Assertion failure: cx->compartment() != untaggedReferent->compartment(), at js/src/vm/Debugger.cpp:5271

RESOLVED FIXED in Firefox 63

Status: RESOLVED FIXED (defect, severity critical)

People: Reporter: decoder, Assigned: jandem

Tracking: Blocks 1 bug, 4 keywords; Version: Trunk; Target Milestone: mozilla63; Platform: x86_64 Linux

Firefox Tracking Flags: firefox-esr52 unaffected, firefox-esr60 unaffected, firefox61 unaffected, firefox62 unaffected, firefox63 fixed

Whiteboard: [jsbugmon:update]

Attachments: 1 attachment

The following testcase crashes on mozilla-central revision cc3401e78e8b (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe min.js):

// Create a new global in the *same* compartment as the current global
// (shell-only option added by the changeset identified by the bisection below).
var g1 = newGlobal({
    sameCompartmentAs: this
});
// The Debugger lives in the current compartment; addDebuggee does not reject
// a debuggee from that same compartment (the missing check fixed by this bug).
var dbg = new Debugger();
var dg1 = dbg.addDebuggee(g1);
// Wrapping the debuggee's scripts trips the cross-compartment assertion in
// js::Debugger::wrapVariantReferent.
var scripts = dbg.findScripts({});


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000b6b0d0 in js::Debugger::wrapVariantReferent<mozilla::Variant<JSScript*, js::WasmInstanceObject*>, JSScript*, js::DebuggerWeakMap<JSScript*, false> > (this=this@entry=0x7ffff5f4c800, cx=cx@entry=0x7ffff5f17000, map=..., key=..., key@entry=..., referent=...) at js/src/vm/Debugger.cpp:5271
#0  0x0000000000b6b0d0 in js::Debugger::wrapVariantReferent<mozilla::Variant<JSScript*, js::WasmInstanceObject*>, JSScript*, js::DebuggerWeakMap<JSScript*, false> > (this=this@entry=0x7ffff5f4c800, cx=cx@entry=0x7ffff5f17000, map=..., key=..., key@entry=..., referent=...) at js/src/vm/Debugger.cpp:5271
#1  0x0000000000b37c89 in js::Debugger::wrapVariantReferent (this=this@entry=0x7ffff5f4c800, cx=0x7ffff5f17000, referent=..., referent@entry=...) at js/src/vm/Debugger.cpp:5304
#2  0x0000000000b38bbd in js::Debugger::wrapScript (this=this@entry=0x7ffff5f4c800, cx=<optimized out>, script=...) at js/src/vm/Debugger.cpp:5320
#3  0x0000000000b3a069 in js::Debugger::findScripts (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:4745
#4  0x00000000005bbc67 in CallJSNative (cx=0x7ffff5f17000, native=0xb39a30 <js::Debugger::findScripts(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:443
#5  0x00000000005b0547 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:531
#6  0x00000000005b0b6d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:582
#7  0x00000000005a3a47 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:588
#8  Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3195
#9  0x00000000005b0066 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:423
#10 0x00000000005b33cd in js::ExecuteKernel (cx=<optimized out>, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:771
#11 0x00000000005b3789 in js::Execute (cx=<optimized out>, cx@entry=0x7ffff5f17000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:804
#12 0x0000000000a39e62 in ExecuteScript (cx=0x7ffff5f17000, scope=scope@entry=..., script=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4656
#13 0x0000000000a4b758 in JS_ExecuteScript (cx=<optimized out>, cx@entry=0x7ffff5f17000, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4689
#14 0x000000000043071e in RunFile (compileOnly=false, file=<optimized out>, filename=<optimized out>, cx=0x7ffff5f17000) at js/src/shell/js.cpp:847
#15 Process (cx=0x7ffff5f17000, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:1317
#16 0x000000000043162f in ProcessArgs (cx=<optimized out>, op=op@entry=0x7fffffffe4d0) at js/src/shell/js.cpp:8593
#17 0x00000000004438e5 in Shell (envp=<optimized out>, op=0x7fffffffe4d0, cx=<optimized out>) at js/src/shell/js.cpp:8983
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9461
rax	0x0	0
rbx	0x7ffff5f4ca28	140737319848488
rcx	0x7ffff6c212dd	140737333301981
rdx	0x0	0
rsi	0x7ffff6ef0770	140737336248176
rdi	0x7ffff6eef540	140737336243520
rbp	0x7fffffffd0b0	140737488343216
rsp	0x7fffffffcfa0	140737488342944
r8	0x7ffff6ef0770	140737336248176
r9	0x7ffff7fe4780	140737354024832
r10	0x58	88
r11	0x7ffff6b977a0	140737332737952
r12	0x7fffffffd198	140737488343448
r13	0x7ffff5f17000	140737319628800
r14	0x7fffffffd108	140737488343304
r15	0x7ffff5f4c800	140737319847936
rip	0xb6b0d0 <js::Debugger::wrapVariantReferent<mozilla::Variant<JSScript*, js::WasmInstanceObject*>, JSScript*, js::DebuggerWeakMap<JSScript*, false> >(JSContext*, js::DebuggerWeakMap<JSScript*, false>&, JS::Handle<js::CrossCompartmentKey>, JS::Handle<mozilla::Variant<JSScript*, js::WasmInstanceObject*> >)+1424>
=> 0xb6b0d0 <js::Debugger::wrapVariantReferent<mozilla::Variant<JSScript*, js::WasmInstanceObject*>, JSScript*, js::DebuggerWeakMap<JSScript*, false> >(JSContext*, js::DebuggerWeakMap<JSScript*, false>&, JS::Handle<js::CrossCompartmentKey>, JS::Handle<mozilla::Variant<JSScript*, js::WasmInstanceObject*> >)+1424>:	movl   $0x0,0x0
   0xb6b0db <js::Debugger::wrapVariantReferent<mozilla::Variant<JSScript*, js::WasmInstanceObject*>, JSScript*, js::DebuggerWeakMap<JSScript*, false> >(JSContext*, js::DebuggerWeakMap<JSScript*, false>&, JS::Handle<js::CrossCompartmentKey>, JS::Handle<mozilla::Variant<JSScript*, js::WasmInstanceObject*> >)+1435>:	ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6bbae91a2eaf
user:        Jan de Mooij
date:        Thu Jun 07 10:02:10 2018 +0200
summary:     Bug 1466501 part 1 - Refactor ZoneSpecifier and add a sameCompartmentAs option to newGlobal in the shell. r=luke

This iteration took 1.300 seconds to run.
Jan, are you looking at this as part of the work on 1357862, or will it be re-assigned to someone else?
Flags: needinfo?(jdemooij)
(In reply to David Durst [:ddurst] (REO for 63) from comment #2)
> Jan, are you looking at this as part of the work on 1357862, or will it be
> re-assigned to someone else?

I'll fix it at some point, but it's not a blocker for 63 because this is not enabled in the browser.
Flags: needinfo?(jdemooij)
We were checking for cross-compartment wrappers in the Debugger constructor, but this patch also fixes addDebuggee and addAllGlobalsAsDebuggees.
Attachment #9001568 - Attachment is obsolete: true
Attachment #9001568 - Attachment is obsolete: false
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Comment on attachment 9001568 [details]
Bug 1473957 - Require debugger and debuggee to be in different compartments. r=jimb

Jim Blandy :jimb has approved the revision.
Attachment #9001568 - Flags: review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/bb1559053685
Require debugger and debuggee to be in different compartments. r=jimb
https://hg.mozilla.org/mozilla-central/rev/bb1559053685
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla63