Assertion failure: UncheckedUnwrap(weakRef)->is<WeakRefObject>(), at builtin/WeakRefObject.cpp:217
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox72 | --- | unaffected |
| firefox73 | --- | wontfix |
| firefox74 | --- | fixed |
People
(Reporter: decoder, Assigned: allstars.chh)
References
(Regression)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file, 1 obsolete file)
The following testcase crashes on mozilla-central revision 20191222-ca5ff9e3c66e (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --enable-weak-refs):
newGlobal();
nukeAllCCWs();
var g28 = newGlobal({
newCompartment: true
});
let wr6 = new g28.WeakRef(newGlobal());
new WeakRef(wr6);
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000555555ea51d1 in js::gc::GCRuntime::registerWeakRef(JS::Handle<JSObject*>, JS::Handle<JSObject*>) ()
#0 0x0000555555ea51d1 in js::gc::GCRuntime::registerWeakRef(JS::Handle<JSObject*>, JS::Handle<JSObject*>) ()
#1 0x0000555555ea4909 in js::WeakRefObject::construct(JSContext*, unsigned int, JS::Value*) ()
#2 0x00005555558eff42 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#14 0x0000555555772c31 in main ()
rax 0x555556ef5b05 93825019108101
rbx 0x7fffffffb9a8 140737488337320
rcx 0x555557f0b838 93825035974712
rdx 0x0 0
rsi 0x7ffff6efd770 140737336301424
rdi 0x7ffff6efc540 140737336296768
rbp 0x7fffffffb960 140737488337248
rsp 0x7fffffffb8b0 140737488337072
r8 0x7ffff6efd770 140737336301424
r9 0x7ffff7f98d00 140737353714944
r10 0x58 88
r11 0x7ffff6ba47a0 140737332791200
r12 0x7ffff5e27020 140737318645792
r13 0x7fffffffb9c8 140737488337352
r14 0x7fffffffb990 140737488337296
r15 0x7ffff5e27000 140737318645760
rip 0x555555ea51d1 <js::gc::GCRuntime::registerWeakRef(JS::Handle<JSObject*>, JS::Handle<JSObject*>)+721>
=> 0x555555ea51d1 <_ZN2js2gc9GCRuntime15registerWeakRefEN2JS6HandleIP8JSObjectEES6_+721>: movl $0xd9,0x0
0x555555ea51dc <_ZN2js2gc9GCRuntime15registerWeakRefEN2JS6HandleIP8JSObjectEES6_+732>: callq 0x5555557f79ea <abort>
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d1ac49b9eb3e
user: Yoshi Cheng-Hao Huang
date: Thu Dec 12 21:19:11 2019 +0000
summary: Bug 1587093 - Implement WeakRef object in js shell. r=jonco
Definitely WeakRefs-related, setting needinfo? from Yoshi as a start.
|
||
Updated•4 years ago
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 2•4 years ago
|
||
|
|
Assignee | |
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 3•4 years ago
|
||
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
Pushed by allstars.chh@gmail.com: https://hg.mozilla.org/integration/autoland/rev/048554c9449e Check if it's a dead wrapper in WeakRef constructor. r=jonco
|
||
Comment 5•4 years ago
|
||
Backed out changeset 048554c9449e (bug 1605633) for causing high frequency spidermonkey bustages
push that caused the backout: https://treeherder.mozilla.org/#/jobs?repo=autoland&searchStr=windows%2C2012%2Cx64%2Cdebug%2Cspidermonkey%2Cbuilds%2Cspidermonkey-sm-compacting-win64%2Fdebug%2Csm%28cgc%29&revision=048554c9449e103f296b6d66bb265ed370fd4d17
backout: https://hg.mozilla.org/integration/autoland/rev/c46a34b79b5dad2ca11e7d089a5c4c7a8788aaf0
|
||
Comment 6•4 years ago
|
||
This also caused bug 1606935 on mozilla-central.
Pushed by allstars.chh@gmail.com: https://hg.mozilla.org/integration/autoland/rev/9be6fc42a26f Check if it's a dead wrapper in WeakRef constructor. r=jonco
|
||
Updated•4 years ago
|
|
||
Comment 10•4 years ago
|
||
| bugherder | ||
|
||
Comment 11•4 years ago
|
||
Given the regressing bug, it sounds like this issue is shell-only and doesn't need uplift. Please nominate for Beta approval if that's incorrect, however.
Description
•