Closed Bug 1889531 Opened 1 year ago Closed 1 year ago

Assertion failure: this->is<T>(), at vm/JSObject.h:497

Categories

(Core :: JavaScript: GC, defect)

defect


RESOLVED DUPLICATE of bug 1889355

People

(Reporter: lukas.bernhard, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external)

Attachments

(2 files)

Attached file crash.js

Steps to reproduce:

On git commit 8340afd1fb3e7b2727d2efb47df1bd3112db7213 I encountered a flaky assert when invoking the js-shell as obj-lto/dist/bin/js --fast-warmup --fuzzing-safe --gc-zeal=10,83 --ion-offthread-compile=off --no-cgc --cpu-count=2 crash.js with the attached sample.
Unfortunately, the sample did not properly minimize due to its flakiness. Running with rr record --chaos made it easier (on my machine) to observe the crash; I also uploaded a trace: https://pernos.co/debug/rTkhuJsbt-nw9V3YpegAEw/index.html

#0  JSObject::as<js::NativeObject> (this=0x1e6091ac0060) at js/src/vm/JSObject.h:497
#1  js::GCMarker::processMarkStackTop<0u> (this=this@entry=0x29f636e28e20, budget=...)
    at js/src/gc/Marking.cpp:1527
#2  0x000060866b9de812 in js::GCMarker::markOneColor<0u, (js::gc::MarkColor)2> (this=this@entry=0x29f636e28e20, 
    budget=...) at js/src/gc/Marking.cpp:1387
#3  0x000060866b9c3d34 in js::GCMarker::doMarking<0u> (this=this@entry=0x29f636e28e20, budget=..., 
    reportTime=js::gc::ReportMarkTime) at js/src/gc/Marking.cpp:1344
#4  0x000060866b9abc83 in js::GCMarker::markUntilBudgetExhausted (this=0x29f636e28e20, budget=..., 
    reportTime=js::gc::ReportMarkTime) at js/src/gc/Marking.cpp:1335
#5  0x000060866b966ce3 in js::gc::GCRuntime::markUntilBudgetExhausted (this=this@entry=0x29f636e2f798, sliceBudget=..., 
    allowParallelMarking=<optimized out>, reportTime=js::gc::ReportMarkTime)
    at js/src/gc/GC.cpp:3119
#6  0x000060866b96af01 in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x29f636e2f798, budget=..., 
    reason=reason@entry=JS::GCReason::DEBUG_GC, budgetWasIncreased=<optimized out>)
    at js/src/gc/GC.cpp:3755
#7  0x000060866b96e30e in js::gc::GCRuntime::gcCycle (this=this@entry=0x29f636e2f798, nonincrementalByAPI=false, 
    budgetArg=..., reason=reason@entry=JS::GCReason::DEBUG_GC) at js/src/gc/GC.cpp:4322
#8  0x000060866b96fc54 in js::gc::GCRuntime::collect (this=this@entry=0x29f636e2f798, nonincrementalByAPI=false, 
    budget=..., reason=reason@entry=JS::GCReason::DEBUG_GC) at js/src/gc/GC.cpp:4513
#9  0x000060866b93c1e7 in js::gc::GCRuntime::runDebugGC (this=this@entry=0x29f636e2f798)
    at js/src/gc/GC.cpp:4976
#10 0x000060866b973cb0 in js::gc::CellAllocator::PreAllocChecks<(js::AllowGC)1> (cx=0x29f636e3d200, 
    kind=kind@entry=js::gc::AllocKind::SHAPE) at js/src/gc/Allocator.cpp:257
#11 0x000060866b974775 in js::gc::CellAllocator::AllocTenuredCell<(js::AllowGC)1> (
    cx=0x74287ae008e0 <_IO_stdfile_2_lock>, kind=<optimized out>, size=32)
    at js/src/gc/Allocator.cpp:135
#12 0x000060866b29f415 in js::gc::CellAllocator::NewTenuredCell<js::SharedShape, (js::AllowGC)1, JS::Handle<js::BaseShape*>&, js::EnumFlags<js::ObjectFlag>&, unsigned int&, JS::Handle<js::SharedPropMap*>&, unsigned int&> (cx=0x29f636e3d200, 
    args=<optimized out>, args=<optimized out>, args=<optimized out>, args=<optimized out>, args=<optimized out>)
    at js/src/gc/Allocator-inl.h:152
#13 js::gc::CellAllocator::NewCell<js::SharedShape, (js::AllowGC)1, JS::Handle<js::BaseShape*>&, js::EnumFlags<js::ObjectFlag>&, unsigned int&, JS::Handle<js::SharedPropMap*>&, unsigned int&> (cx=0x29f636e3d200, args=<optimized out>, 
    args=<optimized out>, args=<optimized out>, args=<optimized out>, args=<optimized out>)
    at js/src/gc/Allocator-inl.h:57
#14 JSContext::newCell<js::SharedShape, (js::AllowGC)1, JS::Handle<js::BaseShape*>&, js::EnumFlags<js::ObjectFlag>&, unsigned int&, JS::Handle<js::SharedPropMap*>&, unsigned int&> (this=0x29f636e3d200, args=<optimized out>, 
    args=<optimized out>, args=<optimized out>, args=<optimized out>, args=<optimized out>)
    at js/src/vm/JSContext-inl.h:359
#15 js::SharedShape::new_ (cx=0x29f636e3d200, base=..., objectFlags=..., nfixed=4, mapLength=0, map=...)
    at js/src/vm/Shape.cpp:1115
#16 js::SharedShape::getInitialShape (cx=cx@entry=0x29f636e3d200, clasp=clasp@entry=0x60866cafd2a0 <js::FunctionClass>, 
    realm=0x29f636ee4b00, proto=..., proto@entry=..., nfixed=nfixed@entry=4, objectFlags=objectFlags@entry=...)
    at js/src/vm/Shape.cpp:1430
#17 0x000060866b29d206 in js::Shape::replaceShape (cx=0x29f636e3d200, obj=..., objectFlags=..., proto=..., nfixed=4)
    at js/src/vm/Shape.cpp:56
#18 0x000060866b2ac109 in JSObject::setFlag (cx=0x74287ae008e0 <_IO_stdfile_2_lock>, cx@entry=0x29f636e3d200, obj=...,
    obj@entry=..., flag=flag@entry=js::ObjectFlag::IsUsedAsPrototype)
    at js/src/vm/Shape.cpp:1008
#19 0x000060866b2acc99 in JSObject::setIsUsedAsPrototype (cx=0x29f636e3d200, obj=...)
    at js/src/vm/JSObject.h:191
#20 SetObjectIsUsedAsPrototype (cx=cx@entry=0x29f636e3d200, proto=proto@entry=...)
    at js/src/vm/Shape.cpp:1022
#21 0x000060866b29f6a6 in js::SharedShape::getInitialShape (cx=0x29f636e3d200,
    clasp=0x60866cafd2a0 <js::FunctionClass>, realm=0x29f636ee4b00, proto=..., nfixed=4, objectFlags=...)
    at js/src/vm/Shape.cpp:1398
#22 0x000060866b05f8a3 in js::NewFunctionWithProto (cx=cx@entry=0x29f636e3d200,
    native=0x60866b05bfa0 <js::Function(JSContext*, unsigned int, JS::Value*)>, nargs=nargs@entry=1, flags=flags@entry=..., enclosingEnv=...,
    atom=..., proto=..., allocKind=js::gc::AllocKind::FUNCTION, newKind=js::TenuredObject)
    at js/src/vm/JSFunction.cpp:1698
#23 0x000060866b0ab225 in CreateFunctionConstructor (cx=0x29f636e3d200, key=<optimized out>)
    at js/src/vm/JSFunction.cpp:758
#24 0x000060866afc56e0 in js::GlobalObject::resolveConstructor (cx=0x29f636e3d200, global=..., key=JSProto_Function, mode=<optimized out>)
    at js/src/vm/GlobalObject.cpp:375
#25 0x000060866ae54834 in js::GlobalObject::ensureConstructor (cx=0x29f636e3d200, global=..., key=JSProto_Function)
    at js/src/vm/GlobalObject.h:344
#26 CreateObjectConstructor (cx=0x29f636e3d200, key=<optimized out>) at js/src/builtin/Object.cpp:2487
#27 0x000060866afc56e0 in js::GlobalObject::resolveConstructor (cx=0x29f636e3d200, global=..., key=key@entry=JSProto_Object,
    mode=mode@entry=js::GlobalObject::IfClassIsDisabled::Throw) at js/src/vm/GlobalObject.cpp:375
#28 0x000060866afc93ba in js::GlobalObject::ensureConstructor (cx=0x29f636e3d200, global=..., key=JSProto_Object)
    at js/src/vm/GlobalObject.h:344
#29 js::GlobalObject::new_ (cx=0x29f636e3d200, clasp=<optimized out>, principals=<optimized out>, hookOption=JS::DontFireOnNewGlobalHook,
    options=...) at js/src/vm/GlobalObject.cpp:664
#30 0x000060866ac03032 in NewGlobalObject (cx=0x29f636e3d200, options=..., principals=0x74287adff743 <_IO_2_1_stderr_+131>, principals@entry=0x0,
    kind=ShellGlobalKind::WindowProxy, immutablePrototype=true) at js/src/shell/js.cpp:10791
#31 0x000060866ac196ff in NewGlobal (cx=0x29f636e3d200, argc=<optimized out>, vp=<optimized out>)
    at js/src/shell/js.cpp:6952
#32 0x000060866acfaf87 in CallJSNative (cx=cx@entry=0x29f636e3d200,
    native=native@entry=0x60866ac18d60 <NewGlobal(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...)
    at js/src/vm/Interpreter.cpp:479
#33 0x000060866acfa1a2 in js::InternalCallOrConstruct (cx=0x29f636e3d200, args=..., construct=construct@entry=js::NO_CONSTRUCT,
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:573
#34 0x000060866acfbef6 in InternalCall (cx=0x74287ae008e0 <_IO_stdfile_2_lock>, args=..., reason=1835613264)
    at js/src/vm/Interpreter.cpp:640
#35 0x000060866acfbe25 in js::CallFromStack (cx=0x74287ae008e0 <_IO_stdfile_2_lock>, cx@entry=0x29f636e3d200, args=..., reason=2061498179,
    reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:645
#36 0x000060866bb69055 in js::jit::DoCallFallback (cx=0x29f636e3d200, frame=0x7ffd690bec48, stub=0x176f331a3028, argc=1, vp=0x7ffd690bebe0,
    res=...) at js/src/jit/BaselineIC.cpp:1659
#37 0x00005cdb1dee6a5f in ?? ()
#38 0xaaaaaaaa00010002 in ?? ()
#39 0xfff9800000000000 in ?? ()
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript: GC
Product: Firefox → Core
Attachment #9394921 - Attachment mime type: application/x-javascript → text/plain

Might be the same issue as bug 1825975 but with a better reproducer.

Attached file nodebugger.diff

Reproducing might require not defining the debugger object; see the attached patch. I suspect this is due to a very specific GC/allocation state; the lack of a debugger object should not be the root cause at all.

Group: core-security → javascript-core-security

The stack trace suggests the mark stack has a native object slots/elements range but at some point we swap the object with a non-native object (the test uses transplantableObject) but still assume it's native?
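The hazard described in the comment above, as a simplified model written for this page (it is not SpiderMonkey code and not the fix from bug 1889355): an incremental marker pushes a "slots range" entry for a native object, the slice ends, the mutator swaps that object's contents with a non-native object, and the next slice resumes the range while still treating the object as native. The `Obj`, `Entry`, `drain` and `scenario` names, and the "drop the stale range" behaviour in the checked path, are assumptions made for the model.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model object (not SpiderMonkey): either a native object whose inline
 * slots the marker traces, or a non-native object with an opaque payload. */
typedef struct Obj Obj;
struct Obj {
    bool is_native;
    bool marked;          /* in the real engine the mark bit lives with the cell address */
    size_t nslots;
    Obj *slots[4];        /* only meaningful when is_native */
    const char *payload;  /* only meaningful when !is_native */
};

/* Mark-stack entries: a whole object, or a range of a native object's
 * slots that the marker was interrupted in the middle of. */
typedef enum { ENTRY_OBJECT, ENTRY_SLOTS_RANGE } EntryKind;
typedef struct { EntryKind kind; Obj *obj; size_t start, end; } Entry;
typedef struct { Entry items[16]; size_t len; } MarkStack;

static void push(MarkStack *s, Entry e) { assert(s->len < 16); s->items[s->len++] = e; }
static Entry pop(MarkStack *s) { assert(s->len > 0); return s->items[--s->len]; }

/* Exchange two objects' contents the way a transplant/swap does.  The mark
 * bit stays with the address, since it is a property of the cell, not of
 * the contents that moved. */
static void swap_contents(Obj *a, Obj *b) {
    bool am = a->marked, bm = b->marked;
    Obj t = *a; *a = *b; *b = t;
    a->marked = am; b->marked = bm;
}

/* Drain the mark stack.  With check_kind == false a SLOTS_RANGE entry trusts
 * that its object is still native; reaching a non-native object there is
 * where the real marker would hit the is<NativeObject>() assertion, modelled
 * as a -1 return.  With check_kind == true (hypothetical defensive variant)
 * the stale range is dropped because the object's new class has no slots.
 * Otherwise returns the number of slots traced. */
static int drain(MarkStack *s, bool check_kind) {
    int traced = 0;
    while (s->len) {
        Entry e = pop(s);
        if (e.kind == ENTRY_OBJECT) {
            if (e.obj->marked) continue;
            e.obj->marked = true;
            if (e.obj->is_native && e.obj->nslots)
                push(s, (Entry){ENTRY_SLOTS_RANGE, e.obj, 0, e.obj->nslots});
            continue;
        }
        if (!e.obj->is_native) {
            if (!check_kind) return -1;
            continue;
        }
        for (size_t i = e.start; i < e.end; i++) {
            traced++;
            if (e.obj->slots[i]) push(s, (Entry){ENTRY_OBJECT, e.obj->slots[i], 0, 0});
        }
    }
    return traced;
}

/* Scenario from the comment: slice 1 marks `native` and pushes its slot
 * range, runs out of budget; the mutator swaps `native` with a non-native
 * object; slice 2 resumes the range. */
static int scenario(bool swap_between_slices, bool check_kind) {
    Obj child  = { .is_native = true,  .marked = false, .nslots = 0 };
    Obj native = { .is_native = true,  .marked = true,  .nslots = 2, .slots = { &child, NULL } };
    Obj other  = { .is_native = false, .marked = false, .payload = "opaque" };
    MarkStack s = { .len = 0 };
    push(&s, (Entry){ENTRY_SLOTS_RANGE, &native, 0, native.nslots});
    if (swap_between_slices) swap_contents(&native, &other);
    return drain(&s, check_kind);
}

int main(void) {
    printf("no swap, unchecked: %d\n", scenario(false, false));
    printf("swap, unchecked:    %d (would assert)\n", scenario(true, false));
    printf("swap, checked:      %d\n", scenario(true, true));
    return 0;
}
```

The model only shows why a cached "this object is native" assumption on the mark stack is unsafe across a swap; it does not show how the contents that moved into the other object get marked, which is part of what the real engine has to handle and is outside what this page documents.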

Flags: needinfo?(jcoppeard)

(In reply to Jan de Mooij [:jandem] from comment #4)
Sounds like the same thing as bug 1889355.

I can't reproduce using this testcase but it's clear from the pernosco trace that this is the same as 1889355.

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1889355
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
Group: javascript-core-security
