Bug 1461319 (Closed)
Assertion failure: MaybeForwarded(frameobj.get())->getPrivate(), at js/src/vm/Debugger.cpp:3200
Opened 6 years ago; closed 6 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target milestone: mozilla62

Tracking | Status
---|---
firefox-esr52 | unaffected
firefox-esr60 | unaffected
firefox60 | unaffected
firefox61 | unaffected
firefox62 | fixed

People: Reporter: decoder; Assigned: jonco
Keywords: 4 keywords; Whiteboard: [jsbugmon:update,bisect]
Attachments (1 file): patch, 3.16 KB; sfink: review+
Description (decoder, reporter):

The following testcase crashes on mozilla-central revision a7461494a7a0 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe):

    gczeal(14);   // GC zeal mode 14: force a shrinking (compacting) collection every N allocations
    var g = newGlobal();
    g.eval('function f(a) { evaluate("f(" + " - 1);", {newContext: true}); }');
    var dbg = new Debugger(g);
    dbg.onEnterFrame = function(frame) {};   // every frame entry creates a Debugger.Frame object
    g.f();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0 0x08716f76 in js::Debugger::trace (this=0xf6e21800, trc=0xf63f9a3c) at js/src/vm/Debugger.cpp:3200
#1 0x087bd444 in js::Class::doTrace (this=<optimized out>, obj=0xf5b6b160, trc=0xf63f9a3c) at dist/include/js/Class.h:869
#2 JSObject::traceChildren (this=0xf5b6b160, trc=0xf63f9a3c) at js/src/vm/JSObject.cpp:4005
#3 0x08b01134 in UpdateCellPointers<JSObject> (cell=0xf5b6b160, trc=0xf63f99b8) at js/src/gc/GC.cpp:2592
#4 UpdateArenaPointersTyped<JSObject> (trc=trc@entry=0xf63f9a38, arena=arena@entry=0xf5b6b000) at js/src/gc/GC.cpp:2600
#5 0x08b0120a in UpdateArenaPointers (arena=0xf5b6b000, trc=0xf63f9a38) at js/src/gc/GC.cpp:2616
#6 js::gc::UpdatePointersTask::updateArenas (this=0xfffc23bc) at js/src/gc/GC.cpp:2738
#7 0x08b018ba in js::gc::UpdatePointersTask::run (this=0xfffc23bc) at js/src/gc/GC.cpp:2748
#8 0x0878526d in js::GCParallelTask::runTask (this=0xfffc23bc) at js/src/gc/GCParallelTask.h:127
#9 js::GCParallelTask::runFromHelperThread (this=0xfffc23bc, lock=...) at js/src/vm/HelperThreads.cpp:1586
[...]

Registers:

eax 0x0 0
ebx 0x8ea4000 149569536
ecx 0xf7d9f864 -136710044
edx 0x0 0
esi 0xf63f990c -163604212
edi 0xf5833040 -175951808
ebp 0xf63f9948 4131363144
esp 0xf63f98e0 4131363040
eip 0x8716f76 <js::Debugger::trace(JSTracer*)+278>
=> 0x8716f76 <js::Debugger::trace(JSTracer*)+278>: movl $0x0,0x0
0x8716f80 <js::Debugger::trace(JSTracer*)+288>: ud2

Only reproduces on 32-bit for me.
Updated:
Assignee: nobody → jcoppeard
Comment 1 (jonco, assignee):
Patch to fix a couple of places we access the shape of an associated object in the debugger object trace hook. This is just caused by an assertion so I don't think there's any security impact here.
Attachment #8975526 - Flags: review?(sphink)
Comment 2 (sfink):
Comment on attachment 8975526 [details] [diff] [review]
bug1461319-frame-trace

Review of attachment 8975526 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/NativeObject.h
@@ +742,5 @@
> // Get the number of fixed slots when the shape pointer may have been
> + // forwarded by a moving GC. You need to use this rather that
> + // numFixedSlots() in a trace hook if you access an object that is not the
> + // object being traced, since it may have a stale shape pointer.
> + inline uint32_t numFixedSlotsMaybeForwarded() const;

That's a very useful comment update, thanks!
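Review bot: the new comment in the NativeObject.h hunk reads "You need to use this rather that numFixedSlots()"; that should be "rather than", and it is worth fixing before landing since this comment is what tells the next trace-hook author which accessor to pick. Only the declaration of numFixedSlotsMaybeForwarded() is in this hunk, so the hunk itself gives no way to confirm that the inline definition actually reads the slot count through MaybeForwarded(shape) instead of the raw shape pointer; the definition hunk should be checked for that, and the comment could say explicitly that it is the shape pointer of the associated object that may be stale, not the associated object pointer itself.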
Attachment #8975526 - Flags: review?(sphink) → review+
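As an added illustration of the hazard that comment 1 and the quoted header comment describe (this is example code added here, not the patch and not SpiderMonkey code): during the update-pointers phase of a compacting GC a trace hook runs on an object whose own pointers are being fixed up, but any other object it reaches, here the debugger's associated frame object, may still hold a shape pointer to a cell that has already been relocated. Reading the fixed-slot count through that stale pointer yields whatever the relocation overlay left behind, so the offset of the private word computed from it is garbage. The model below uses simplified stand-ins: Shape, Object, DebuggerObject, MaybeForwarded, relocate, traceDebugger and runDemo are all assumed names modelled on the engine's idioms, the 0xDEADBEEF poison and the sample slot values are constructed, and the "arena" is just a vector. It contrasts a trace hook that calls numFixedSlots() with one that calls numFixedSlotsMaybeForwarded().

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed poison value: the real engine overwrites a relocated cell with a
// RelocationOverlay, so whatever a stale pointer reads there is garbage.
static const uint32_t kPoisonedSlotCount = 0xDEADBEEFu;

struct Shape {
    uint32_t numFixedSlots;
    bool forwarded = false;       // true once a moving GC has relocated this cell
    Shape* newLocation = nullptr; // where the live copy now lives
};

// Mirrors js::MaybeForwarded: follow the forwarding pointer if one is present.
static Shape* MaybeForwarded(Shape* s) { return s->forwarded ? s->newLocation : s; }

struct Object {
    Shape* shape;
    std::vector<uint64_t> slots; // fixed slots, then the private word

    // Only valid while `shape` is known to be current (the object being traced).
    uint32_t numFixedSlots() const { return shape->numFixedSlots; }
    // Safe for an associated object whose shape pointer may not have been updated yet.
    uint32_t numFixedSlotsMaybeForwarded() const {
        return MaybeForwarded(shape)->numFixedSlots;
    }
};

// The private word sits right after the fixed slots, so reading it needs the
// slot count. Returns false instead of reading out of bounds when that count is garbage.
static bool readPrivate(const Object& o, uint32_t nfixed, uint64_t* out) {
    if (nfixed >= o.slots.size()) return false;
    *out = o.slots[nfixed];
    return true;
}

// Stand-in for the debugger object: its trace hook reaches an associated frame object.
struct DebuggerObject {
    Object* frameObj;
};

// Relocate a shape the way a compacting GC does: copy it, leave a forwarding
// record in the old cell and clobber the old payload. Pointers *to* the shape
// (frameObj->shape here) are deliberately left stale, as they are in the engine
// until the update-pointers phase reaches their owner.
static Shape* relocate(Shape* old, std::vector<Shape*>& arena) {
    Shape* fresh = new Shape{old->numFixedSlots};
    arena.push_back(fresh);
    old->forwarded = true;
    old->newLocation = fresh;
    old->numFixedSlots = kPoisonedSlotCount;
    return fresh;
}

// Trace hook for the debugger object in the two variants the bug contrasts.
// Returns true if the frame's private word was read correctly.
static bool traceDebugger(const DebuggerObject& dbg, bool forwardingAware, uint64_t* priv) {
    const Object& f = *dbg.frameObj;
    uint32_t nfixed = forwardingAware ? f.numFixedSlotsMaybeForwarded() : f.numFixedSlots();
    return readPrivate(f, nfixed, priv);
}

// Scenario: a frame object with 2 fixed slots and a private word whose shape is
// moved by a compacting GC before the debugger's trace hook runs.
struct DemoResult { bool staleOk; bool safeOk; uint64_t safeValue; bool afterUpdateOk; };

static DemoResult runDemo() {
    std::vector<Shape*> arena;
    Shape* shape = new Shape{2};
    arena.push_back(shape);
    Object frame{shape, {11, 22, 0xC0FFEE}}; // constructed: private word at index 2
    DebuggerObject dbg{&frame};
    DemoResult r{};
    uint64_t v = 0;

    relocate(shape, arena);                      // shape moved; frame.shape is now stale
    r.staleOk = traceDebugger(dbg, false, &v);   // numFixedSlots() reads the poison
    r.safeOk = traceDebugger(dbg, true, &v);     // MaybeForwarded() finds the live copy
    r.safeValue = v;

    frame.shape = MaybeForwarded(frame.shape);   // update-pointers phase fixes the owner
    r.afterUpdateOk = traceDebugger(dbg, false, &v);

    for (Shape* s : arena) delete s;
    return r;
}

int main() {
    DemoResult r = runDemo();
    std::printf("stale read ok: %d, forwarding-aware ok: %d (0x%llx), after update ok: %d\n",
                r.staleOk, r.safeOk, (unsigned long long)r.safeValue, r.afterUpdateOk);
    return 0;
}
```

Build with any C++14 compiler and run: the stale variant fails the bounds check (in the real engine this is the point where the assertion in js::Debugger::trace fires), the forwarding-aware variant reads the private word, and once the owner's own shape pointer has been updated the two agree again, which is why the bug only shows up for objects other than the one being traced.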
Updated:
status-firefox60: --- → unaffected
status-firefox61: --- → unaffected
Comment 3:

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4b6c733447b8
Fix assertion failure accessing shape of associated object when tracing debugger object in a moving GC r=sfink
Comment 4 (bugherder):

https://hg.mozilla.org/mozilla-central/rev/4b6c733447b8
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62