Closed Bug 1444340 Opened 6 years ago Closed 6 years ago

Assertion failure: comp == compartment || runtime()->isAtomsCompartment(comp) || (srcKind == JS::TraceKind::Object && InCrossCompartmentMap(static_cast<JSObject*>(src), thing)), at js/src/gc/GC.cpp:4069

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1353351

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update]) 

The following testcase crashes on mozilla-central revision a6a32fb286fa+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --no-threads --ion-eager):

fullcompartmentchecks(11);
newGlobal({
    sameZoneAs: []
}).constructor;


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000e892d1 in CompartmentCheckTracer::onChild (this=0x7fffffffcf60, thing=...) at js/src/gc/GC.cpp:4067
#0  0x0000000000e892d1 in CompartmentCheckTracer::onChild (this=0x7fffffffcf60, thing=...) at js/src/gc/GC.cpp:4067
#1  0x00000000008af8c2 in JS::CallbackTracer::onObjectEdge (this=0x7fffffffcf60, objp=<optimized out>) at dist/include/js/TracingAPI.h:148
#2  0x0000000000ef649d in JS::CallbackTracer::dispatchToOnEdge (objp=0x7ffff5a67148, this=0x7fffffffcf60) at dist/include/js/TracingAPI.h:240
#3  DoCallback<JSObject*> (trc=0x7fffffffcf60, thingp=0x7ffff5a67148, name=0x12056c6 "cacheir-object") at js/src/gc/Tracer.cpp:46
#4  0x00000000006db571 in js::jit::TraceCacheIRStub<js::jit::ICStub> (trc=trc@entry=0x7fffffffcf68, stub=stub@entry=0x7ffff5a67100, stubInfo=0x7ffff5a35d30) at js/src/jit/CacheIRCompiler.cpp:963
#5  0x00000000008ce567 in js::jit::ICStub::trace (this=this@entry=0x7ffff5a67100, trc=trc@entry=0x7fffffffcf68) at js/src/jit/SharedIC.cpp:313
#6  0x00000000008ce7f3 in js::jit::ICEntry::traceEntry (trc=trc@entry=0x7fffffffcf68, this=<optimized out>) at js/src/jit/SharedIC.cpp:115
#7  js::jit::BaselineICEntry::trace (this=<optimized out>, trc=trc@entry=0x7fffffffcf68) at js/src/jit/SharedIC.cpp:106
#8  0x0000000000632540 in js::jit::BaselineScript::trace (trc=0x7fffffffcf68, this=0x7ffff5968ac0) at js/src/jit/BaselineJIT.cpp:434
#9  js::jit::BaselineScript::Trace (trc=0x7fffffffcf68, script=0x7ffff5968ac0) at js/src/jit/BaselineJIT.cpp:449
#10 0x0000000000ee7f6a in js::TraceChildren (trc=trc@entry=0x7fffffffcf68, thing=0x7ffff5d930d0, kind=kind@entry=JS::TraceKind::Script) at js/src/gc/Tracer.cpp:126
#11 0x0000000000e96acb in js::gc::GCRuntime::checkForCompartmentMismatches (this=<optimized out>) at js/src/gc/GC.cpp:4093
#12 0x0000000000ea8378 in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x7ffff5f1a780, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME, session=...) at js/src/gc/GC.cpp:4276
#13 0x0000000000ea983c in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff5f1a780, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME, session=...) at js/src/gc/GC.cpp:7007
#14 0x0000000000eaacb9 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff5f1a780, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7395
#15 0x0000000000eab375 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f1a780, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7538
#16 0x0000000000eab6b9 in js::gc::GCRuntime::gc (this=this@entry=0x7ffff5f1a780, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7608
#17 0x0000000000beaa2b in JSRuntime::destroyRuntime (this=0x7ffff5f1a000) at js/src/vm/Runtime.cpp:316
#18 0x0000000000b69db9 in js::DestroyContext (cx=0x7ffff5f16000) at js/src/vm/JSContext.cpp:252
#19 0x00000000009b1aaa in JS_DestroyContext (cx=<optimized out>) at js/src/jsapi.cpp:505
#20 0x00000000004446bf in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9425
rax	0x0	0
rbx	0x7fffffffcf60	140737488342880
rcx	0x7ffff6c282ad	140737333330605
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffcd40	140737488342336
rsp	0x7fffffffcd30	140737488342320
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4780	140737354024832
r10	0x58	88
r11	0x7ffff6b9e7a0	140737332766624
r12	0x7fffffffcd50	140737488342352
r13	0xe89200	15241728
r14	0x20	32
r15	0x12c350c	19674380
rip	0xe892d1 <CompartmentCheckTracer::onChild(JS::GCCellPtr const&)+209>
=> 0xe892d1 <CompartmentCheckTracer::onChild(JS::GCCellPtr const&)+209>:	movl   $0x0,0x0
   0xe892dc <CompartmentCheckTracer::onChild(JS::GCCellPtr const&)+220>:	ud2


I assume this is a shell-only problem judging from the simple test.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6b718178f43f
user:        Tom Schuster
date:        Wed Feb 22 21:16:04 2017 +0100
summary:     Bug 1319087 - Implement a CrossCompartmentWrapper IC stub. r=bz,bholley,jandem

This iteration took 265.805 seconds to run.
Tom, could you take a look?
Flags: needinfo?(evilpies)
Priority: -- → P1
Mhm I feel like I had seen something like this shortly after landing bug 1319087. We can basically trace cross-compartment objects, but I thought InCrossCompartmentMap would protect against that assert firing. Maybe someone from GC can take a look?
Flags: needinfo?(evilpies) → needinfo?(sphink)
Jason, can you provide an owner for this p1?
status-firefox60: affected → ---
Flags: needinfo?(jorendorff)
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(sphink)
Resolution: --- → DUPLICATE
Flags: needinfo?(jorendorff)
You need to log in before you can comment on or make changes to this bug.