Closed
Bug 1501502
Opened 5 years ago
Closed 5 years ago
Assertion failure: IsObjectValueInCompartment(v, compartment()), at js/src/vm/NativeObject.h:1040 with ReadableStream
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla65
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox63 | --- | disabled |
| firefox64 | --- | disabled |
| firefox65 | --- | fixed |
People
(Reporter: decoder, Assigned: jorendorff)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
The following testcase crashes on mozilla-central revision 6e96c7ec0d11 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --enable-streams --ion-offthread-compile=off):
otherGlobal = newGlobal();
OtherReadableStream = otherGlobal.ReadableStream;
let chunk = {};
otherStream = new OtherReadableStream({
start(c) {
otherController = c;
},
});
stream = new ReadableStream({
start(c) {
controller = c;
}
}, {
size() {}
});
otherController.enqueue.call(controller, chunk);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555558241f8 in js::NativeObject::checkStoredValue (this=0x7ffff4e00990, v=...) at js/src/vm/NativeObject.h:1040
#1 0x0000555555a01ad8 in js::NativeObject::setFixedSlot (this=0x7ffff4e00990, slot=3, value=...) at js/src/vm/NativeObject.h:1135
#2 0x0000555555ca1900 in ReadableStreamErrorInternal (cx=<optimized out>, stream=stream@entry=..., e=...) at js/src/builtin/Stream.cpp:1840
#3 0x0000555555ca510f in ReadableStreamControllerError (cx=<optimized out>, controller=..., e=...) at js/src/builtin/Stream.cpp:3403
#4 0x0000555555ca5297 in ReadableStreamDefaultControllerErrorIfNeeded (cx=<optimized out>, controller=controller@entry=..., e=e@entry=...) at js/src/builtin/Stream.cpp:3424
#5 0x0000555555cb2a12 in ReadableStreamDefaultControllerEnqueue (cx=<optimized out>, cx@entry=0x7ffff5f18000, controller=controller@entry=..., chunk=...) at js/src/builtin/Stream.cpp:3350
#6 0x0000555555cb3445 in ReadableStreamDefaultController_enqueue_impl (cx=cx@entry=0x7ffff5f18000, args=...) at js/src/builtin/Stream.cpp:2814
#7 0x0000555555cb35fe in JS::CallNonGenericMethod<IsMaybeWrapped<js::ReadableStreamDefaultController>, ReadableStreamDefaultController_enqueue_impl> (args=..., cx=0x7ffff5f18000) at dist/include/js/CallNonGenericMethod.h:101
#8 ReadableStreamDefaultController_enqueue (cx=0x7ffff5f18000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Stream.cpp:2828
#9 0x000055555596cc05 in CallJSNative (cx=0x7ffff5f18000, native=0x555555cb3530 <ReadableStreamDefaultController_enqueue(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:468
#10 0x000055555595f327 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f18000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:560
#11 0x000055555595f94d in InternalCall (cx=cx@entry=0x7ffff5f18000, args=...) at js/src/vm/Interpreter.cpp:614
#12 0x000055555595fad0 in js::Call (cx=cx@entry=0x7ffff5f18000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:633
#13 0x0000555555fdf794 in js::fun_call (cx=0x7ffff5f18000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/JSFunction.cpp:1310
#14 0x000055555596cc05 in CallJSNative (cx=0x7ffff5f18000, native=0x555555fdf4f0 <js::fun_call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:468
#15 0x000055555595f327 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f18000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:560
#16 0x000055555595f94d in InternalCall (cx=cx@entry=0x7ffff5f18000, args=...) at js/src/vm/Interpreter.cpp:614
#17 0x000055555595fad0 in js::Call (cx=cx@entry=0x7ffff5f18000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:633
#18 0x0000555555ea6e15 in js::ForwardingProxyHandler::call (this=<optimized out>, cx=0x7ffff5f18000, proxy=..., args=...) at js/src/proxy/Wrapper.cpp:178
#19 0x0000555555e918c3 in js::CrossCompartmentWrapper::call (this=0x5555577bc790 <js::CrossCompartmentWrapper::singleton>, cx=<optimized out>, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:355
#20 0x0000555555e9eba5 in js::Proxy::call (cx=0x7ffff5f18000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:560
#21 0x000055555595f7ae in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f18000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:535
#22 0x000055555595f94d in InternalCall (cx=0x7ffff5f18000, args=...) at js/src/vm/Interpreter.cpp:614
#23 0x0000555555951fec in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:620
#24 Interpret (cx=0x7ffff5f18000, state=...) at js/src/vm/Interpreter.cpp:3462
#25 0x000055555595ee46 in js::RunScript (cx=0x7ffff5f18000, state=...) at js/src/vm/Interpreter.cpp:447
[...]
#34 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10947
rax 0x0 0
rbx 0x7ffff4e00990 140737301711248
rcx 0x7ffff6c1c2dd 140737333281501
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffbde0 140737488338400
rsp 0x7fffffffbdc0 140737488338368
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6cc0 140737354034368
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x7ffff4810980 140737295485312
r13 0x7fffffffc1a0 140737488339360
r14 0x7fffffffc1a0 140737488339360
r15 0x0 0
rip 0x5555558241f8 <js::NativeObject::checkStoredValue(JS::Value const&)+344>
=> 0x5555558241f8 <js::NativeObject::checkStoredValue(JS::Value const&)+344>: movl $0x0,0x0
0x555555824203 <js::NativeObject::checkStoredValue(JS::Value const&)+355>: ud2
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → jorendorff
Blocks: streams-enable
|
|
Assignee | |
Updated•5 years ago
|
Blocks: streams-meta
|
|
Assignee | |
Updated•5 years ago
|
Priority: -- → P1
|
|
Assignee | |
Comment 1•5 years ago
|
||
|
|
Assignee | |
Comment 2•5 years ago
|
||
Ted, another approach to this would have been: just make the patch for bug 1503718 and see if it shakes out. I think it would have. But I'm guessing that will shake out a satisfying amount of stuff regardless, and I want to knock out the easy stuff independently and try to flip the pref.
Pushed by jorendorff@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2a3a7c533bc0 Assertion failure: IsObjectValueInCompartment(v, compartment()) with bogus queuing strategy object. r=tcampbell
|
||
Comment 4•5 years ago
|
||
Backed out changeset 2a3a7c533bc0 (Bug 1501502) for spidermonkey bustages on non262/ReadableStream/bug-1501502.js CLOSED TREE Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassified&selectedJob=209542251&revision=2a3a7c533bc0a897051fe31e9fd85c2f7764e43f Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=209542251&repo=autoland&lineNumber=203045 Backout: https://hg.mozilla.org/integration/autoland/rev/7f054082806036d22e2fe7899a6be66e7706c515
Flags: needinfo?(jorendorff)
Pushed by jorendorff@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d29131a84168 Assertion failure: IsObjectValueInCompartment(v, compartment()) with bogus queuing strategy object. r=tcampbell
|
|
Assignee | |
Updated•5 years ago
|
Flags: needinfo?(jorendorff)
|
||
Comment 6•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/d29131a84168
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox65:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
|
||
Updated•5 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•