Hit MOZ_CRASH(*** Realm mismatch 0x7ffff5f7c800 vs. 0x7ffff5f8e800 at argument 0) at js/src/vm/JSContext-inl.h:42 with dis

RESOLVED FIXED in Firefox 66

Status: RESOLVED FIXED (defect, severity critical)

People: Reporter: decoder, Assigned: jandem

Tracking: Blocks 1 bug, 5 keywords; Version: Trunk; Target Milestone: mozilla66; Platform: x86_64 Linux

Firefox Tracking Flags: firefox-esr60 unaffected, firefox64 unaffected, firefox65 unaffected, firefox66 fixed

Whiteboard: [jsbugmon:update]

Attachments: 1 attachment

(Reporter)

Description

4 months ago

The following testcase crashes on mozilla-central revision edca8877b050 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2):

const low = newGlobal();
low.eval(`function f() { 
     y();
}`);
f = low.f;
dis(f);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0 MOZ_CrashOOL (aReason=0x555557bf52a0 <sPrintfCrashReason> "*** Realm mismatch 0x7ffff5f7c800 vs. 0x7ffff5f8e800 at argument 0", aLine=42, aFilename=0x555556ad12a0 "js/src/vm/JSContext-inl.h") at dist/include/mozilla/Assertions.h:314
#1 MOZ_CrashPrintf (aFilename=aFilename@entry=0x555556ad12a0 "js/src/vm/JSContext-inl.h", aLine=aLine@entry=42, aFormat=aFormat@entry=0x555556afebf8 "*** Realm mismatch %p vs. %p at argument %d") at mfbt/Assertions.cpp:53
#2 0x00005555559f3ade in js::ContextChecks::fail (argIndex=0, r2=<optimized out>, r1=<optimized out>) at js/src/vm/JSContext-inl.h:41
#3 js::ContextChecks::check (argIndex=0, r=<optimized out>, this=<optimized out>) at js/src/vm/JSContext-inl.h:55
#4 js::ContextChecks::check (argIndex=0, script=<optimized out>, this=<optimized out>) at js/src/vm/JSContext-inl.h:164
#5 JSContext::checkImpl<JS::Rooted<JSScript*>>(int, JS::Rooted<JSScript*> const&) (head=..., argIndex=0, this=0x7ffff5f19000) at js/src/vm/JSContext-inl.h:191
#6 JSContext::check<JS::Rooted<JSScript*> > (this=0x7ffff5f19000, args#0=...) at js/src/vm/JSContext-inl.h:199
#7 0x00005555559e16b3 in (anonymous namespace)::ExpressionDecompiler::init (this=0x7fffffffc120) at js/src/vm/BytecodeUtil.cpp:2128
#8 DecompileAtPCForStackDump (cx=<optimized out>, script=..., offsetAndDefIndex=..., sp=0x7fffffffc700) at js/src/vm/BytecodeUtil.cpp:2194
#9 0x00005555559e18f9 in <lambda()>::operator()(void) const (__closure=0x7fffffffc2d0) at js/src/vm/BytecodeUtil.cpp:1372
#10 0x00005555559e5c00 in Disassemble1 (cx=<optimized out>, script=..., pc=<optimized out>, pc@entry=0x7ffff57ff658 "\232", loc=<optimized out>, lines=lines@entry=false, parser=<optimized out>, parser@entry=0x7fffffffc440, sp=<optimized out>) at js/src/vm/BytecodeUtil.cpp:1607
#11 0x00005555559e6fff in DisassembleAtPC (cx=<optimized out>, scriptArg=<optimized out>, lines=<optimized out>, pc=<optimized out>, showAll=false, sp=0x7fffffffc700, showAll=false) at js/src/vm/BytecodeUtil.cpp:1094
#12 0x0000555555859f6a in DisassembleScript (cx=<optimized out>, script=..., fun=..., lines=<optimized out>, recursive=<optimized out>, sourceNotes=true, sp=0x7fffffffc700) at js/src/shell/js.cpp:3239
#13 0x000055555585a992 in DisassembleToSprinter (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>, sprinter=0x7fffffffc700) at js/src/shell/js.cpp:3363
#14 0x000055555585acd1 in Disassemble (cx=cx@entry=0x7ffff5f19000, argc=<optimized out>, vp=0x7ffff57d20a0) at js/src/shell/js.cpp:3404
#15 0x00005555559018f9 in CallJSNative (cx=0x7ffff5f19000, native=0x55555585ac30 <Disassemble(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:444
[...]
#29 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11327

Very likely a shell-only problem with the Disassemble native function.

Updated

4 months ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

4 months ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/450b8f0cbb4e
user:        Jan de Mooij
date:        Sat Jan 12 10:48:00 2019 +0000
summary:     Bug 1518753 part 1 - Add --more-compartments JS shell flag, make same-compartment the default for newGlobal. r=jorendorff

This iteration took 532.443 seconds to run.
(Assignee)

Updated

4 months ago
Flags: needinfo?(jdemooij)
(Assignee)

Comment 3

4 months ago

Yeah, shell-only issue with dis().

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)

Comment 4

4 months ago
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a8031a63f597
Enter the script's realm in DecompileAtPCForStackDump. r=arai
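The failure mode behind the testcase in the description and the fix in this push, as an added example that is not code from the bug or from SpiderMonkey: a toy C++ model in which a context tracks the realm it has entered, an argument check (standing in for js::ContextChecks::check, the frame that crashes in the backtrace) rejects a script from a different realm, and the fix is an RAII guard in the spirit of js::AutoRealm that enters the script's realm before the check runs. All type and function names (Realm, Script, Context, AutoRealm, checkRealm, decompileBuggy, decompileFixed, replayTestcase) are hypothetical.

```cpp
#include <stdexcept>
#include <string>

// Hypothetical toy model, not the engine's real types. A Context tracks the
// realm it has entered; every argument handed to an engine function must
// belong to that realm, otherwise the per-argument check aborts.
struct Realm   { const char* name; };
struct Script  { Realm* realm; const char* source; };
struct Context { Realm* realm; };

// Stands in for js::ContextChecks::check: the MOZ_CRASH in the backtrace fires here.
void checkRealm(const Context& cx, const Script& script, int argIndex) {
    if (script.realm != cx.realm) {
        throw std::runtime_error("*** Realm mismatch at argument " +
                                 std::to_string(argIndex));
    }
}

// RAII guard in the spirit of js::AutoRealm: enter a realm, restore the old one on exit.
class AutoRealm {
    Context& cx_;
    Realm* saved_;
public:
    AutoRealm(Context& cx, Realm* target) : cx_(cx), saved_(cx.realm) { cx_.realm = target; }
    ~AutoRealm() { cx_.realm = saved_; }
};

// Before the fix: the decompiler uses a script from another realm without
// entering it, so the check trips whenever cx.realm != script.realm.
std::string decompileBuggy(Context& cx, const Script& script) {
    checkRealm(cx, script, 0);
    return std::string("decompiled: ") + script.source;
}

// After the fix: enter the script's realm first, then run the same check.
std::string decompileFixed(Context& cx, const Script& script) {
    AutoRealm ar(cx, script.realm);
    checkRealm(cx, script, 0);
    return std::string("decompiled: ") + script.source;
}

// Replays the testcase: f lives in the "low" global's realm while dis(f) runs
// with the top-level realm entered. Returns 1 if the realm check fired,
// 2 if the realm was not restored afterwards, 0 if decompilation succeeded.
int replayTestcase(bool useFix) {
    Realm top{"top"}, low{"low"};
    Script f{&low, "function f() { y(); }"};
    Context cx{&top};
    auto fn = useFix ? &decompileFixed : &decompileBuggy;
    try { fn(cx, f); } catch (const std::runtime_error&) { return 1; }
    return cx.realm == &top ? 0 : 2;
}
```

The same scenario is what newGlobal() produces once same-compartment globals became the default (the bisected changeset): the function is in the same compartment but a different realm, so nothing about the object itself looks foreign until the realm check runs.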

Comment 5

4 months ago
bugherder
Status: ASSIGNED → RESOLVED
Last Resolved: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66