Closed Bug 1533927 Opened 6 years ago Closed 6 years ago

Assertion failure: heap == gc::TenuredHeap, at js/src/vm/JSObject.cpp:4288

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected
firefox67 --- verified

People

(Reporter: decoder, Assigned: jonco)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect])

The following testcase crashes on mozilla-central revision 54ed5eac2abc (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

function testX() {
  "use strict";
  var x = 2;
  eval("function actX(action) {} actX;");
  var global3 = testX();
}
var resultsX = testX();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  JSObject::debugCheckNewObject (group=0x21a87158aa60, shape=0x21a8715b6fb0, allocKind=<optimized out>, heap=heap@entry=js::gc::DefaultHeap) at js/src/vm/JSObject.cpp:4287
#1  0x00005555559d5bef in js::NativeObject::create (cx=0x7ffff5f17000, kind=<optimized out>, heap=js::gc::DefaultHeap, shape=..., group=...) at js/src/vm/NativeObject-inl.h:482
#2  0x0000555555ab93a6 in js::VarEnvironmentObject::create (cx=<optimized out>, shape=shape@entry=..., enclosing=enclosing@entry=..., heap=heap@entry=js::gc::DefaultHeap) at js/src/vm/EnvironmentObject.cpp:253
#3  0x0000555555abb98a in js::VarEnvironmentObject::create (cx=<optimized out>, cx@entry=0x7ffff5f17000, scope=..., frame=...) at js/src/vm/EnvironmentObject.cpp:288
#4  0x0000555555abbcb3 in js::PushVarEnvironmentObject (cx=cx@entry=0x7ffff5f17000, scope=..., frame=...) at js/src/vm/EnvironmentObject.cpp:3704
#5  0x0000555555c9381e in js::InterpreterFrame::pushVarEnvironment (this=<optimized out>, cx=0x7ffff5f17000, scope=...) at js/src/vm/Stack.cpp:286
#6  0x00005555558e33fa in Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3993
#7  0x00005555558e9e66 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:420
#8  0x00005555558ed50d in js::ExecuteKernel (cx=<optimized out>, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffeea638) at js/src/vm/Interpreter.cpp:779
#9  0x0000555555929fa8 in js::DirectEvalStringFromIon (cx=<optimized out>, env=..., callerScript=..., newTargetValue=..., str=..., pc=<optimized out>, vp=...) at js/src/builtin/Eval.cpp:414
#10 0x000020157f797088 in ?? ()
#11 0x00007fffffeea638 in ?? ()
#12 0x00007fffffeea638 in ?? ()
#13 0x0000000000000000 in ?? ()

Marking s-s due to GC assertion. This is likely the same as bug 1533873.

Seems to have been fixed by the backout. ni?jonco as this is another test case.

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → FIXED
Assignee: nobody → jcoppeard
Blocks: 1532376
Group: javascript-core-security → core-security-release
Target Milestone: --- → mozilla67
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Flags: needinfo?(jcoppeard)

Bug 1533873 comment 2 confirmed this was harmless, removing security flags.

Group: core-security-release
Keywords: bugmon