Crash [@ PushMarkStack] or [@ js::GCMarker::processMarkStackTop] or Assertion failure: IsObjectValueInCompartment(value, compartment()), at vm/ObjectImpl.h

Status: RESOLVED DUPLICATE of bug 952885
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reporter: gkw
Assignee: Unassigned
Blocks: 1 bug
Version: Trunk
Platform: x86_64
OS: All
Keywords: assertion, crash, regression, testcase
Firefox Tracking Flags: (Not tracked)
Whiteboard: [fuzzblocker][jsbugmon:update]
Attachments: 2

(Reporter)

Description

4 years ago
Created attachment 8350457: lldb stack

evaluate('', {
    global: newGlobal(),
    element: {}
})

asserts js debug shell on m-c changeset eabe3f50b083 without any CLI arguments at Assertion failure: IsObjectValueInCompartment(value, compartment()), at vm/ObjectImpl.h

My configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --with-ccache --disable-threadsafe

Full credit for this goes to :jimb who mentioned this to us and Jesse then put support for this into jsfunfuzz.
(Reporter)

Updated

4 years ago
Component: JavaScript Engine: JIT → JavaScript Engine
(Reporter)

Comment 1

4 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/a15ba1bc98c5
user:        Eddy Bruel
date:        Thu Nov 21 13:25:15 2013 -0800
summary:     Bug 637572: Implement Debugger.Source.prototype.element (v7) r=sfink

Eddy, is bug 637572 a likely regressor?
Flags: needinfo?(ejpbruel)
(Reporter)

Updated

4 years ago
Blocks: 637572
OS: Mac OS X → All
(Reporter)

Comment 2

4 years ago
for (f in ["", ""])
for (f in ["", "", ""])

function f(code) {
    Function(code)()
}

f("\
    x = {};\
    evaluate(\"[]\", ({\
        global: evalcx(''),\
        element: x,\
    }))\
");
f("\
    x = schedulegc(Set);\
    gc('compartment');\
")

This testcase asserts similarly, but crashes the opt shell at PushMarkStack (when compiled with --enable-exact-rooting).

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-exact-rooting --enable-elf-hack --enable-stdcxx-compat --enable-warnings-as-errors --enable-signmar --disable-elf-hack --enable-js-diagnostics --with-intl-api=build --enable-ctypes --disable-shared-js --enable-jemalloc --with-ccache --enable-threadsafe <other NSPR flags>
Keywords: crash
Summary: Assertion failure: IsObjectValueInCompartment(value, compartment()), at vm/ObjectImpl.h → Crash [@ PushMarkStack] or Assertion failure: IsObjectValueInCompartment(value, compartment()), at vm/ObjectImpl.h
(Reporter)

Comment 3

4 years ago
Created attachment 8351056: stack for testcase in comment 2
(Reporter)

Updated

4 years ago
Crash Signature: [@ PushMarkStack] [@ js::GCMarker::processMarkStackTop]
Summary: Crash [@ PushMarkStack] or Assertion failure: IsObjectValueInCompartment(value, compartment()), at vm/ObjectImpl.h → Crash [@ PushMarkStack] or [@ js::GCMarker::processMarkStackTop] or Assertion failure: IsObjectValueInCompartment(value, compartment()), at vm/ObjectImpl.h
(Reporter)

Comment 4

4 years ago
I have seen quite a few GC-related crash signatures associated with "element:" - may have to suspend fuzzing it if this is not fixed soon, as it hides other GC bugs.
Flags: needinfo?(jimb)
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Comment 5

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1)
> autoBisect shows this is probably related to the following changeset:
> 
> The first bad revision is:
> changeset:   http://hg.mozilla.org/mozilla-central/rev/a15ba1bc98c5
> user:        Eddy Bruel
> date:        Thu Nov 21 13:25:15 2013 -0800
> summary:     Bug 637572: Implement Debugger.Source.prototype.element (v7)
> r=sfink
> 
> Eddy, is bug 637572 a likely regressor?

Hard to tell for sure, but I'd say it's definitely possible.

Comment 6

4 years ago
I'm pretty sure this is because we're trying to provide elements in one compartment for compilations in a different compartment. Marking dup.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(jimb)
Resolution: --- → DUPLICATE
Duplicate of bug: 952885
Clearing the needinfo on this bug since it's been marked as resolved.
Flags: needinfo?(ejpbruel)
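The explanation in comment 6 is that the `element` object comes from one compartment while the script it is attached to is compiled in another, so an object-valued slot ends up holding a raw pointer into a foreign compartment, which is exactly what the IsObjectValueInCompartment assertion guards against and what the GC's mark stack later trips over. The following is an added toy model of that invariant, written for this page; it is not SpiderMonkey source, and the names Compartment, Object, wrap, storeObjectSlot, storeElementWithoutWrapper, storeElementWithWrapper and wrapperIsCached are invented for the illustration. It shows the check rejecting the unwrapped store that the testcases in the description and comment 2 provoke, and accepting the same store once the value goes through a cross-compartment wrapper.

```cpp
#include <cassert>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

struct Compartment;

// A heap object. Object-valued slots are the edges a GC marks; the invariant
// modelled here (names invented for this example) is that every such edge
// stays inside the holder's compartment unless it goes through a wrapper.
struct Object {
    Compartment* compartment;    // compartment this object was allocated in
    Object* wrapped = nullptr;   // set when this object is a cross-compartment wrapper
    std::vector<Object*> slots;  // object-valued slots
    explicit Object(Compartment* c) : compartment(c) {}
};

struct Compartment {
    std::vector<std::unique_ptr<Object>> objects;
    // foreign object -> wrapper living in this compartment (the wrapper map)
    std::vector<std::pair<Object*, Object*>> wrappers;

    Object* newObject() {
        objects.push_back(std::make_unique<Object>(this));
        return objects.back().get();
    }

    // Return something safe to store from this compartment: the object itself
    // if it already lives here, otherwise its (cached) cross-compartment wrapper.
    Object* wrap(Object* target) {
        if (target->compartment == this) return target;
        for (auto& entry : wrappers)
            if (entry.first == target) return entry.second;
        Object* w = newObject();
        w->wrapped = target;
        wrappers.emplace_back(target, w);
        return w;
    }
};

// Model of the assertion named in the bug title: an object value stored in an
// object must belong to that object's compartment.
static bool isObjectValueInCompartment(const Object* value, const Compartment* c) {
    return value->compartment == c;
}

// Store 'value' into a slot of 'holder'. A debug build would assert here; this
// model returns false so the violation can be observed without aborting.
static bool storeObjectSlot(Object* holder, Object* value) {
    if (!isObjectValueInCompartment(value, holder->compartment)) return false;
    holder->slots.push_back(value);
    return true;
}

// The shape of the testcase: 'element' is created in the caller's compartment
// (b) while the script it is attached to is compiled in a new global's
// compartment (a).
static bool storeElementWithoutWrapper() {
    Compartment a, b;
    Object* script = a.newObject();
    Object* element = b.newObject();
    return storeObjectSlot(script, element);  // false: raw cross-compartment edge
}

static bool storeElementWithWrapper() {
    Compartment a, b;
    Object* script = a.newObject();
    Object* element = b.newObject();
    return storeObjectSlot(script, a.wrap(element));  // true: edge goes via wrapper
}

// Wrapping the same foreign object twice must yield the same wrapper object.
static bool wrapperIsCached() {
    Compartment a, b;
    Object* element = b.newObject();
    Object* w1 = a.wrap(element);
    Object* w2 = a.wrap(element);
    return w1 == w2 && w1->wrapped == element && w1->compartment == &a;
}

int main() {
    std::printf("unwrapped store passes check: %s\n", storeElementWithoutWrapper() ? "yes" : "no");
    std::printf("wrapped store passes check:   %s\n", storeElementWithWrapper() ? "yes" : "no");
    std::printf("wrapper cached:               %s\n", wrapperIsCached() ? "yes" : "no");
    return 0;
}
```

The model deliberately returns false instead of aborting so the two cases can be compared in one run; in a debug shell the first case is the assertion in the bug title, and in an opt shell the same unchecked edge is what the mark-stack crash signatures reflect.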