Closed Bug 1564012 Opened 5 months ago Closed 4 months ago

Assertion failure: comp == compartment || (srcKind == JS::TraceKind::Object && InCrossCompartmentMap(static_cast<JSObject*>(src), thing)), at js/src/gc/GC.cpp:4257

Categories

(Core :: JavaScript Engine, defect, P1, critical)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- wontfix
firefox70 --- fixed

People

(Reporter: gkw, Assigned: jonco)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update,ignore])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 483d687212fb (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// jsfunfuzz-generated
fullcompartmentchecks(true);
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Frame-identity-05.js
var g = newGlobal({
    newCompartment: true
});
g.eval("function*f(){debugger;yield}");
var dbg = new Debugger(g);
dbg.onDebuggerStatement = function(frame) {};
g.f().next();

Backtrace:

#0  CompartmentCheckTracer::onChild (this=<optimized out>, thing=...) at js/src/gc/GC.cpp:4255
#1  0x000055dc035cf285 in JS::CallbackTracer::onScriptEdge (this=<optimized out>, scriptp=<optimized out>) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-x86_64-483d687212fb/objdir-js/dist/include/js/TracingAPI.h:164
#2  0x000055dc03a90ab0 in JS::CallbackTracer::dispatchToOnEdge (this=0x7ffe1d515628, scriptp=0x7fb8a0b1b1f8) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-x86_64-483d687212fb/objdir-js/dist/include/js/TracingAPI.h:261
#3  DoCallback<JSScript> (trc=0x7ffe1d515628, thingp=0x7fb8a0b1b1f8, name=0x55dc01f391b7 "Debugger.Frame generator script") at js/src/gc/Tracer.cpp:45
#4  0x000055dc03430633 in js::Class::doTrace (this=<optimized out>, trc=<optimized out>, obj=<optimized out>) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-x86_64-483d687212fb/objdir-js/dist/include/js/Class.h:872
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/1dd4e16a1a96
user: Jim Blandy
date: Sat Jul 06 00:01:24 2019 +0000
summary: Bug 1560754: Remove DebuggeeFrameGeneratorScript. r=jorendorff

Jim, is bug 1560754 a likely regressor?

Flags: needinfo?(jimb)
Regressed by: 1560754

autobisectjs shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/597a43be8c60
user: Jon Coppeard
date: Thu Aug 01 16:09:40 2019 +0000
summary: Bug 1564178 - Don't create cross compartment wrappers for debugger wrapper objects r=jimb

Jim/Jon, is bug 1564178 a likely fix?

Flags: needinfo?(jcoppeard)

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)
Yes it is. I'll add the test.

Flags: needinfo?(jcoppeard)
Assignee: nobody → jcoppeard
Flags: needinfo?(jimb)
Priority: -- → P1
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision a28a338396c3).

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8a54e897db7c
Add fuzz test for cross compartment pointers from debugger frame generator info to scripts r=jimb?

Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70