Closed
Bug 1698557
Opened 3 years ago
Closed 3 years ago
Assertion failure: comp == compartment || (srcKind == JS::TraceKind::Object && InCrossCompartmentMap(runtime(), static_cast<JSObject*>(src), thing)), at gc/GC.cpp:3924
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
VERIFIED
FIXED
88 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox86 | --- | unaffected |
| firefox87 | --- | unaffected |
| firefox88 | --- | verified |
People
(Reporter: decoder, Assigned: jandem)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20210315-29ed711969d6 (debug build, run with --fuzzing-safe --more-compartments --no-threads):
for (tghtno = 128; tghtno > 0; tghtno--) {
g2 = newGlobal({ sameZoneAs: new RegExp()});
fullcompartmentchecks(true);
g2.Set.prototype.values;
startgc(118895976);
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555573ef702 in CompartmentCheckTracer::onChild(JS::GCCellPtr const&) ()
#1 0x0000555556ccf128 in JS::CallbackTracer::onShapeEdge(js::Shape*) ()
#2 0x0000555557487dc9 in bool DoCallback<js::Shape>(js::GenericTracer*, js::Shape**, char const*) ()
#3 0x000055555744cee8 in void js::TraceSameZoneCrossCompartmentEdge<js::Shape*>(JSTracer*, js::WriteBarriered<js::Shape*> const*, char const*) ()
#4 0x0000555557774d6f in void js::jit::TraceCacheIRStub<js::jit::ICCacheIRStub>(JSTracer*, js::jit::ICCacheIRStub*, js::jit::CacheIRStubInfo const*) ()
#5 0x000055555756e2e7 in js::jit::ICCacheIRStub::trace(JSTracer*) ()
#6 0x000055555756e19b in js::jit::ICEntry::trace(JSTracer*) ()
#7 0x0000555557949395 in js::jit::ICScript::trace(JSTracer*) ()
#8 0x0000555557949249 in js::jit::JitScript::trace(JSTracer*) ()
#9 0x0000555556eb2629 in js::ScriptWarmUpData::trace(JSTracer*) ()
#10 0x0000555557451c0d in js::BaseScript::traceChildren(JSTracer*) ()
#11 0x00005555574aeb70 in JS::TraceChildren(JSTracer*, JS::GCCellPtr) ()
#12 0x00005555573efde7 in js::gc::GCRuntime::checkForCompartmentMismatches() ()
#13 0x00005555573f4838 in js::gc::GCRuntime::endPreparePhase(JS::GCReason) ()
#14 0x0000555557409e8e in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#15 0x000055555740cffd in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#16 0x000055555740e36c in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#17 0x000055555740f6e1 in js::gc::GCRuntime::startDebugGC(JSGCInvocationKind, js::SliceBudget&) ()
#18 0x00005555570852a3 in StartGC(JSContext*, unsigned int, JS::Value*) ()
#19 0x0000555556b85201 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#20 0x0000555556b84940 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#21 0x0000555556b85d61 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#22 0x000055555757a97a in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) ()
#23 0x00003a2945b70443 in ?? ()
[...]
#49 0x0000000000000000 in ?? ()
rax 0x555555820cde 93824995167454
rbx 0x4 4
rcx 0x555557ff1088 93825036914824
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffabc0 140737488333760
rsp 0x7fffffffab60 140737488333664
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0x7fffffffabd0 140737488333776
r13 0x60240ab5cd4 6606744673492
r14 0x7fffffffae18 140737488334360
r15 0x7fffffffae20 140737488334368
rip 0x5555573ef702 <CompartmentCheckTracer::onChild(JS::GCCellPtr const&)+770>
=> 0x5555573ef702 <_ZN22CompartmentCheckTracer7onChildERKN2JS9GCCellPtrE+770>: movl $0xf54,0x0
0x5555573ef70d <_ZN22CompartmentCheckTracer7onChildERKN2JS9GCCellPtrE+781>: callq 0x555556a7e364 <abort>
|
Reporter | |
Comment 1•3 years ago
|
||
|
||
Comment 2•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210315091836-29ed711969d6.
The bug appears to have been introduced in the following build range:
Start: 14445d08a3a414c568ee985bec7684c55761ea35 (20210306001811)
End: 4197952997ba47f2b4d1968d57230a4c448ddaa3 (20210306010831)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=14445d08a3a414c568ee985bec7684c55761ea35&tochange=4197952997ba47f2b4d1968d57230a4c448ddaa3
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
|
||
Comment 3•3 years ago
|
||
Comment 2 says this is a regression from bug 1689413.
Flags: needinfo?(jdemooij)
|
Assignee | |
Comment 4•3 years ago
|
||
Not security sensitive, the CompartmentCheckTracer is overzealous in this case.
Group: javascript-core-security
|
|
Assignee | |
Comment 5•3 years ago
|
||
|
||
Updated•3 years ago
|
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•3 years ago
|
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/174571ba6cca Disable CompartmentCheckTracer check too for TraceSameZoneCrossCompartmentEdge. r=jonco
|
||
Comment 7•3 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
|
|
||
Comment 8•3 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210319215733-e8ee87ef82c3.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•3 years ago
|
status-firefox86:
--- → unaffected
status-firefox87:
--- → unaffected
status-firefox-esr78:
--- → unaffected
Flags: in-testsuite+
Regressed by: 1689413
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•