceMatcher, mozilla::Variant<JSScript*, js::WasmInstanceObject*> > (v=..., matcher=<synthetic pointer>) at dist/include/js/GCVariant.h:102
#5 js::MutableWrappedPtrOperations<mozilla::Variant<JSScript*, js::WasmInstanceObject*>, JS::Rooted<mozilla::Variant<JSScript*, js::WasmInstanceObject*> > >::match<DebuggerScriptGetSourceMatcher> (matcher=<synthetic pointer>, this=0x7fffffffc580) at dist/include/js/GCVariant.h:185
#6 DebuggerScript_getSource (cx=0x7ffff6948000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:5507
#7 0x000000000055d4e1 in js::CallJSNative (cx=0x7ffff6948000, native=0xb6a400 <DebuggerScript_getSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#8 0x0000000000551d0f in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6948000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495
#9 0x00000000005521ad in InternalCall (cx=cx@entry=0x7ffff6948000, args=...) at js/src/vm/Interpreter.cpp:540
#10 0x0000000000552310 in js::Call (cx=cx@entry=0x7ffff6948000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:559
#11 0x00000000005524d9 in js::CallGetter (cx=0x7ffff6948000, thisv=thisv@entry=..., getter=getter@entry=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:674
#12 0x0000000000bca36c in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=0x7ffff6948000) at js/src/vm/NativeObject.cpp:2121
#13 GetExistingProperty<(js::AllowGC)1> (cx=0x7ffff6948000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:2178
#14 0x0000000000bd0d54 in NativeGetPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff6948000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2377
#15 0x0000000000bd1490 in js::NativeGetProperty (cx=cx@entry=0x7ffff6948000, obj=..., receiver=..., receiver@entry=..., id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:2413
#16 0x000000000055a844 in js::GetProperty (cx=0x7ffff6948000, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1598
#17 0x000000000053f576 in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff6948000) at js/src/jsobj.h:813
#18 js::GetProperty (cx=0x7ffff6948000, v=..., name=..., vp=...) at js/src/vm/Interpreter.cpp:4426
#19 0x00000000005448d4 in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0x7ffff6948000) at js/src/vm/Interpreter.cpp:218
#20 Interpret (cx=0x7ffff6948000, state=...) at js/src/vm/Interpreter.cpp:2804
#21 0x0000000000551771 in js::RunScript (cx=0x7ffff6948000, state=...) at js/src/vm/Interpreter.cpp:435
[...]
#30 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8668

Registers:

rax 0x0 0
rbx 0x7ffff6948000 140737330315264
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffc430 140737488340016
rsp 0x7fffffffc320 140737488339744
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7fffffffc5c8 140737488340424
r13 0x7fffffffc470 140737488340080
r14 0x7ffff693cb18 140737330268952
r15 0x7fffffffc5c8 140737488340424
rip 0xb96a40 <js::Debugger::wrapVariantReferent<mozilla::Variant<js::ScriptSourceObject*, js::WasmInstanceObject*>, js::ScriptSourceObject*, js::DebuggerWeakMap<JSObject*, true> >(JSContext*, js::DebuggerWeakMap<JSObject*, true>&, JS::Handle<js::CrossCompartmentKey>, JS::Handle<mozilla::Variant<js::ScriptSourceObject*, js::WasmInstanceObject*> >)+944>

=> 0xb96a40 <js::Debugger::wrapVariantReferent<mozilla::Variant<js::ScriptSourceObject*, js::WasmInstanceObject*>, js::ScriptSourceObject*, js::DebuggerWeakMap<JSObject*, true> >(JSContext*, js::DebuggerWeakMap<JSObject*, true>&, JS::Handle<js::CrossCompartmentKey>, JS::Handle<mozilla::Variant<js::ScriptSourceObject*, js::WasmInstanceObject*> >)+944>: movl $0x0,0x0
0xb96a4b <js::Debugger::wrapVariantReferent<mozilla::Variant<js::ScriptSourceObject*, js::WasmInstanceObject*>, js::ScriptSourceObject*, js::DebuggerWeakMap<JSObject*, true> >(JSContext*, js::DebuggerWeakMap<JSObject*, true>&, JS::Handle<js::CrossCompartmentKey>, JS::Handle<mozilla::Variant<js::ScriptSourceObject*, js::WasmInstanceObject*> >)+955>: ud2
Comment 1•7 years ago
Nicolas please take a look and reassign/prioritize as appropriate.
Flags: needinfo?(nicolas.b.pierron)
Priority: -- → P2
Comment 2•7 years ago
Is this debugger only? If so, I recommend we not track 58.
Flags: needinfo?(nicolas.b.pierron)
Comment 3•7 years ago
(In reply to Mike Taylor [:miketaylr] (58 Regression Engineering Owner) from comment #2)
> Is this debugger only? If so, I recommend we not track 58.

Yeah, this is just from me exposing clone() to the fuzzers, and that's finding some weird edge cases. This one is likely debugger-only, yes. We don't need to track this, probably.
Flags: needinfo?(nicolas.b.pierron)
Comment 4•7 years ago
This is annoying. We have a debuggee compartment with a function that has a ScriptSourceObject that lives in the debugger compartment, thanks to clone(). Then the .source getter gets confused because it expects the ScriptSourceObject to live in a different compartment. Not sure what the best fix is. Cross-compartment clone() we should keep because XBL uses this API the same way. I guess we could make Debugger::wrapVariantReferent throw an exception instead of asserting...
Flags: needinfo?(jdemooij) → needinfo?(jorendorff)
Comment 5•7 years ago
Or we could just permit it. The Debugger API doesn't/shouldn't let you do anything untoward with a Debugger.Source.
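The reproduction from the description, with a control case beside it, as an example added here; it is not code from the bug report or from SpiderMonkey. It assumes the SpiderMonkey JS shell, where newGlobal, clone, Debugger and print are builtins (under Node or a browser it only reports that they are absent). The control function is compiled inside the debuggee, so its ScriptSourceObject lives in the debuggee compartment; the trigger function is compiled in the debugger's compartment and clone()d across, which is the layout comment 4 describes. Note that the SIGSEGV in the description is the assertion's own abort path (the `movl $0x0,0x0` null store followed by `ud2`), not a stray memory access, so on a pre-fix debug build the clone case aborts the process instead of returning; on a build that permits the access, as comment 5 proposes, both cases return source text.

```javascript
// Added example (not from the bug or from SpiderMonkey): isolates the
// cross-compartment clone() as the trigger for the Debugger.Script.source
// assertion. Assumes the SpiderMonkey JS shell builtins newGlobal, clone,
// Debugger and print; none of these exist in Node or a browser.

function hasShellBuiltins() {
  return typeof newGlobal === "function" &&
         typeof clone === "function" &&
         typeof Debugger === "function";
}

// Read Debugger.Source text for the debuggee global property `name`.
// A thrown error is reported rather than propagated, because a fixed build
// may either throw or permit the access; a pre-fix debug build aborts
// inside the getter and never returns.
function sourceTextOf(gvw, name) {
  try {
    const desc = gvw.getOwnPropertyDescriptor(name);  // Debugger.Object for the value
    const src = desc.value.script.source;             // Debugger.Source
    return { ok: true, text: src.text };
  } catch (e) {
    return { ok: false, error: String(e) };
  }
}

function probe() {
  if (!hasShellBuiltins()) {
    return { available: false };
  }

  const gv = newGlobal();       // debuggee global in its own compartment
  const dbg = new Debugger();   // Debugger object lives in this (debugger) compartment
  const gvw = dbg.addDebuggee(gv);

  // Control: compiled inside the debuggee, so script and ScriptSourceObject
  // share the debuggee compartment. Expected to work on any build.
  gv.eval("function native_fn() { return 1; }");

  // Trigger: compiled here, then clone()d into the debuggee. The clone keeps
  // a ScriptSourceObject from the debugger compartment, which is the
  // combination wrapVariantReferent asserts against (comment 4).
  gv.f = function cloned_fn() { return 2; };
  gv.eval("f = clone(f);");

  return {
    available: true,
    control: sourceTextOf(gvw, "native_fn"),
    cloned: sourceTextOf(gvw, "f"),
  };
}

if (typeof print === "function") {
  print(JSON.stringify(probe(), null, 2));
}
```

Run it as `js --fuzzing-safe probe.js` (the flag matters: the bisected changeset, bug 1403368, is what made clone() available under --fuzzing-safe). Comparing the `control` and `cloned` results on the same build tells you whether the problem is the Debugger.Source path in general or specifically the cross-compartment clone.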
Comment 6•6 years ago
https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Move_fix-optionals
status-firefox59:
--- → ?
Comment 7•6 years ago
As another data point, I consistently get this crash the FIRST time I attach to my debug Nightly with a remote debugger with a fresh profile. After the first crash, future connections work.
Comment 8•6 years ago
(In reply to Brad Werth [:bradwerth] from comment #7)
> As another data point, I consistently get this crash the FIRST time I attach
> to my debug Nightly with a remote debugger with a fresh profile. After the
> first crash, future connections work.

Ugh, except now I'm getting this assert on ALL attempts to connect.
As per bug 1512509 comment 4, this should be fixed by the patch in bug 1512509.
Flags: needinfo?(jorendorff)
Updated•5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 10•5 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e56861273c64
user: Jan de Mooij
date: Fri Sep 29 12:09:54 2017 +0200
summary: Bug 1403368 - Make clone() shell function fuzzing-safe. r=luke

This iteration took 261.732 seconds to run.
Updated•5 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 12•5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 3725bb5bafa0).
Comment 13•5 years ago
Fixed by bug 1512509.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE