Closed
Bug 1473957
Opened 6 years ago
Closed 6 years ago
Assertion failure: cx->compartment() != untaggedReferent->compartment(), at js/src/vm/Debugger.cpp:5271
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla63
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox61 | --- | unaffected |
| firefox62 | --- | unaffected |
| firefox63 | --- | fixed |
People
(Reporter: decoder, Assigned: jandem)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
The following testcase crashes on mozilla-central revision cc3401e78e8b (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe min.js):
var g1 = newGlobal({
sameCompartmentAs: this
});
var dbg = new Debugger();
var dg1 = dbg.addDebuggee(g1);
scripts = dbg.findScripts({});
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000000000b6b0d0 in js::Debugger::wrapVariantReferent<mozilla::Variant<JSScript*, js::WasmInstanceObject*>, JSScript*, js::DebuggerWeakMap<JSScript*, false> > (this=this@entry=0x7ffff5f4c800, cx=cx@entry=0x7ffff5f17000, map=..., key=..., key@entry=..., referent=...) at js/src/vm/Debugger.cpp:5271
#0 0x0000000000b6b0d0 in js::Debugger::wrapVariantReferent<mozilla::Variant<JSScript*, js::WasmInstanceObject*>, JSScript*, js::DebuggerWeakMap<JSScript*, false> > (this=this@entry=0x7ffff5f4c800, cx=cx@entry=0x7ffff5f17000, map=..., key=..., key@entry=..., referent=...) at js/src/vm/Debugger.cpp:5271
#1 0x0000000000b37c89 in js::Debugger::wrapVariantReferent (this=this@entry=0x7ffff5f4c800, cx=0x7ffff5f17000, referent=..., referent@entry=...) at js/src/vm/Debugger.cpp:5304
#2 0x0000000000b38bbd in js::Debugger::wrapScript (this=this@entry=0x7ffff5f4c800, cx=<optimized out>, script=...) at js/src/vm/Debugger.cpp:5320
#3 0x0000000000b3a069 in js::Debugger::findScripts (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:4745
#4 0x00000000005bbc67 in CallJSNative (cx=0x7ffff5f17000, native=0xb39a30 <js::Debugger::findScripts(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:443
#5 0x00000000005b0547 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:531
#6 0x00000000005b0b6d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:582
#7 0x00000000005a3a47 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:588
#8 Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3195
#9 0x00000000005b0066 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:423
#10 0x00000000005b33cd in js::ExecuteKernel (cx=<optimized out>, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:771
#11 0x00000000005b3789 in js::Execute (cx=<optimized out>, cx@entry=0x7ffff5f17000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:804
#12 0x0000000000a39e62 in ExecuteScript (cx=0x7ffff5f17000, scope=scope@entry=..., script=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4656
#13 0x0000000000a4b758 in JS_ExecuteScript (cx=<optimized out>, cx@entry=0x7ffff5f17000, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4689
#14 0x000000000043071e in RunFile (compileOnly=false, file=<optimized out>, filename=<optimized out>, cx=0x7ffff5f17000) at js/src/shell/js.cpp:847
#15 Process (cx=0x7ffff5f17000, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:1317
#16 0x000000000043162f in ProcessArgs (cx=<optimized out>, op=op@entry=0x7fffffffe4d0) at js/src/shell/js.cpp:8593
#17 0x00000000004438e5 in Shell (envp=<optimized out>, op=0x7fffffffe4d0, cx=<optimized out>) at js/src/shell/js.cpp:8983
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9461
rax 0x0 0
rbx 0x7ffff5f4ca28 140737319848488
rcx 0x7ffff6c212dd 140737333301981
rdx 0x0 0
rsi 0x7ffff6ef0770 140737336248176
rdi 0x7ffff6eef540 140737336243520
rbp 0x7fffffffd0b0 140737488343216
rsp 0x7fffffffcfa0 140737488342944
r8 0x7ffff6ef0770 140737336248176
r9 0x7ffff7fe4780 140737354024832
r10 0x58 88
r11 0x7ffff6b977a0 140737332737952
r12 0x7fffffffd198 140737488343448
r13 0x7ffff5f17000 140737319628800
r14 0x7fffffffd108 140737488343304
r15 0x7ffff5f4c800 140737319847936
rip 0xb6b0d0 <js::Debugger::wrapVariantReferent<mozilla::Variant<JSScript*, js::WasmInstanceObject*>, JSScript*, js::DebuggerWeakMap<JSScript*, false> >(JSContext*, js::DebuggerWeakMap<JSScript*, false>&, JS::Handle<js::CrossCompartmentKey>, JS::Handle<mozilla::Variant<JSScript*, js::WasmInstanceObject*> >)+1424>
=> 0xb6b0d0 <js::Debugger::wrapVariantReferent<mozilla::Variant<JSScript*, js::WasmInstanceObject*>, JSScript*, js::DebuggerWeakMap<JSScript*, false> >(JSContext*, js::DebuggerWeakMap<JSScript*, false>&, JS::Handle<js::CrossCompartmentKey>, JS::Handle<mozilla::Variant<JSScript*, js::WasmInstanceObject*> >)+1424>: movl $0x0,0x0
0xb6b0db <js::Debugger::wrapVariantReferent<mozilla::Variant<JSScript*, js::WasmInstanceObject*>, JSScript*, js::DebuggerWeakMap<JSScript*, false> >(JSContext*, js::DebuggerWeakMap<JSScript*, false>&, JS::Handle<js::CrossCompartmentKey>, JS::Handle<mozilla::Variant<JSScript*, js::WasmInstanceObject*> >)+1435>: ud2
|
||
Updated•6 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•6 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6bbae91a2eaf
user: Jan de Mooij
date: Thu Jun 07 10:02:10 2018 +0200
summary: Bug 1466501 part 1 - Refactor ZoneSpecifier and add a sameCompartmentAs option to newGlobal in the shell. r=luke
This iteration took 1.300 seconds to run.
|
Assignee | |
Updated•6 years ago
|
Blocks: same-compartment-realms
|
||
Comment 2•6 years ago
|
||
Jan, are you looking at this as part of the work on 1357862, or will it be re-assigned to someone else?
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Comment 3•6 years ago
|
||
(In reply to David Durst [:ddurst] (REO for 63) from comment #2)
> Jan, are you looking at this as part of the work on 1357862, or will it be
> re-assigned to someone else?
I'll fix it at some point, but it's not a blocker for 63 because this is not enabled in the browser.
status-firefox63:
affected → ---
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Updated•6 years ago
|
status-firefox61:
--- → unaffected
status-firefox62:
--- → unaffected
status-firefox63:
--- → unaffected
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
|
|
||
Updated•6 years ago
|
|
|
Assignee | |
Comment 4•6 years ago
|
||
We were checking for cross-compartment wrappers in the Debugger constructor, but this patch also fixes addDebuggee and addAllGlobalsAsDebuggees.
|
||
Updated•6 years ago
|
Attachment #9001568 -
Attachment is obsolete: true
|
|
||
Updated•6 years ago
|
Attachment #9001568 -
Attachment is obsolete: false
|
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
|
||
Comment 5•6 years ago
|
||
Comment on attachment 9001568 [details]
Bug 1473957 - Require debugger and debuggee to be in different compartments. r=jimb
Jim Blandy :jimb has approved the revision.
Attachment #9001568 -
Flags: review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/bb1559053685
Require debugger and debuggee to be in different compartments. r=jimb
|
||
Comment 7•6 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
You need to log in
before you can comment on or make changes to this bug.
Description
•