Closed Bug 1479430 Opened 6 years ago Closed 6 years ago

Assertion failure: cx->realm() == group->realm(), at js/src/vm/TypeInference.cpp:3853

Categories

Product / Component: Core :: JavaScript Engine (defect)
Platform: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
mozilla63
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- unaffected
firefox62 --- unaffected
firefox63 --- fixed

People

(Reporter: decoder, Assigned: jandem)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 0be4463d2915 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-eager --ion-offthread-compile=off):

assertEq = function(a) {
    a.toString();
}
var g = newGlobal({
    sameCompartmentAs: this
});
g.evaluate("function Obj() {}");
assertEq(assertEq(new g.Obj()));


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000d19490 in js::TypeNewScript::maybeAnalyze (this=0x7ffff5fad100, cx=<optimized out>, group=<optimized out>, group@entry=0x7ffff4dbc0d0, regenerate=regenerate@entry=0x0, force=force@entry=true) at js/src/vm/TypeInference.cpp:3853
#0  0x0000000000d19490 in js::TypeNewScript::maybeAnalyze (this=0x7ffff5fad100, cx=<optimized out>, group=<optimized out>, group@entry=0x7ffff4dbc0d0, regenerate=regenerate@entry=0x0, force=force@entry=true) at js/src/vm/TypeInference.cpp:3853
#1  0x00000000007eaecb in js::jit::IonCompile (cx=<optimized out>, cx@entry=0x7ffff5f17000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffbd18, osrPc=osrPc@entry=0x0, recompile=<optimized out>, optimizationLevel=<optimized out>) at js/src/jit/Ion.cpp:2108
#2  0x00000000007eb366 in js::jit::Compile (cx=cx@entry=0x7ffff5f17000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffbd18, osrPc=osrPc@entry=0x0, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2375
#3  0x00000000007ebbc2 in BaselineCanEnterAtEntry (frame=0x7fffffffbd18, script=..., cx=0x7ffff5f17000) at js/src/jit/Ion.cpp:2491
#4  js::jit::IonCompileScriptForBaseline (cx=<optimized out>, frame=0x7fffffffbd18, pc=<optimized out>) at js/src/jit/Ion.cpp:2613
#5  0x0000035a4cca08b2 in ?? ()
#6  0x2000000000000000 in ?? ()
#7  0x00007fffffffbce8 in ?? ()
#8  0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff5fad100	140737320243456
rcx	0x7ffff6c282ad	140737333330605
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffb9b0	140737488337328
rsp	0x7fffffffb7b0	140737488336816
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4780	140737354024832
r10	0x58	88
r11	0x7ffff6b9e7a0	140737332766624
r12	0x1	1
r13	0x7ffff5fad100	140737320243456
r14	0x7fffffffb830	140737488336944
r15	0x7ffff4dbc0d0	140737301430480
rip	0xd19490 <js::TypeNewScript::maybeAnalyze(JSContext*, js::ObjectGroup*, bool*, bool)+2000>
=> 0xd19490 <js::TypeNewScript::maybeAnalyze(JSContext*, js::ObjectGroup*, bool*, bool)+2000>:	movl   $0x0,0x0
   0xd1949b <js::TypeNewScript::maybeAnalyze(JSContext*, js::ObjectGroup*, bool*, bool)+2011>:	ud2
Same-compartment-realms issue. Should be easy to fix, I'll get to it soonish.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ca6490693cad
user:        Jan de Mooij
date:        Tue Jun 26 09:42:06 2018 +0200
summary:     Bug 1470250 part 5 - Use AutoRealm when calling natives or resolve hooks. r=luke

This iteration took 291.500 seconds to run.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #9001556 - Flags: review?(luke)
Comment on attachment 9001556 [details] [diff] [review]
Make sure TypeNewScript::maybeAnalyze is called in the group's realm

Review of attachment 9001556 [details] [diff] [review]:
-----------------------------------------------------------------

(Sorry for the delay; back from PTO)
Attachment #9001556 - Flags: review?(luke) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8695f16b39ed
Make sure TypeNewScript::maybeAnalyze is called in the group's realm. r=luke
(In reply to Luke Wagner [:luke] from comment #4)
> (Sorry for the delay; back from PTO)

No problem, not urgent at all.
https://hg.mozilla.org/mozilla-central/rev/8695f16b39ed
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63