Closed Bug 1755874 Opened 3 years ago Closed 3 years ago

Assertion failure: comp == compartment || runtime()->mainContextFromOwnThread()->disableCompartmentCheckTracer || (srcKind == JS::TraceKind::Object && InCrossCompartmentMap(runtime(), static_cast<JSObject*>(src), thing))

Categories

(Core :: JavaScript: GC, defect)

Product:
Core
Component:
JavaScript: GC
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
99 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox97 --- unaffected
firefox98 --- unaffected
firefox99 --- verified

People

(Reporter: decoder, Assigned: jonco)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(4 files)

Detailed Crash Information
2.19 KB, text/plain
Details
Testcase
126 bytes, text/plain
Details
Bug 1755874 - Disable compartment checks when tracing finalization record wrappers from the finalization registry's global r?sfink
48 bytes, text/x-phabricator-request
Details | Review
Bug 1755874 - Fix non-unified build bustage r?Aryx
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20220217-430986e11fd2 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

fullcompartmentchecks(true);
a = new FinalizationRegistry(b => {})
c = newGlobal({
    newCompartment: true
});
a.register(c);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555574f5c0f in CompartmentCheckTracer::onChild(JS::GCCellPtr) ()
#1  0x0000555556fd0208 in js::GenericTracerImpl<JS::CallbackTracer>::onObjectEdge(JSObject*) ()
#2  0x000055555755a9e8 in bool DoCallback<JSObject>(js::GenericTracer*, JSObject**, char const*) ()
#3  0x0000555557535d26 in void js::TraceManuallyBarrieredCrossCompartmentEdge<JSObject*>(JSTracer*, JSObject*, JSObject**, char const*) ()
#4  0x00005555574e753f in js::gc::FinalizationRegistryGlobalData::trace(JSTracer*, js::GlobalObject*) ()
#5  0x00005555571bbd54 in JS_GlobalObjectTraceHook(JSTracer*, JSObject*) ()
#6  0x0000555556ea258b in JSObject::traceChildren(JSTracer*) ()
#7  0x00005555575bf577 in JS::TraceChildren(JSTracer*, JS::GCCellPtr) ()
#8  0x00005555574f650b in js::gc::GCRuntime::checkForCompartmentMismatches() ()
#9  0x00005555574f9d86 in js::gc::GCRuntime::endPreparePhase(JS::GCReason) ()
#10 0x00005555574fe852 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) ()
#11 0x0000555557502628 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) ()
#12 0x0000555557503876 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) ()
#13 0x00005555574d36a8 in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) ()
#14 0x0000555556feb29c in JSRuntime::destroyRuntime() ()
#15 0x0000555556e64f76 in js::DestroyContext(JSContext*) ()
#16 0x0000555556ad492f in main ()
rax	0x5555557b6abd	93824994732733
rbx	0x0	0
rcx	0x5555581a7898	93825038710936
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffd5e0	140737488344544
rsp	0x7fffffffd580	140737488344448
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7ffff6018000	140737320681472
r13	0x0	0
r14	0x169d7f83f030	24865705029680
r15	0x7ffff603f5d8	140737320842712
rip	0x5555574f5c0f <CompartmentCheckTracer::onChild(JS::GCCellPtr)+815>
=> 0x5555574f5c0f <_ZN22CompartmentCheckTracer7onChildEN2JS9GCCellPtrE+815>:	movl   $0x870,0x0
   0x5555574f5c1a <_ZN22CompartmentCheckTracer7onChildEN2JS9GCCellPtrE+826>:	callq  0x555556b6b1f7 <abort>
Attached file Testcase
Assignee: nobody → jcoppeard
Regressed by: 1749298
Has Regression Range: --- → yes

This also cleans up the assertion check to give a more readable error.

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220217094417-2b335bf2de3a.
The bug appears to have been introduced in the following build range:

Start: 1a579edbc613cf0151ea5f85b03ada1503c77712 (20220211110300)
End: e9a80289cc3be6b3ff4786cdf9f06493e1fe12c4 (20220211113101)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1a579edbc613cf0151ea5f85b03ada1503c77712&tochange=e9a80289cc3be6b3ff4786cdf9f06493e1fe12c4

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fe998b5c2b8b Disable compartment checks when tracing finalization record wrappers from the finalization registry's global r=sfink

Backed out for causing multiple build bustages

Backout link

Push with failures

Failure log // Failure log 2

Failure line(s): /builds/worker/checkouts/gecko/js/src/gc/FinalizationRegistry.cpp:320:37: error: unused variable 'adcct' [-Werror,-Wunused-variable]

Flags: needinfo?(jcoppeard)
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/76543a3c84c6 Disable compartment checks when tracing finalization record wrappers from the finalization registry's global r=sfink
Pushed by csabou@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/16cd4034327f Fix non-unified build bustage. r=aryx
Flags: needinfo?(jcoppeard)

Set release status flags based on info from the regressing bug 1749298

status-firefox97: --- → unaffected
status-firefox98: --- → unaffected
status-firefox-esr91: --- → unaffected

https://hg.mozilla.org/mozilla-central/rev/76543a3c84c6
https://hg.mozilla.org/mozilla-central/rev/16cd4034327f

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox99: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220218215229-b21fa00b5f33.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox99: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: