Closed Bug 1521001 Opened 5 years ago Closed 5 years ago

Crash [@ JSObject::compartment] or Assertion failure: gc::IsCellPointerValid(value.toGCThing()), at js/src/jit/x86-shared/Assembler-x86-shared.cpp:55

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1519140
Tracking Flags:
Tracking Status
firefox66 --- fixed

People

(Reporter: gkw, Unassigned)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update][adv-main66-])

Attachments

(2 files)

Detailed Crash Information
8.97 KB, text/plain
Details
Opt shell stack
3.18 KB, text/plain
Details

The following testcase crashes on mozilla-central revision 081c6ac45c5d (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

// jsfunfuzz-generated
options("strict_mode");
try {
    Function `Object.e(this, '')`()
} catch {}
for (v of [0]) {
    schedulegc(this);
}
try {
    // Adapted from randomly chosen test: js/src/jit-test/tests/gc/bug-1515993.js
    Function(`
        var g = newGlobal({
            newCompartment: true
        });
        var dbg = Debugger(g);
        var topLevel;
        dbg.onNewScript = function(s) {
            topLevel = s;
        }
        g.eval('import(1);');
        gczeal(14, 10);
        Object.defineProperty(this, '', {});
    `)();
} catch (e) {}
gczeal(0);
gcslice(1);

Backtrace:

#0 js::jit::AssemblerX86Shared::TraceDataRelocations (trc=0x7f24ad41d668, code=0x1461d48dc038, reader=...) at js/src/jit/x86-shared/Assembler-x86-shared.cpp:54
#1 0x000055d6adae317e in js::jit::JitCode::traceChildren (this=0x1461d48dc038, trc=0x7f24ad41d668) at js/src/jit/Ion.cpp:710
#2 0x000055d6ad817449 in js::GCMarker::processMarkStackTop (this=0x7f24ad41d668, budget=...) at js/src/gc/Marking.cpp:1746
#3 0x000055d6ad7dec6c in js::GCMarker::markUntilBudgetExhausted (this=0x7f24ad41d668, budget=...) at js/src/gc/Marking.cpp:1628
#4 0x000055d6ad809e30 in js::gc::GCRuntime::drainMarkStack (this=<optimized out>) at js/src/gc/GC.cpp:5889
/snip

For detailed crash information, see attachment.

Setting s-s because this is a GC assert. Also crashes opt shells at JSObject::compartment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/85c9dc639077
user: Jon Coppeard
date: Thu Jan 03 10:06:00 2019 +0000
summary: Bug 1342012 - Store a CCW to the introuction script's script source object r=jandem

Jon, is bug 1342012 a likely regressor?

Blocks: 1342012
Flags: needinfo?(jcoppeard)
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main66-]
Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: