Closed Bug 1461319 Opened 6 years ago Closed 6 years ago

Assertion failure: MaybeForwarded(frameobj.get())->getPrivate(), at js/src/vm/Debugger.cpp:3200

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla62
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 --- unaffected
firefox62 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision a7461494a7a0 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe):

gczeal(14);
var g = newGlobal();
g.eval('function f(a) { evaluate("f(" + " - 1);", {newContext: true}); }');
var dbg = new Debugger(g);
dbg.onEnterFrame = function(frame) {};
g.f();


Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x08716f76 in js::Debugger::trace (this=0xf6e21800, trc=0xf63f9a3c) at js/src/vm/Debugger.cpp:3200
#1  0x087bd444 in js::Class::doTrace (this=<optimized out>, obj=0xf5b6b160, trc=0xf63f9a3c) at dist/include/js/Class.h:869
#2  JSObject::traceChildren (this=0xf5b6b160, trc=0xf63f9a3c) at js/src/vm/JSObject.cpp:4005
#3  0x08b01134 in UpdateCellPointers<JSObject> (cell=0xf5b6b160, trc=0xf63f99b8) at js/src/gc/GC.cpp:2592
#4  UpdateArenaPointersTyped<JSObject> (trc=trc@entry=0xf63f9a38, arena=arena@entry=0xf5b6b000) at js/src/gc/GC.cpp:2600
#5  0x08b0120a in UpdateArenaPointers (arena=0xf5b6b000, trc=0xf63f9a38) at js/src/gc/GC.cpp:2616
#6  js::gc::UpdatePointersTask::updateArenas (this=0xfffc23bc) at js/src/gc/GC.cpp:2738
#7  0x08b018ba in js::gc::UpdatePointersTask::run (this=0xfffc23bc) at js/src/gc/GC.cpp:2748
#8  0x0878526d in js::GCParallelTask::runTask (this=0xfffc23bc) at js/src/gc/GCParallelTask.h:127
#9  js::GCParallelTask::runFromHelperThread (this=0xfffc23bc, lock=...) at js/src/vm/HelperThreads.cpp:1586
[...]
eax	0x0	0
ebx	0x8ea4000	149569536
ecx	0xf7d9f864	-136710044
edx	0x0	0
esi	0xf63f990c	-163604212
edi	0xf5833040	-175951808
ebp	0xf63f9948	4131363144
esp	0xf63f98e0	4131363040
eip	0x8716f76 <js::Debugger::trace(JSTracer*)+278>
=> 0x8716f76 <js::Debugger::trace(JSTracer*)+278>:	movl   $0x0,0x0
   0x8716f80 <js::Debugger::trace(JSTracer*)+288>:	ud2



Only reproduces on 32-bit for me.
Assignee: nobody → jcoppeard
Blocks: 1457703
Patch to fix a couple of places we access the shape of an associated object in the debugger object trace hook.  This is just caused by an assertion so I don't think there's any security impact here.
Attachment #8975526 - Flags: review?(sphink)
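A toy C++ model of the hazard this patch addresses, added here as an illustration rather than code from the bug or from SpiderMonkey. The Shape, Object, DebuggerObject and relocate() definitions and the forwardedTo field are assumptions standing in for the engine's real relocation machinery; only the stale-shape-pointer behaviour is modelled.

```cpp
#include <cstdint>

// Toy model of moving-GC forwarding (assumption: SpiderMonkey's real
// MaybeForwarded() reads a relocation overlay; only the hazard is modelled).
struct Shape {
    uint32_t numFixedSlots;
    Shape* forwardedTo = nullptr;  // set once the GC has moved this cell
};

// Follow the forwarding pointer if the cell was relocated, else return it.
template <typename T>
T* MaybeForwarded(T* cell) {
    return cell->forwardedTo ? cell->forwardedTo : cell;
}

struct Object {
    Shape* shape;
    // Only valid for the object being traced, whose pointers the GC already updated.
    uint32_t numFixedSlots() const { return shape->numFixedSlots; }
    // Needed when another object's trace hook reaches this object: its shape
    // pointer may still name the moved-from cell.
    uint32_t numFixedSlotsMaybeForwarded() const {
        return MaybeForwarded(shape)->numFixedSlots;
    }
};

// GC moves a shape: copy it, leave a forwarding pointer in the old cell and
// poison the old payload so a stale read is obvious.
Shape* relocate(Shape* old) {
    Shape* fresh = new Shape{old->numFixedSlots};
    old->numFixedSlots = 0xDEADBEEF;
    old->forwardedTo = fresh;
    return fresh;
}

struct DebuggerObject { Object* frameobj; };  // the "associated object"

// The debugger trace hook reading the frame object's slot count, two ways.
uint32_t traceStale(const DebuggerObject& d) { return d.frameobj->numFixedSlots(); }
uint32_t traceSafe(const DebuggerObject& d) { return d.frameobj->numFixedSlotsMaybeForwarded(); }

// Shape moved, but frameobj's own pointer not yet updated (arenas are updated
// in parallel, as in the UpdatePointersTask frames of the backtrace above).
bool staleReadIsWrong() {
    Shape* s = new Shape{3};
    Object frame{s};
    DebuggerObject dbg{&frame};
    relocate(s);  // frame.shape still points at the old, poisoned cell
    return traceStale(dbg) != 3 && traceSafe(dbg) == 3;
}
```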
Comment on attachment 8975526 [details] [diff] [review]
bug1461319-frame-trace

Review of attachment 8975526 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/NativeObject.h
@@ +742,5 @@
>      // Get the number of fixed slots when the shape pointer may have been
> +    // forwarded by a moving GC. You need to use this rather that
> +    // numFixedSlots() in a trace hook if you access an object that is not the
> +    // object being traced, since it may have a stale shape pointer.
> +    inline uint32_t numFixedSlotsMaybeForwarded() const;
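Review bot: typo in the new comment on the numFixedSlotsMaybeForwarded() declaration, "rather that numFixedSlots()" should read "rather than numFixedSlots()". It would also help callers to state the condition positively: the accessor is required whenever a trace hook reads the shape of an object other than the one being traced, because that object's shape pointer may not have been updated yet by the moving GC. This hunk shows only the declaration, so whether the definition actually routes through MaybeForwarded() has to be checked in the rest of the patch.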

That's a very useful comment update, thanks!
Attachment #8975526 - Flags: review?(sphink) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4b6c733447b8
Fix assertion failure accessing shape of associated object when tracing debugger object in a moving GC r=sfink
https://hg.mozilla.org/mozilla-central/rev/4b6c733447b8
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62