Closed Bug 1461319 Opened 7 years ago Closed 7 years ago

Assertion failure: MaybeForwarded(frameobj.get())->getPrivate(), at js/src/vm/Debugger.cpp:3200

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla62
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 --- unaffected
firefox62 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision a7461494a7a0 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe):

gczeal(14);
var g = newGlobal();
g.eval('function f(a) { evaluate("f(" + " - 1);", {newContext: true}); }');
var dbg = new Debugger(g);
dbg.onEnterFrame = function(frame) {};
g.f();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0 0x08716f76 in js::Debugger::trace (this=0xf6e21800, trc=0xf63f9a3c) at js/src/vm/Debugger.cpp:3200
#1 0x087bd444 in js::Class::doTrace (this=<optimized out>, obj=0xf5b6b160, trc=0xf63f9a3c) at dist/include/js/Class.h:869
#2 JSObject::traceChildren (this=0xf5b6b160, trc=0xf63f9a3c) at js/src/vm/JSObject.cpp:4005
#3 0x08b01134 in UpdateCellPointers<JSObject> (cell=0xf5b6b160, trc=0xf63f99b8) at js/src/gc/GC.cpp:2592
#4 UpdateArenaPointersTyped<JSObject> (trc=trc@entry=0xf63f9a38, arena=arena@entry=0xf5b6b000) at js/src/gc/GC.cpp:2600
#5 0x08b0120a in UpdateArenaPointers (arena=0xf5b6b000, trc=0xf63f9a38) at js/src/gc/GC.cpp:2616
#6 js::gc::UpdatePointersTask::updateArenas (this=0xfffc23bc) at js/src/gc/GC.cpp:2738
#7 0x08b018ba in js::gc::UpdatePointersTask::run (this=0xfffc23bc) at js/src/gc/GC.cpp:2748
#8 0x0878526d in js::GCParallelTask::runTask (this=0xfffc23bc) at js/src/gc/GCParallelTask.h:127
#9 js::GCParallelTask::runFromHelperThread (this=0xfffc23bc, lock=...) at js/src/vm/HelperThreads.cpp:1586
[...]
eax 0x0 0
ebx 0x8ea4000 149569536
ecx 0xf7d9f864 -136710044
edx 0x0 0
esi 0xf63f990c -163604212
edi 0xf5833040 -175951808
ebp 0xf63f9948 4131363144
esp 0xf63f98e0 4131363040
eip 0x8716f76 <js::Debugger::trace(JSTracer*)+278>
=> 0x8716f76 <js::Debugger::trace(JSTracer*)+278>: movl $0x0,0x0
   0x8716f80 <js::Debugger::trace(JSTracer*)+288>: ud2

Only reproduces on 32-bit for me.
Assignee: nobody → jcoppeard
Attached patch bug1461319-frame-trace (deleted) — Splinter Review
Patch to fix a couple of places we access the shape of an associated object in the debugger object trace hook. This is just caused by an assertion so I don't think there's any security impact here.
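The failure mode described in this comment is the classic stale-pointer hazard of a compacting (moving) GC: while the pointer-update phase is running, a trace hook for one object may touch a second, associated object whose own pointer fields have not been updated yet, so that object's shape pointer can still point at the old, moved location. The following toy model, added here as an illustration and not taken from SpiderMonkey or from the attached patch, simulates a shape being moved with a forwarding pointer left behind, then shows a trace hook reading the associated object's fixed-slot count both through the stale pointer and through a `MaybeForwarded`-style accessor. All types, names and the poison value are constructed for the example; only the idea (resolve a possibly-forwarded cell before dereferencing it) mirrors the bug's fix.

```cpp
// Toy model of a compacting GC with forwarding pointers (constructed example,
// not SpiderMonkey code). Demonstrates why a trace hook must not read another
// object's shape directly during the pointer-update phase.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

struct Cell {
    bool forwarded = false;
    Cell* forwardTo = nullptr;   // set by the GC once the cell has been moved
};

struct Shape : Cell {
    uint32_t numFixedSlots;
    explicit Shape(uint32_t n) : numFixedSlots(n) {}
};

struct Object : Cell {
    Shape* shape;
    Object* associated;          // e.g. a debuggee frame object held by a Debugger
    explicit Object(Shape* s) : shape(s), associated(nullptr) {}
    // Unsafe on an object other than the one being traced: its shape pointer
    // may not have been updated yet.
    uint32_t numFixedSlots() const { return shape->numFixedSlots; }
};

// Follow the forwarding pointer if the GC has already moved this cell.
template <typename T>
T* MaybeForwarded(T* cell) {
    return cell->forwarded ? static_cast<T*>(cell->forwardTo) : cell;
}

// Hardened accessor analogous in spirit to the patch's
// numFixedSlotsMaybeForwarded(): safe to call on an associated object whose
// shape pointer may be stale.
uint32_t numFixedSlotsMaybeForwarded(const Object* obj) {
    return MaybeForwarded(obj->shape)->numFixedSlots;
}

// Simulate the GC moving a Shape. The old cell becomes a forwarding stub whose
// payload is poisoned, so any read through a stale pointer is visibly wrong.
Shape* moveShape(Shape* old, std::vector<std::unique_ptr<Shape>>& heap) {
    heap.push_back(std::make_unique<Shape>(old->numFixedSlots));
    Shape* fresh = heap.back().get();
    old->forwarded = true;
    old->forwardTo = fresh;
    old->numFixedSlots = 0xDEADBEEFu;   // constructed poison value
    return fresh;
}

struct ScenarioResult {
    uint32_t naive;   // value read through the stale shape pointer
    uint32_t safe;    // value read after resolving the forwarding pointer
};

// A debugger-like object traces and touches its associated frame object after
// the frame's shape has moved but before the frame's own fields were updated.
ScenarioResult runScenario() {
    std::vector<std::unique_ptr<Shape>> shapeHeap;
    shapeHeap.push_back(std::make_unique<Shape>(4));
    Shape* shape = shapeHeap.back().get();

    Object frame(shape);
    Object debugger(shape);
    debugger.associated = &frame;

    moveShape(shape, shapeHeap);   // compacting phase moves the shape

    // Trace hook for `debugger` reads the associated frame's slot count.
    uint32_t naive = debugger.associated->numFixedSlots();            // stale
    uint32_t safe = numFixedSlotsMaybeForwarded(debugger.associated); // correct
    return {naive, safe};
}

int main() {
    ScenarioResult r = runScenario();
    std::printf("naive read: 0x%08x, forwarded-aware read: %u\n", r.naive, r.safe);
    return r.safe == 4 ? 0 : 1;
}
```

The naive read returns the poison value because it dereferences the old shape cell; the forwarded-aware read returns the real slot count. In a real engine the old cell's memory is typically reused or unmapped, which is why the debug build in this bug asserts rather than silently reading garbage.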
Attachment #8975526 - Flags: review?(sphink)
Comment on attachment 8975526 [details] [diff] [review] bug1461319-frame-trace Review of attachment 8975526 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/vm/NativeObject.h @@ +742,5 @@ > // Get the number of fixed slots when the shape pointer may have been > + // forwarded by a moving GC. You need to use this rather that > + // numFixedSlots() in a trace hook if you access an object that is not the > + // object being traced, since it may have a stale shape pointer. > + inline uint32_t numFixedSlotsMaybeForwarded() const; That's a very useful comment update, thanks!
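Review bot: the new comment above the numFixedSlotsMaybeForwarded() declaration has a typo, "rather that numFixedSlots()" should read "rather than numFixedSlots()"; worth fixing in the same patch since the comment is the documentation callers will rely on. It would also help to say in that comment that the accessor resolves the shape through MaybeForwarded() before reading it, so that readers of the header know it is the variant to use from a trace hook during a moving GC.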
Attachment #8975526 - Flags: review?(sphink) → review+
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/4b6c733447b8 Fix assertion failure accessing shape of associated object when tracing debugger object in a moving GC r=sfink
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62