Closed Bug 1522314 Opened 8 months ago Closed 8 months ago

Assertion failure: comp->invisibleToDebugger() == invisibleToDebugger, at js/src/gc/GC.cpp:7955

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- fixed
firefox67 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 4f1ff0e34dd5 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// jsfunfuzz-generated
evalcx("\
        evalcx(\")\")\
    ", newGlobal({
        // Adapted from randomly chosen test: js/src/jit-test/tests/basic/testThrowWhileWrappingException.js
        sameZoneAs: this,
        invisibleToDebugger: true
    })
)

Backtrace:

#0 js::NewRealm (cx=0x7fec3c519000, principals=0x0, options=...) at js/src/gc/GC.cpp:7955
#1 0x000055929ef87108 in js::GlobalObject::new_ (cx=0x7fec3c519000, clasp=0x55929ffa9168 <sandbox_class>, principals=0x0, hookOption=JS::DontFireOnNewGlobalHook, options=...) at js/src/vm/GlobalObject.cpp:561
#2 0x000055929ecd5294 in NewSandbox (cx=<optimized out>, lazy=<optimized out>) at js/src/shell/js.cpp:3778
#3 EvalInContext (cx=0x7fec3c519000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:3842
#4 0x000055929ed7e6e0 in CallJSNative (cx=0x7fec3c519000, native=0x55929ecd4e80 <EvalInContext(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:441
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6ec84030fb70
user: Jan de Mooij
date: Tue Jan 15 20:03:43 2019 +0000
summary: Bug 1520093 - Make evalcx work with same-compartment realms. r=jorendorff

Jan, is bug 1520093 a likely regressor?

Blocks: 1520093
Flags: needinfo?(jdemooij)

Sigh, I hate the evalcx shell function.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a87b310b7be6
Apply realm checks for newGlobal() also to evalcx(). r=jorendorff
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
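The assertion in the summary (`comp->invisibleToDebugger() == invisibleToDebugger` in NewRealm) encodes an invariant: a compartment carries the debugger-visibility flag once, so every realm placed into an existing compartment must be created with the same flag. newGlobal() validated its options before reaching NewRealm(); evalcx() did not, and the fix above routes it through the same check. The following C++ model is an added illustration, not SpiderMonkey code or the patch itself: `Compartment`, `RealmOptions`, `CheckRealmOptions` and `CreateGlobal` are hypothetical names, `sameCompartmentAs` stands in for the shell's `sameZoneAs` reuse, and `ReplayTestcase` mirrors the shape of the fuzzer input (a visible outer global, then a second global in the same compartment marked invisible).

```cpp
// Added illustration (not SpiderMonkey code): models the invariant behind
// "comp->invisibleToDebugger() == invisibleToDebugger" and the option check
// that newGlobal() already had and that the fix extends to evalcx().
#include <cassert>
#include <memory>
#include <string>
#include <vector>

// A compartment stores the debugger-visibility flag once for all its realms.
struct Compartment {
    bool invisibleToDebugger;
    int realmCount = 0;
    explicit Compartment(bool invisible) : invisibleToDebugger(invisible) {}
};

// Hypothetical option set: reuse an existing compartment or create a new one.
struct RealmOptions {
    Compartment* sameCompartmentAs = nullptr;  // stands in for the shell's sameZoneAs
    bool invisibleToDebugger = false;
};

struct CreateResult {
    Compartment* compartment = nullptr;  // nullptr when creation was refused
    std::string error;                   // empty on success
};

// Runtime-owned compartments; a realm is modelled as a counter bump.
struct Runtime {
    std::vector<std::unique_ptr<Compartment>> compartments;
};

// Model of NewRealm(): it expects validated options, so a mismatch here is a
// caller bug, which is exactly what the assertion in GC.cpp encodes.
static Compartment* NewRealmModel(Runtime& rt, const RealmOptions& opts) {
    Compartment* comp = opts.sameCompartmentAs;
    if (comp) {
        assert(comp->invisibleToDebugger == opts.invisibleToDebugger);
    } else {
        rt.compartments.push_back(std::make_unique<Compartment>(opts.invisibleToDebugger));
        comp = rt.compartments.back().get();
    }
    comp->realmCount++;
    return comp;
}

// The validation newGlobal() performs before calling NewRealm(). The fix on
// this bug makes evalcx() go through the same check instead of handing
// inconsistent options straight to the engine.
static bool CheckRealmOptions(const RealmOptions& opts, std::string& error) {
    if (opts.sameCompartmentAs &&
        opts.sameCompartmentAs->invisibleToDebugger != opts.invisibleToDebugger) {
        error = "invisibleToDebugger option must match the existing compartment";
        return false;
    }
    return true;
}

// Shared entry point for both shell functions in this model: a bad option set
// surfaces as an error to the caller, never as an engine assertion.
static CreateResult CreateGlobal(Runtime& rt, const RealmOptions& opts) {
    CreateResult result;
    if (!CheckRealmOptions(opts, result.error)) {
        return result;
    }
    result.compartment = NewRealmModel(rt, opts);
    return result;
}

// Replays the shape of the testcase: an outer global visible to the debugger,
// then a second global placed in the same compartment but marked invisible.
// Returns true when the mismatch is refused (the fixed behaviour).
static bool ReplayTestcase(Runtime& rt) {
    CreateResult outer = CreateGlobal(rt, RealmOptions{});
    RealmOptions inner;
    inner.sameCompartmentAs = outer.compartment;
    inner.invisibleToDebugger = true;
    CreateResult second = CreateGlobal(rt, inner);
    return second.compartment == nullptr;
}

int main() {
    Runtime rt;
    ReplayTestcase(rt);
    return 0;
}
```

The design point is where the check lives: the engine keeps its assertion as a debug-build tripwire, and every front-end that can construct a realm (here both hypothetical shell entry points share `CreateGlobal`) rejects inconsistent options before calling in, so fuzzer-driven or scripted input produces a JS error rather than an abort.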

Would you like to request uplift to beta? We are still early in beta 66 so it might be good to get in.

Flags: needinfo?(jdemooij)

Comment on attachment 9038827 [details]
Bug 1522314 - Apply realm checks for newGlobal() also to evalcx(). r?jorendorff!

This is only a problem in the JS shell and doesn't affect the browser at all.

Requesting approval because it might help fuzzing or future test uplifts and is very low risk.

Flags: needinfo?(jdemooij)
Attachment #9038827 - Flags: approval-mozilla-beta?

Comment on attachment 9038827 [details]
Bug 1522314 - Apply realm checks for newGlobal() also to evalcx(). r?jorendorff!

Fix for assertion, should help in future beta fuzzing.
OK to uplift for beta 6.

Attachment #9038827 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: in-testsuite+