Closed
Bug 1473255
Opened 6 years ago
Closed 6 years ago
Assertion failure: cx->realm() == script->realm(), at js/src/vm/Stack.cpp:256 with sameCompartmentAs
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla63
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox61 | --- | unaffected |
| firefox62 | --- | unaffected |
| firefox63 | --- | fixed |
People
(Reporter: decoder, Assigned: jandem)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
4.18 KB,
patch
|
evilpie
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision a0e47ebc4c06 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):
var objs = [{}, {}];
for (var i = 0, sz = objs.length; i < sz; i++) {
var o = objs[i];
of (i + ' ' + o);
}
function of () {
var g = newGlobal({
sameCompartmentAs: this
});
g.f3 = function(x) {}
g.evaluate("function f4(x) { try { return f3(x); } finally { assertCorrectRealm(); } }");
for (var i = 0; i < 110; i++)
g.f4(i);
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000000000cb4cc0 in js::InterpreterFrame::epilogue (this=0x7ffff488b0b0, cx=0x7ffff5f17000, pc=0x7ffff5f02b38 "\231t\v") at js/src/vm/Stack.cpp:256
#0 0x0000000000cb4cc0 in js::InterpreterFrame::epilogue (this=0x7ffff488b0b0, cx=0x7ffff5f17000, pc=0x7ffff5f02b38 "\231t\v") at js/src/vm/Stack.cpp:256
#1 0x00000000005aa6c9 in Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:4445
#2 0x00000000005afdb6 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:423
#3 0x00000000005b035f in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:555
#4 0x00000000005b08bd in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:582
#5 0x00000000005b0a0a in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:588
#6 0x000000000069bc53 in js::jit::DoCallFallback (cx=<optimized out>, frame=0x7fffffffc598, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc530, res=...) at js/src/jit/BaselineIC.cpp:2657
#7 0x000014c7ea8f828c in ?? ()
[...]
rax 0x0 0
rbx 0x7ffff488b0b0 140737295986864
rcx 0x7ffff6c282ad 140737333330605
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffb7b0 140737488336816
rsp 0x7fffffffb6f0 140737488336624
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4780 140737354024832
r10 0x58 88
r11 0x7ffff6b9e7a0 140737332766624
r12 0x7ffff5f17000 140737319628800
r13 0x7fffffffbf30 140737488338736
r14 0x7fffffffb710 140737488336656
r15 0x7ffff5f02b38 140737319545656
rip 0xcb4cc0 <js::InterpreterFrame::epilogue(JSContext*, unsigned char*)+848>
=> 0xcb4cc0 <js::InterpreterFrame::epilogue(JSContext*, unsigned char*)+848>: movl $0x0,0x0
0xcb4ccb <js::InterpreterFrame::epilogue(JSContext*, unsigned char*)+859>: ud2
|
||
Updated•6 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•6 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ebbddded3292
user: Jan de Mooij
date: Tue Jun 26 18:26:39 2018 +0200
summary: Bug 1470904 part 1 - Switch realms before/after scripted calls if needed. r=luke
This iteration took 290.290 seconds to run.
|
Assignee | |
Comment 2•6 years ago
|
||
The interpreter has a cx->leaveRealm call after popping an inline frame, but it also needs to do this after it called into JIT code or if we throw an exception before we finish pushing the inline frame. This patch uses MakeScopeExit for that and adds some asserts.
|
|
Assignee | |
Updated•6 years ago
|
Blocks: same-compartment-realms
|
||
Comment 3•6 years ago
|
||
Comment on attachment 8989731 [details] [diff] [review]
Restore caller realm in the interpreter after calling a JITted function
Review of attachment 8989731 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/vm/Interpreter.cpp
@@ +3250,5 @@
> funScript = fun->nonLazyScript();
>
> if (!activation.pushInlineFrame(args, funScript, construct))
> goto error;
> + leaveRealmGuard.release();
Add a comment about what leaves the frame.
Attachment #8989731 -
Flags: review?(evilpies) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f490048b0495
Restore caller realm in the interpreter after calling a JITted function. r=evilpie
|
||
Comment 5•6 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
|
||
Updated•6 years ago
|
status-firefox61:
--- → unaffected
status-firefox62:
--- → unaffected
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•