Compartment mismatch with JSD: lineToPc(1, PCMAP_PRETTYPRINT)

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Reported: 8 years ago
Last modified: 8 years ago

People

(Reporter: sfink, Assigned: adrake)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [fixed-in-tracemonkey])

Attachments

(2 attachments, 2 obsolete attachments)

I was working on a fairly simple mochitest for JSD's functionHook and topLevelHook, and I made the mistake of calling jsdIScript.lineToPc with PCMAP_PRETTYPRINT, resulting in an immediate

  *** Compartment mismatch 0x7ff45b4db400 vs. 0x7ff464b53400
  Assertion failure: compartment mismatched, at /home/sfink/src/TM-singlestep/js/src/jscntxtinlines.h:541

Here's as much of the stack as gdb can do (it hits JM frames and wanders off into nonsense memory):

(gdb) bt
#0  0x0000003a504adbed in nanosleep () from /lib64/libc.so.6
#1  0x0000003a504ada7f in sleep () from /lib64/libc.so.6
#2  0x00007ff47e716744 in ah_crap_handler (signum=6) at /home/sfink/src/TM-singlestep/toolkit/xre/nsSigHandlers.cpp:132
#3  0x00007ff47e71af7f in nsProfileLock::FatalSignalHandler (signo=6, info=0x7fff09106ef0, context=0x7fff09106dc0) at nsProfileLock.cpp:226
#4  <signal handler called>
#5  0x0000003a5080f29b in raise () from /lib64/libpthread.so.0
#6  0x00007ff47db384f4 in JS_Assert (s=0x7ff47dc9e07c "compartment mismatched", file=0x7ff47dc9dee8 "/home/sfink/src/TM-singlestep/js/src/jscntxtinlines.h", ln=541) at /home/sfink/src/TM-singlestep/js/src/jsutil.cpp:83
#7  0x00007ff47d9ba943 in js::CompartmentChecker::fail (c1=0x7ff45b4db400, c2=0x7ff464b53400) at /home/sfink/src/TM-singlestep/js/src/jscntxtinlines.h:541
#8  0x00007ff47d9b0082 in JS_DecompileScript (cx=0x7ff45b2b8000, script=0x7ff4649e4a10, name=0x7ff4805691ee "ppscript", indent=4) at /home/sfink/src/TM-singlestep/js/src/jsapi.cpp:4778
#9  0x00007ff47f91c997 in jsdScript::CreatePPLineMap (this=0x7ff45ed3a160) at /home/sfink/src/TM-singlestep/js/jsd/jsd_xpc.cpp:1038
#10 0x00007ff47f91cc92 in jsdScript::PPLineToPc (this=0x7ff45ed3a160, aLine=1) at /home/sfink/src/TM-singlestep/js/jsd/jsd_xpc.cpp:1106
#11 0x00007ff47f91db35 in jsdScript::LineToPc (this=0x7ff45ed3a160, aLine=1, aPcmap=2, _rval=0x7fff091076c0) at /home/sfink/src/TM-singlestep/js/jsd/jsd_xpc.cpp:1454
#12 0x00007ff47fe6dcee in NS_InvokeByIndex_P (that=0x7ff45ed3a160, methodIndex=28, paramCount=3, params=0x7fff09107690) at /home/sfink/src/TM-singlestep/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:208
#13 0x00007ff47f62de58 in CallMethodHelper::Invoke() () from /home/sfink/src/TM-singlestep/obj/dist/bin/libxul.so
#14 0x00007ff47f62bdf1 in CallMethodHelper::Call() () from /home/sfink/src/TM-singlestep/obj/dist/bin/libxul.so
#15 0x00007ff47f627d5e in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD) at /home/sfink/src/TM-singlestep/js/src/xpconnect/src/xpcwrappednative.cpp:2312
#16 0x00007ff47f637ba8 in XPC_WN_CallMethod (cx=0x7ff4680c7c00, argc=2, vp=0x7ff4725001a8) at /home/sfink/src/TM-singlestep/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1594
#17 0x00007ff47da71cba in js::CallJSNative (cx=0x7ff4680c7c00, native=0x7ff47f637935 <XPC_WN_CallMethod(JSContext*, uintN, jsval*)>, argc=2, vp=0x7ff4725001a8) at /home/sfink/src/TM-singlestep/js/src/jscntxtinlines.h:684
#18 0x00007ff47dc4599e in js::mjit::stubs::UncachedCallHelper (f=..., argc=2, ucr=0x7fff09107ac0) at /home/sfink/src/TM-singlestep/js/src/methodjit/InvokeHelpers.cpp:491
#19 0x00007ff47dc456e8 in js::mjit::stubs::UncachedCall (f=..., argc=2) at /home/sfink/src/TM-singlestep/js/src/methodjit/InvokeHelpers.cpp:441
#20 0x00007ff47c01173f in ?? ()
#21 0x00007ff47c01a638 in ?? ()
#22 0x0000000000000000 in ?? ()

and here's a more complete stack dump, depending on the frame pointer, starting at real frame 3:

(gdb) dumbbt
Frame 0: 0x7fff09106db0 .. 0x7fff09106cf0 = 0x7ff47e71af7f <nsProfileLock::FatalSignalHandler(int, siginfo_t*, void*)+465>
Frame 1: 0x7fff09107260 .. 0x7fff09106db0 = 0x3a5080f3c0 <__restore_rt>
Frame 2: 0x7fff09107280 .. 0x7fff09107260 = 0x7ff47d9ba943 <js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)+68>
Frame 3: 0x7fff091072f0 .. 0x7fff09107280 = 0x7ff47d9b0082 <JS_DecompileScript(JSContext*, JSScript*, char const*, uintN)+252>
Frame 4: 0x7fff09107420 .. 0x7fff091072f0 = 0x7ff47f91c997 <jsdScript::CreatePPLineMap()+665>
Frame 5: 0x7fff09107450 .. 0x7fff09107420 = 0x7ff47f91cc92 <jsdScript::PPLineToPc(PRUint32)+40>
Frame 6: 0x7fff09107490 .. 0x7fff09107450 = 0x7ff47f91db35 <jsdScript::LineToPc(PRUint32, PRUint32, PRUint32*)+127>
Frame 7: 0x7fff09107570 .. 0x7fff09107490 = 0x7ff47fe6dcee <NS_InvokeByIndex_P(nsISupports*, PRUint32, PRUint32, nsXPTCVariant*)+454>
Frame 8: 0x7fff091075d0 .. 0x7fff09107570 = 0x7ff47f62de58 <CallMethodHelper::Invoke()+120>
Frame 9: 0x7fff09107600 .. 0x7fff091075d0 = 0x7ff47f62bdf1 <CallMethodHelper::Call()+303>
Frame 10: 0x7fff09107860 .. 0x7fff09107600 = 0x7ff47f627d5e <XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)+674>
Frame 11: 0x7fff091079e0 .. 0x7fff09107860 = 0x7ff47f637ba8 <XPC_WN_CallMethod(JSContext*, uintN, jsval*)+627>
Frame 12: 0x7fff09107a40 .. 0x7fff091079e0 = 0x7ff47da71cba <js::CallJSNative(JSContext*, js::Native, uintN, js::Value*)+106>
Frame 13: 0x7fff09107aa0 .. 0x7fff09107a40 = 0x7ff47dc4599e <js::mjit::stubs::UncachedCallHelper(js::VMFrame&, uint32, js::mjit::stubs::UncachedCallResult*)+381>
Frame 14: 0x7fff09107ae0 .. 0x7fff09107aa0 = 0x7ff47dc456e8 <js::mjit::stubs::UncachedCall(js::VMFrame&, uint32)+36>
Frame 15: 0x7fff09107b70 .. 0x7fff09107ae0 = 0x7ff47c01173f
Frame 16: 0x7fff09107bf0 .. 0x7fff09107b70 = 0x7ff47dbddfc3 <js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*)+231>
Frame 17: 0x7fff09107c40 .. 0x7fff09107bf0 = 0x7ff47dbde0d8 <CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*)+129>
Frame 18: 0x7fff09107c90 .. 0x7fff09107c40 = 0x7ff47dbde1b4 <js::mjit::JaegerShot(JSContext*)+213>
Frame 19: 0x7fff09107cf0 .. 0x7fff09107c90 = 0x7ff47da7518e <js::RunScript(JSContext*, JSScript*, JSStackFrame*)+221>
Frame 20: 0x7fff09107dd0 .. 0x7fff09107cf0 = 0x7ff47da7567f <js::Invoke(JSContext*, js::CallArgs const&, uint32)+1206>
Frame 21: 0x7fff09107e60 .. 0x7fff09107dd0 = 0x7ff47da75d10 <js::ExternalInvoke(JSContext*, js::Value const&, js::Value const&, uintN, js::Value*, js::Value*)+363>
Frame 22: 0x7fff09107ec0 .. 0x7fff09107e60 = 0x7ff47d993bb8 <js::ExternalInvoke(JSContext*, JSObject*, js::Value const&, uintN, js::Value*, js::Value*)+88>
Frame 23: 0x7fff09107f60 .. 0x7fff09107ec0 = 0x7ff47d9b1037 <JS_CallFunctionValue(JSContext*, JSObject*, jsval, uintN, jsval*, jsval*)+351>
Frame 24: 0x7fff09108640 .. 0x7fff09107f60 = 0x7ff47f61e91e <nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, uint16, XPTMethodDescriptor const*, nsXPTCMiniVariant*)+5464>
Frame 25: 0x7fff091086b0 .. 0x7fff09108640 = 0x7ff47f61521e <nsXPCWrappedJS::CallMethod(PRUint16, XPTMethodDescriptor const*, nsXPTCMiniVariant*)+354>
Frame 26: 0x7fff09108810 .. 0x7fff091086b0 = 0x7ff47fe6e1c9 <PrepareAndDispatch(nsXPTCStubBase*, PRUint32, PRUint64*, PRUint64*, double*)+1185>
Frame 27: 0x7fff09108890 .. 0x7fff09108810 = 0x7ff47fe6e25d <SharedStub+91>
Frame 28: 0x7fff09108920 .. 0x7fff09108890 = 0x7ff47f91afc4 <jsds_CallHookProc(JSDContext*, JSDThreadState*, uintN, void*)+490>
Frame 29: 0x7fff09108980 .. 0x7fff09108920 = 0x7ff47f911914 <jsd_CallCallHook+100>
Frame 30: 0x7fff09108a30 .. 0x7fff09108980 = 0x7ff47f916278 <_callHook+1348>
Frame 31: 0x7fff09108ab0 .. 0x7fff09108a30 = 0x7ff47f9164a5 <jsd_TopLevelCallHook+251>
Frame 32: 0x7fff09108ba0 .. 0x7fff09108ab0 = 0x7ff47da764ef <js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, uintN, js::Value*)+1556>
Frame 33: 0x7fff09108c40 .. 0x7fff09108ba0 = 0x7ff47d9b07bd <JS_EvaluateUCScriptForPrincipals(JSContext*, JSObject*, JSPrincipals*, jschar const*, uintN, char const*, uintN, jsval*)+417>
Frame 34: 0x7fff09108cc0 .. 0x7fff09108c40 = 0x7ff47d9b0605 <JS_EvaluateUCScriptForPrincipalsVersion(JSContext*, JSObject*, JSPrincipals*, jschar const*, uintN, char const*, uintN, jsval*, JSVersion)+110>
Frame 35: 0x7fff09108e50 .. 0x7fff09108cc0 = 0x7ff47f06dc4c <nsJSContext::EvaluateString(nsAString_internal const&, void*, nsIPrincipal*, char const*, PRUint32, PRUint32, nsAString_internal*, PRBool*)+1542>
Frame 36: 0x7fff09108fb0 .. 0x7fff09108e50 = 0x7ff47edbcf1f <nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, nsAFlatString const&)+969>
Frame 37: 0x7fff091090f0 .. 0x7fff09108fb0 = 0x7ff47edbc845 <nsScriptLoader::ProcessRequest(nsScriptLoadRequest*)+707>
Frame 38: 0x7fff09109130 .. 0x7fff091090f0 = 0x7ff47edbd312 <nsScriptLoader::ProcessPendingRequests()+490>
Frame 39: 0x7fff09109190 .. 0x7fff09109130 = 0x7ff47edbdf4b <nsScriptLoader::OnStreamComplete(nsIStreamLoader*, nsISupports*, nsresult, PRUint32, PRUint8 const*)+471>
Frame 40: 0x7fff091091f0 .. 0x7fff09109190 = 0x7ff47e795713 <nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult)+169>
Frame 41: 0x7fff09109240 .. 0x7fff091091f0 = 0x7ff47e747be4 <nsBaseChannel::OnStopRequest(nsIRequest*, nsISupports*, nsresult)+166>
Frame 42: 0x7fff09109280 .. 0x7fff09109240 = 0x7ff47e75ce38 <nsInputStreamPump::OnStateStop()+288>
Frame 43: 0x7fff091092b0 .. 0x7fff09109280 = 0x7ff47e75c6d2 <nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)+158>
Frame 44: 0x7fff091092e0 .. 0x7fff091092b0 = 0x7ff47fe22e75 <nsInputStreamReadyEvent::Run()+121>
Frame 45: 0x7fff091093c0 .. 0x7fff091092e0 = 0x7ff47fe4e3fc <nsThread::ProcessNextEvent(PRBool, PRBool*)+1006>
Frame 46: 0x7fff09109400 .. 0x7fff091093c0 = 0x7ff47fdd7fb4 <NS_ProcessNextEvent_P(nsIThread*, PRBool)+122>
Frame 47: 0x7fff09109470 .. 0x7fff09109400 = 0x7ff47fc1d94a <mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+336>
Frame 48: 0x7fff091094b0 .. 0x7fff09109470 = 0x7ff47feb7f13 <MessageLoop::RunInternal()+121>
Frame 49: 0x7fff091094d0 .. 0x7fff091094b0 = 0x7ff47feb7e98 <MessageLoop::RunHandler()+24>
Frame 50: 0x7fff09109510 .. 0x7fff091094d0 = 0x7ff47feb7e29 <MessageLoop::Run()+43>
Frame 51: 0x7fff09109540 .. 0x7fff09109510 = 0x7ff47fab729d <nsBaseAppShell::Run()+105>
Frame 52: 0x7fff09109570 .. 0x7fff09109540 = 0x7ff47f7fe01d <nsAppStartup::Run()+123>
Frame 53: 0x7fff09109eb0 .. 0x7fff09109570 = 0x7ff47e70818a <XRE_main(int, char**, nsXREAppData const*)+12212>
Frame 54: 0x7fff09109f60 .. 0x7fff09109eb0 = 0x401d0c <main(int, char**)+814>
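The two stack dumps above are the whole diagnostic record for this bug, and the same `*** Compartment mismatch ... vs. ...` banner followed by a `CompartmentChecker::fail` frame shows up in every report of this class. What a triager wants out of such a log is the two JSCompartment pointers, a check that the banner and the assert frame agree, and the public JSAPI entry point (`JS_*`) whose caller handed it an object from the wrong compartment, here `JS_DecompileScript` called from `jsdScript::CreatePPLineMap`. The Python below is an added example, not code from this bug or from the Mozilla tree; its sample input is a handful of lines copied from the backtrace in comment 0, and the `Frame` and `Mismatch` names are the example's own.

```python
# Added triage helper (not code from the bug or the Mozilla tree): parse a
# SpiderMonkey "Compartment mismatch" crash log made of the assert banner plus
# gdb `bt` frames, and report which JSAPI call crossed compartments.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the backtrace in comment 0 of this bug.
SAMPLE_CRASH_LOG = """\
  *** Compartment mismatch 0x7ff45b4db400 vs. 0x7ff464b53400
  Assertion failure: compartment mismatched, at /home/sfink/src/TM-singlestep/js/src/jscntxtinlines.h:541
#5  0x0000003a5080f29b in raise () from /lib64/libpthread.so.0
#6  0x00007ff47db384f4 in JS_Assert (s=0x7ff47dc9e07c "compartment mismatched", file=0x7ff47dc9dee8 "/home/sfink/src/TM-singlestep/js/src/jscntxtinlines.h", ln=541) at /home/sfink/src/TM-singlestep/js/src/jsutil.cpp:83
#7  0x00007ff47d9ba943 in js::CompartmentChecker::fail (c1=0x7ff45b4db400, c2=0x7ff464b53400) at /home/sfink/src/TM-singlestep/js/src/jscntxtinlines.h:541
#8  0x00007ff47d9b0082 in JS_DecompileScript (cx=0x7ff45b2b8000, script=0x7ff4649e4a10, name=0x7ff4805691ee "ppscript", indent=4) at /home/sfink/src/TM-singlestep/js/src/jsapi.cpp:4778
#20 0x00007ff47c01173f in ?? ()
"""

# "#N  0xADDR in func (args) at file:line" (or "from lib"); the address is
# optional because gdb omits it for the innermost frame when source is known.
FRAME_RE = re.compile(r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?"
                      r"(?P<func>\S.*?)\s*\((?P<args>.*)\)(?:\s+(?:at|from)\s+(?P<loc>\S+))?\s*$")
BANNER_RE = re.compile(r"\*\*\* Compartment mismatch (0x[0-9a-fA-F]+) vs\. (0x[0-9a-fA-F]+)")

@dataclass
class Frame:
    num: int
    func: str
    args: Dict[str, str] = field(default_factory=dict)
    loc: Optional[str] = None

@dataclass
class Mismatch:
    c1: str                     # JSCompartment* pair from CompartmentChecker::fail
    c2: str
    fail_frame: int
    entry_point: Optional[str]  # nearest public JSAPI (JS_*) frame outward from fail
    entry_args: Dict[str, str] = field(default_factory=dict)

def _split_top_level(s: str) -> List[str]:
    """Split on commas outside quotes and outside (), <>, [] nesting."""
    parts, cur, depth, quote = [], [], 0, None
    for ch in s:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch in "(<[":
            depth += 1
        elif ch in ")>]":
            depth -= 1
        elif ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    return parts + ([tail] if tail else [])

def _parse_args(text: str) -> Dict[str, str]:
    pairs = (p.partition("=") for p in _split_top_level(text))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def _norm(ptr: str) -> str:
    return hex(int(ptr, 16))  # canonical lowercase, no leading zeros

def parse_backtrace(text: str) -> List[Frame]:
    frames = []
    for line in (l.strip() for l in text.splitlines()):
        if not line.startswith("#"):
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["num"]), m["func"], _parse_args(m["args"]), m["loc"]))
        else:  # e.g. "#4  <signal handler called>": keep the text, no args
            num, _, rest = line[1:].partition(" ")
            frames.append(Frame(int(num), rest.strip()))
    return frames

def parse_mismatch_banner(text: str) -> Optional[Tuple[str, str]]:
    m = BANNER_RE.search(text)
    return (_norm(m.group(1)), _norm(m.group(2))) if m else None

def find_compartment_mismatch(frames: List[Frame]) -> Optional[Mismatch]:
    fail = next((f for f in frames if f.func.endswith("CompartmentChecker::fail")), None)
    if fail is None:
        return None
    # gdb numbers frames inner to outer, so the first JS_* frame with a higher
    # number is the API boundary crossed with an object from another compartment.
    outer = sorted((f for f in frames if f.num > fail.num), key=lambda f: f.num)
    entry = next((f for f in outer if f.func.startswith("JS_")), None)
    return Mismatch(_norm(fail.args["c1"]), _norm(fail.args["c2"]), fail.num,
                    entry.func if entry else None, dict(entry.args) if entry else {})

def analyze(text: str) -> Optional[Mismatch]:
    """Parse the log and cross-check the assert frame against the banner."""
    result = find_compartment_mismatch(parse_backtrace(text))
    banner = parse_mismatch_banner(text)
    if result and banner and (result.c1, result.c2) != banner:
        raise ValueError("banner and CompartmentChecker::fail frame disagree")
    return result
```

`analyze(SAMPLE_CRASH_LOG)` reports the pair `0x7ff45b4db400` / `0x7ff464b53400` and `JS_DecompileScript` as the crossing point, with the `cx` and `script` arguments preserved for bucketing. The banner cross-check is there because the two values come from different code paths (the printf before the assert and the frame arguments gdb reconstructs); if they disagree, the frame is probably mis-unwound, which is exactly the situation the "wanders off into nonsense memory" remark describes. CompartmentChecker runs only in debug builds, so a log like this is the only place the mismatch is visible; in a release build the same call goes through unchecked.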
Created attachment 496428
Mochitest that triggers compartment mismatch from script.lineToPc(1, PCMAP_PRETTYPRINT)

This is a mochitest that triggers the bug. It could be simplified, since it was really written for another purpose, but it's pretty small already.

I have not yet tried installing it and using it as a proper mochitest. It ought to work. But just in case, these are my current exact steps to reproduce:

1. Within <srcdir>/js/jsd/test:
  ln -s ../../../testing/mochitest/MochiKit
  ln -s ../../../testing/mochitest/tests
2. Start minefield
3. Navigate to file://<srcdir>/js/jsd/test/test_bug617870-callhooks.html
4. Allow it to have permissions
5. Examine the wreckage
Blocks: 563000
(Assignee)

Comment 2

8 years ago
Created attachment 497456
Proposed patch v0

Add a cross-compartment call in the right spot in JSD. Fixes both of the above test cases, assuming the "fixed" condition for the reduced mochitest is not crashing, rather than an actual successful test. The FBTest succeeds as expected.
Assignee: general → adrake
Status: NEW → ASSIGNED
(Assignee)

Comment 3

8 years ago
Created attachment 497589
Proposed patch v1

Covers an additional case masked by 609141.
Attachment #497456 - Attachment is obsolete: true
(Assignee)

Updated

8 years ago
Depends on: 614131
(Assignee)

Comment 4

8 years ago
Comment on attachment 497589
Proposed patch v1

Patch merged into 614131.
Attachment #497589 - Attachment is obsolete: true
Created attachment 498002
Do proper cross-compartment calls for JSD

This bug, bug 614131, and 609141 have gotten rather tangled up at this point. I am stealing an r+'ed patch from 614131 and putting it here, because it does not fix the problem in bug 614131 and there's useful info in that bug. The patch resolves the problem in this bug, but is really mainly a fix for the problems remaining from bug 609141 (which has already been marked as resolved).
http://hg.mozilla.org/tracemonkey/rev/6539f1fcda72

Not marking as resolved until I get the test case in, too.
Whiteboard: [fixed-in-tracemonkey]
http://hg.mozilla.org/mozilla-central/rev/6539f1fcda72
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED