Closed Bug 1604469 Opened 6 years ago Closed 6 years ago

Hit MOZ_CRASH(*** Compartment mismatch 0x7ffff5e65420 vs. 0x7ffff5e65100 at argument 0) at vm/JSContext-inl.h:58

Categories: Core :: JavaScript Engine (defect)
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 1426385
Reporter: decoder (Unassigned)
References: Regression
Details: 5 keywords, Whiteboard: [jsbugmon:update]

The following testcase crashes on mozilla-central revision 20191217-83fc8cf83221 (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

// Testcase for the SpiderMonkey JS shell: newGlobal() and evaluate() are
// shell builtins, not standard JavaScript.
function evalWithCache(code, ctx) {
  // Create a fresh global; with newCompartment: true it lives in a new compartment.
  ctx.global = newGlobal({ newCompartment: ctx.newCompartment });
  // Evaluate `code` in ctx.global using ctx.envChainObject as the
  // non-syntactic environment chain.
  evaluate(code, ctx);
}
// envChainObject is allocated in the original compartment, while the global it
// is evaluated against belongs to the new one; the debug build's compartment
// check in js::ContextChecks::check fires on that mismatch.
evalWithCache("", {
  envChainObject: function() {},
  newCompartment: true
});

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555558fd7d4 in js::ContextChecks::check(JSObject*, int) ()
#1  0x0000555555b0cbbb in js::CreateObjectsForEnvironmentChain(JSContext*, JS::Handle<JS::StackGCVector<JSObject*, js::TempAllocPolicy> >, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) ()
#2  0x0000555555b0c857 in js::CreateNonSyntacticEnvironmentChain(JSContext*, JS::Handle<JS::StackGCVector<JSObject*, js::TempAllocPolicy> >, JS::MutableHandle<JSObject*>, JS::MutableHandle<js::Scope*>) ()
#3  0x0000555555af5a64 in ExecuteScript(JSContext*, JS::Handle<JS::StackGCVector<JSObject*, js::TempAllocPolicy> >, JS::Handle<JSScript*>, JS::Value*) ()
#4  0x000055555578b71c in Evaluate(JSContext*, unsigned int, JS::Value*) ()
[...]
#16 0x000055555576ec31 in main ()
rax	0x555557ef8838	93825035896888
rbx	0x555557ef8840	93825035896896
rcx	0x7ffff6c2e2dd	140737333355229
rdx	0x0	0
rsi	0x7ffff6efd770	140737336301424
rdi	0x7ffff6efc540	140737336296768
rbp	0x7fffffffb4d0	140737488336080
rsp	0x7fffffffb4a0	140737488336032
r8	0x7ffff6efd770	140737336301424
r9	0x7ffff7f98d00	140737353714944
r10	0x58	88
r11	0x7ffff6ba47a0	140737332791200
r12	0x0	0
r13	0x555557e3a078	93825035116664
r14	0x0	0
r15	0x7fffffffb4f0	140737488336112
rip	0x5555558fd7d4 <js::ContextChecks::check(JSObject*, int)+260>
=> 0x5555558fd7d4 <_ZN2js13ContextChecks5checkEP8JSObjecti+260>:	movl   $0x3a,0x0
   0x5555558fd7df <_ZN2js13ContextChecks5checkEP8JSObjecti+271>:	callq  0x5555557f345e <abort>

Likely a shell-only problem.

Can we bisect this?

Flags: needinfo?(choller)

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/40aafceb5e48
user: Andrew McCreight
date: Mon Aug 07 16:35:43 2017 -0700
summary: Bug 1388191 - Add way to test evaluation with envChain in the shell. r=jorendorff

Jan, does this help?

Flags: needinfo?(choller) → needinfo?(jdemooij)
Regressed by: 1388191
Has Regression Range: --- → yes
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Ugh. This is Bug 1426385. I'll put in the basic fix instead of wasting your time again. Sorry.

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE