1488163 - Assertion failure: cx->zone() == zone(), at js/src/vm/Shape.cpp:118 with Debugger

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision b75561ff5ffe (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2):

evaluate(`
  var g = newGlobal();
  g.parent = this;
  g.eval(\`
    var dbg = new Debugger(parent);
    dbg.onEnterFrame = frame => {};
  \`);
  lfAsync();
  lfAsync();
  async function lfAsync() {
    function wasmEvalText(str, imports) {}
    function wasmValidateText(str) {}
    function wasmFailValidateText(str, pattern) {}
    function mismatchError(actual, expect) {}
    function jsify(wasmVal) {}
    function _augmentSrc(src, assertions) {}
    function wasmAssert(src, assertions, maybeImports = {}) {}
    function wasmFullPass(text, expected, maybeImports, ...args) {}
    function wasmFullPassI64(text, expected, maybeImports, ...args) {}
    function wasmRunWithDebugger(wast, lib, init, done) {}
  } lfAsync();
`);


Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000000000cf9bc8 in js::Shape::makeOwnBaseShape (this=this@entry=0x7ffff59aec40, cx=cx@entry=0x7ffff5f16000) at js/src/vm/Shape.cpp:118
#1  0x0000000000d0410b in js::Shape::ensureOwnBaseShape (cx=0x7ffff5f16000, this=0x7ffff59aec40) at js/src/vm/Shape.h:804
#2  js::Shape::hashify (cx=cx@entry=0x7ffff5f16000, shape=shape@entry=0x7ffff59aec40) at js/src/vm/Shape.cpp:158
#3  0x0000000000a1279b in js::Shape::maybeCreateTableForLookup (cx=0x7ffff5f16000, this=0x7ffff59aec40) at js/src/vm/Shape-inl.h:65
#4  js::Shape::search<(js::MaybeAdding)0> (cx=0x7ffff5f16000, start=0x7ffff59aec40, id=...) at js/src/vm/Shape-inl.h:93
#5  0x0000000000bd5cab in js::NativeObject::lookup (name=<optimized out>, cx=0x7ffff5f16000, this=0x7ffff5a00ec0) at js/src/vm/NativeObject.h:854
#6  js::GetGeneratorObjectForFrame (cx=0x7ffff5f16000, frame=...) at js/src/vm/GeneratorObject.cpp:110
#7  0x0000000000b805d8 in js::Debugger::fireEnterFrame (this=this@entry=0x7ffff5f70800, cx=<optimized out>, cx@entry=0x7ffff5f16000, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1827
#8  0x0000000000b80cec in js::Debugger::<lambda(js::Debugger*)>::operator() (dbg=0x7ffff5f70800, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:870
#9  js::Debugger::dispatchHook<js::Debugger::slowPathOnEnterFrame(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)>, js::Debugger::slowPathOnEnterFrame(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)> > (fireHook=..., hookIsEnabled=..., cx=0x7ffff5f16000) at js/src/vm/Debugger.cpp:1921
#10 js::Debugger::slowPathOnEnterFrame (cx=cx@entry=0x7ffff5f16000, frame=...) at js/src/vm/Debugger.cpp:871
#11 0x00000000005e7bbb in js::Debugger::onEnterFrame (cx=0x7ffff5f16000, frame=...) at js/src/vm/Debugger-inl.h:51
#12 0x00000000005d19b8 in Interpret (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:4315
#13 0x00000000005def86 in js::RunScript (cx=0x7ffff5f16000, state=...) at js/src/vm/Interpreter.cpp:429
#14 0x00000000005df52f in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f16000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:561
#15 0x00000000005dfa8d in InternalCall (cx=cx@entry=0x7ffff5f16000, args=...) at js/src/vm/Interpreter.cpp:588
#16 0x00000000005dfc10 in js::Call (cx=cx@entry=0x7ffff5f16000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:607
#17 0x0000000000ce7b92 in js::CallSelfHostedFunction (cx=0x7ffff5f16000, name=..., name@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/SelfHosting.cpp:1853
#18 0x0000000000b1938e in AsyncFunctionResume (cx=<optimized out>, cx@entry=0x7ffff5f16000, resultPromise=resultPromise@entry=..., generatorVal=..., generatorVal@entry=..., kind=kind@entry=ResumeKind::Normal, valueOrReason=...) at js/src/vm/AsyncFunction.cpp:186
#19 0x0000000000b23aca in AsyncFunctionStart (generatorVal=..., resultPromise=..., cx=0x7ffff5f16000) at js/src/vm/AsyncFunction.cpp:199
#20 WrappedAsyncFunction (cx=0x7ffff5f16000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/AsyncFunction.cpp:86
#21 0x00000000005ead01 in CallJSNative (cx=0x7ffff5f16000, native=0xb23760 <WrappedAsyncFunction(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:449
[...]
#32 0x000000000046c237 in Evaluate (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:2053
#33 0x00000000005ead01 in CallJSNative (cx=0x7ffff5f16000, native=0x46b6e0 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:449
[...]
#47 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9967
rax	0x0	0
rbx	0x7ffff5f16000	140737319624704
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffa590	140737488332176
rsp	0x7fffffffa570	140737488332144
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6780	140737354033024
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7ffff59aec40	140737313958976
r13	0x7ffff5523000	140737309192192
r14	0x0	0
r15	0x7ffff5f16000	140737319624704
rip	0xcf9bc8 <js::Shape::makeOwnBaseShape(JSContext*)+424>
=> 0xcf9bc8 <js::Shape::makeOwnBaseShape(JSContext*)+424>:	movl   $0x0,0x0
   0xcf9bd3 <js::Shape::makeOwnBaseShape(JSContext*)+435>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/87509a363c9e
user:        Jason Orendorff
date:        Wed Aug 15 15:09:30 2018 -0500
summary:     Bug 1475417 - Part 2: Fire onEnterFrame when resuming a generator or async function. r=jandem, r=jimb

This iteration took 289.781 seconds to run.

Comment 2

[Jason Orendorff [:jorendorff]]

Attachment: Bug 1488163 - Fix an compartment assertion that failed while evaluating another assertion. r?jimb

Comment 3

[Jim Blandy :jimb]

Comment on attachment 9007337 [details]
Bug 1488163 - Fix an compartment assertion that failed while evaluating another assertion. r?jimb

Jim Blandy :jimb has approved the revision.

Comment 4

[Pascal Chevrel:pascalc (PTO until April 26)]

Jason, when you land your patch, could you evaluate if an uplift to beta is required? Thanks

Comment 5

[Pulsebot]

Pushed by jorendorff@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a577413d62ba
Fix an compartment assertion that failed while evaluating another assertion. r=jimb

Comment 6

[Jason Orendorff [:jorendorff]]

Comment on attachment 9007337 [details]
Bug 1488163 - Fix an compartment assertion that failed while evaluating another assertion. r?jimb

Approval Request Comment
[Feature/Bug causing the regression]: Bug 1475417
[User impact if declined]: Crashes after debugging code that uses async functions.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: No.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None. (Beta is the only remaining branch affected.)
[Is the change risky?]: No.
[Why is the change risky/not risky?]: The bug is well understood--it was just a mistake--and the fix is a tiny patch, also well understood.
[String changes made/needed]: None.

Comment 7

[Arthur Iakab [arthur_iakab]]

https://hg.mozilla.org/mozilla-central/rev/a577413d62ba

Comment 8

[Pascal Chevrel:pascalc (PTO until April 26)]

Comment on attachment 9007337 [details]
Bug 1488163 - Fix an compartment assertion that failed while evaluating another assertion. r?jimb

Uplift approved for 63 beta 8, thanks.

Comment 9

[Narcis Beleuzu [:NarcisB]]

https://hg.mozilla.org/releases/mozilla-beta/rev/71b13044d9c4