Closed Bug 1508966 Opened 7 years ago Closed 7 years ago

Hit MOZ_CRASH(*** Compartment mismatch 0x7ffff5f2e200 vs. 0x7ffff49e6280 at argument 0) at js/src/vm/JSContext-inl.h:56 with newGlobal and envChainObject

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1426385
Tracking Status
firefox65 --- wontfix

People

(Reporter: decoder, Unassigned)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

The following testcase crashes on mozilla-central revision eeddcefcdad8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var global = newGlobal();
evaluate("unescape();", this);
function envChainObject() {};

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0 MOZ_CrashOOL (aReason=0x555557b4f4a0 <sPrintfCrashReason> "*** Compartment mismatch 0x7ffff5f2e200 vs. 0x7ffff49e6280 at argument 0", aLine=56, aFilename=0x555556a51320 "js/src/vm/JSContext-inl.h") at dist/include/mozilla/Assertions.h:311
#1 MOZ_CrashPrintf (aFilename=aFilename@entry=0x555556a51320 "js/src/vm/JSContext-inl.h", aLine=aLine@entry=56, aFormat=aFormat@entry=0x555556a5d238 "*** Compartment mismatch %p vs. %p at argument %d") at mfbt/Assertions.cpp:50
#2 0x000055555589bef6 in js::ContextChecks::fail (argIndex=0, c2=<optimized out>, c1=<optimized out>) at js/src/vm/JSContext-inl.h:55
#3 js::ContextChecks::check (this=this@entry=0x7fffffffc260, c=<optimized out>, argIndex=argIndex@entry=0) at js/src/vm/JSContext-inl.h:71
#4 0x00005555558bf325 in js::ContextChecks::check (argIndex=0, c=<optimized out>, this=0x7fffffffc260) at js/src/vm/JSContext-inl.h:70
#5 js::ContextChecks::check (this=this@entry=0x7fffffffc260, obj=<optimized out>, argIndex=argIndex@entry=0) at js/src/vm/JSContext-inl.h:85
#6 0x00005555559f6715 in JSContext::checkImpl<JS::MutableHandle<JSObject*>>(int, JS::MutableHandle<JSObject*> const&) (head=..., argIndex=0, this=<optimized out>) at js/src/vm/JSContext-inl.h:208
#7 JSContext::check<JS::MutableHandle<JSObject*> > (this=<optimized out>) at js/src/vm/JSContext-inl.h:217
#8 js::CreateObjectsForEnvironmentChain (cx=<optimized out>, chain=..., terminatingEnv=..., envObj=...) at js/src/vm/EnvironmentObject.cpp:3408
#9 0x00005555559f6a45 in js::CreateNonSyntacticEnvironmentChain (cx=<optimized out>, envChain=..., env=..., scope=scope@entry=...) at js/src/vm/EnvironmentObject.cpp:930
#10 0x00005555559b07eb in ExecuteScript (cx=<optimized out>, envChain=..., scriptArg=..., rval=0x7ffff483c090) at js/src/vm/CompilationAndEvaluation.cpp:473
#11 0x000055555582d607 in Evaluate (cx=<optimized out>, cx@entry=0x7ffff5f18000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:2228
[...]
#26 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11420

rip 0x5555557f0d2b <MOZ_CrashPrintf(char const*, int, char const*, ...)+286>
=> 0x5555557f0d2b <MOZ_CrashPrintf(char const*, int, char const*, ...)+286>: movl $0x0,0x0
   0x5555557f0d36 <MOZ_CrashPrintf(char const*, int, char const*, ...)+297>: ud2

I assume this is shell-only because the envChainObject function has to be called exactly that way and afaik that is a shell-only argument to evaluate normally.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/40aafceb5e48
user: Andrew McCreight
date: Mon Aug 07 16:35:43 2017 -0700
summary: Bug 1388191 - Add way to test evaluation with envChain in the shell. r=jorendorff

This iteration took 1.408 seconds to run.
Not sure if bug 1388191 is the real regressor here, is it?
Blocks: 1388191
Flags: needinfo?(continuation)
Wait, or perhaps bug 1426385 or bug 1406153 are related?
Flags: needinfo?(tcampbell)
Yeah, dupe of Bug 1426385. Shell-only, but I should probably add a spot fix because I apparently never finished my rewrite.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(tcampbell)
Flags: needinfo?(continuation)
Resolution: --- → DUPLICATE