Closed
Bug 1653974
Opened 4 years ago
Closed 4 years ago
Assertion failure: !js::UninlinedIsCrossCompartmentWrapper(this), at vm/JSObject.h:437 with Debugger
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
82 Branch
People
(Reporter: decoder, Assigned: denispal)
References
(Regression)
Details
(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20200720-015515bcba1f (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --more-compartments):
var g = newGlobal(6);
var dbg = new Debugger;
var gDO = dbg.addDebuggee(g);
var elt = new g.Object;
dbg.onDebuggerStatement = function(frame) {
var source = frame.script.source;
assertEq(source.element, eltDO);
};
(this).offThreadCompileScript('debugger;', {
element: elt,
elementAttributeName: 'mass'
});
g.runOffThreadScript();
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555557d7b02 in JSContext::enterRealmOf(JSObject*) ()
#1 0x00005555557b8710 in GetElementCallback(JSContext*, JS::Handle<JS::Value>) ()
#2 0x0000555555c9606f in js::ScriptSourceObject::unwrappedElement(JSContext*) const ()
#3 0x000055555609287d in js::DebuggerSource::CallData::getElement() ()
#4 0x00005555560950f1 in bool js::DebuggerSource::CallData::ToNative<&js::DebuggerSource::CallData::getElement>(JSContext*, unsigned int, JS::Value*) ()
#5 0x00005555559473f2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#6 0x0000555555946cc9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#7 0x000055555594835c in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#8 0x0000555555949362 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#9 0x0000555555ce0d31 in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#10 0x0000555555ce19a3 in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::PropertyKey, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) ()
#11 0x000055555581f038 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) ()
#12 0x000055555594d44e in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#13 0x00005555559383c9 in Interpret(JSContext*, js::RunState&) ()
#14 0x0000555555931932 in js::RunScript(JSContext*, js::RunState&) ()
#15 0x0000555555946bdf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#16 0x000055555594835c in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#17 0x00005555559485d0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#18 0x0000555555aa16df in js::Call(JSContext*, JS::Handle<JS::Value>, JSObject*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ()
#19 0x0000555555fcd133 in js::Debugger::fireDebuggerStatement(JSContext*, js::ResumeMode&, JS::MutableHandle<JS::Value>) ()
#20 0x0000555555fc734a in js::DebugAPI::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr) ()
#21 0x0000555555941f3a in Interpret(JSContext*, js::RunState&) ()
#22 0x0000555555931932 in js::RunScript(JSContext*, js::RunState&) ()
#23 0x00005555559499b5 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#24 0x000055555594a0c6 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#25 0x0000555555b26572 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#26 0x0000555555b26386 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#27 0x00005555557ea203 in runOffThreadScript(JSContext*, unsigned int, JS::Value*) ()
#28 0x00005555559473f2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#46 0x00005555557bbcea in main ()
rax 0x555556fd1a51 93825020009041
rbx 0x11e23cd009c8 19663380548040
rcx 0x5555583cb840 93825040955456
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffff9b00 140737488329472
rsp 0x7fffffff9af0 140737488329456
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f9bd40 140737353727296
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0x7fffffff9b50 140737488329552
r13 0x7ffff6027060 140737320743008
r14 0x7ffff6027000 140737320742912
r15 0x7ffff567c800 140737310607360
rip 0x5555557d7b02 <JSContext::enterRealmOf(JSObject*)+146>
=> 0x5555557d7b02 <_ZN9JSContext12enterRealmOfEP8JSObject+146>: movl $0x1b5,0x0
0x5555557d7b0d <_ZN9JSContext12enterRealmOfEP8JSObject+157>: callq 0x55555584c42e <abort>
I've also seen this crash in several ways and it could be that we have one of the crashes on file already, but I couldn't find it immediately.
|
Reporter | |
Comment 1•4 years ago
|
||
|
||
Updated•4 years ago
|
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
|
|
||
Comment 2•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200720141506-630250c6e58d.
The bug appears to have been introduced in the following build range:
> Start: d3a637853a363b2b2ad4d16e84baa49398f15b8d (20200430161941)
> End: 4107b758e7aea25d4529511f47bbd54531640dc4 (20200430162438)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d3a637853a363b2b2ad4d16e84baa49398f15b8d&tochange=4107b758e7aea25d4529511f47bbd54531640dc4
|
||
Updated•4 years ago
|
status-firefox78:
--- → wontfix
status-firefox79:
--- → fix-optional
|
||
Comment 3•4 years ago
|
||
Denis, it looks like your patch in bug 1501608 is being blamed here.
|
|
||
Updated•4 years ago
|
Priority: P3 → P1
|
|
||
Comment 4•4 years ago
|
||
Denis, ping me if you can't tell what Debugger is trying to do here.
|
||
Comment 5•4 years ago
|
||
:decoder, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(choller)
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Updated•4 years ago
|
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → dpalmeiro
Flags: needinfo?(dpalmeiro)
|
|
Assignee | |
Comment 6•4 years ago
|
||
The test in bug 1653974 fails because the debugee and debugger are in different compartments. Using a CCW fixes this.
|
||
Updated•4 years ago
|
Attachment #9172063 -
Attachment description: Use a CCW to get the element from the module info object → Unwrap the module info object before changing realms
Pushed by dpalmeiro@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/07c35d6ca21f
Unwrap the module info object before changing realms r=jonco
|
||
Comment 8•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox82:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
|
|
||
Updated•4 years ago
|
|
|
||
Comment 9•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200827212940-109f3a4de567.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
status-firefox-esr68:
--- → unaffected
status-firefox-esr78:
--- → wontfix
You need to log in
before you can comment on or make changes to this bug.
Description
•