1605348 - Assertion failure: comp == compartment || (srcKind == JS::TraceKind::Object && InCrossCompartmentMap(runtime(), static_cast<JSObject*>(src), thing)), at js/src/gc/GC.cpp:3731 with WeakRef

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20191219-5e8b48c8cd93 (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --enable-weak-refs):

fullcompartmentchecks(true);
var g37 = newGlobal({
    newCompartment: true
});
new g37.WeakRef({});

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556258f0f in CompartmentCheckTracer::onChild(JS::GCCellPtr const&) ()
#1  0x0000555555a5880e in JS::CallbackTracer::onObjectEdge(JSObject**) ()
#2  0x000055555631136f in bool DoCallback<JSObject>(JS::CallbackTracer*, JSObject**, char const*) ()
#3  0x0000555555ea1d39 in js::WeakRefObject::trace(JSTracer*, JSObject*) ()
#4  0x0000555555c50ce5 in JSObject::traceChildren(JSTracer*) ()
#5  0x0000555556259680 in js::gc::GCRuntime::checkForCompartmentMismatches() ()
#6  0x000055555625c623 in js::gc::GCRuntime::beginMarkPhase(JS::GCReason, js::gc::AutoGCSession&) ()
#7  0x000055555626f6fb in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason, js::gc::AutoGCSession&) ()
#8  0x0000555556272898 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#9  0x00005555562744ae in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#10 0x0000555556231d3a in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::GCReason) ()
#11 0x0000555555cfc6e5 in JSRuntime::destroyRuntime() ()
#12 0x0000555555c02282 in js::DestroyContext(JSContext*) ()
#13 0x000055555576f345 in main ()
rax	0x555556f398bf	93825019386047
rbx	0x0	0
rcx	0x555557ef9838	93825035900984
rdx	0x0	0
rsi	0x7ffff6efd770	140737336301424
rdi	0x7ffff6efc540	140737336296768
rbp	0x7fffffffd250	140737488343632
rsp	0x7fffffffd1e0	140737488343520
r8	0x7ffff6efd770	140737336301424
r9	0x7ffff7f98d00	140737353714944
r10	0x58	88
r11	0x7ffff6ba47a0	140737332791200
r12	0x7ffff5e65398	140737318900632
r13	0x20e12ee7e1a0	36151526678944
r14	0x20e12eebb040	36151526928448
r15	0x7ffff5e29000	140737318653952
rip	0x555556258f0f <CompartmentCheckTracer::onChild(JS::GCCellPtr const&)+287>
=> 0x555556258f0f <_ZN22CompartmentCheckTracer7onChildERKN2JS9GCCellPtrE+287>:	movl   $0xe93,0x0
   0x555556258f1a <_ZN22CompartmentCheckTracer7onChildERKN2JS9GCCellPtrE+298>:	callq  0x5555557f33fa <abort>

Comment 1

[Jon Coppeard (:jonco)]

Attachment: Bug 1605348 - Only trace the target of a WeakRef if the tracer requests weak edges r?sfink

The problem is the compartment checking tracer currently gets to see the target of a WeakRef, which may be in another compartment.

I think we should just not trace the target here.

Comment 2

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7060854d0302
Only trace the target of a WeakRef if the tracer requests weak edges r=sfink

Comment 3

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/7060854d0302