Closed Bug 1295172 Opened 8 years ago Closed 8 years ago

Crash [@ js::CheckTracedThing<js::Shape>] with Proxy and evalcx

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1282746
Tracking Status
firefox51 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update,ignore][adv-main51-])

Crash Data

The following testcase crashes on mozilla-central revision 6e191a55c3d2 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

gczeal(14);
x = (evalcx('lazy'))
var t = x;
var p = new Proxy(t, {});
Object.setPrototypeOf(t, p);
Backtrace:

 received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff48fb700 (LWP 20888)]
0x0000000000d0d4a2 in js::CheckTracedThing<js::Shape> (trc=trc@entry=0x7ffff48faca8, thing=0x7ffff06b7330) at js/src/gc/Marking.cpp:188
#0  0x0000000000d0d4a2 in js::CheckTracedThing<js::Shape> (trc=trc@entry=0x7ffff48faca8, thing=0x7ffff06b7330) at js/src/gc/Marking.cpp:188
#1  0x0000000000d36a8f in DoCallback<js::Shape*> (trc=0x7ffff48faca0, thingp=0x7ffff069b048, name=0x1025ca6 "ProxyObject_shape") at js/src/gc/Tracer.cpp:49
#2  0x00000000009d6334 in js::ProxyObject::trace (trc=0x7ffff48faca8, obj=0x7ffff069b040) at js/src/proxy/Proxy.cpp:620
#3  0x000000000095b48f in js::Class::doTrace (this=<optimized out>, obj=0x7ffff069b040, trc=0x7ffff48faca8) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Class.h:815
#4  JSObject::traceChildren (this=this@entry=0x7ffff069b040, trc=trc@entry=0x7ffff48faca8) at js/src/jsobj.cpp:3885
#5  0x00000000008f8faf in UpdateCellPointers<JSObject> (cell=<optimized out>, trc=0xe695927c7c486100) at js/src/jsgc.cpp:2204
#6  UpdateArenaPointersTyped<JSObject> (trc=trc@entry=0x7ffff48faca0, arena=<optimized out>, traceKind=JS::TraceKind::Object) at js/src/jsgc.cpp:2212
#7  0x00000000008ffbec in UpdateArenaPointers (arena=0x7ffff069b000, trc=0x7ffff48faca0) at js/src/jsgc.cpp:2228
#8  js::gc::UpdatePointersTask::updateArenas (this=this@entry=0x7fffffffbd88) at js/src/jsgc.cpp:2352
#9  0x0000000000900250 in js::gc::UpdatePointersTask::run (this=0x7fffffffbd88) at js/src/jsgc.cpp:2359
#10 0x0000000000a83228 in js::GCParallelTask::runFromHelperThread (this=0x7fffffffbd88, locked=...) at js/src/vm/HelperThreads.cpp:1058
#11 0x0000000000a8b06e in js::HelperThread::handleGCParallelWorkload (this=this@entry=0x7ffff69279e0, locked=...) at js/src/vm/HelperThreads.cpp:1089
#12 0x0000000000a8e190 in js::HelperThread::threadLoop (this=0x7ffff69279e0) at js/src/vm/HelperThreads.cpp:1694
#13 0x0000000000a97552 in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul> (this=0x7ffff69200a0) at js/src/threading/Thread.h:236
#14 js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start (aPack=0x7ffff69200a0) at js/src/threading/Thread.h:229
#15 0x00007ffff7bc16fa in start_thread (arg=0x7ffff48fb700) at pthread_create.c:333
#16 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0xbad0bad1	3134241489
rbx	0x7ffff48faca8	140737296444584
rcx	0x0	0
rdx	0x1025ca6	16932006
rsi	0x7ffff06b7330	140737226961712
rdi	0x7ffff48faca8	140737296444584
rbp	0x7ffff48faa90	140737296444048
rsp	0x7ffff48faa70	140737296444016
r8	0x0	0
r9	0x51	81
r10	0x0	0
r11	0x246	582
r12	0x7ffff06b7330	140737226961712
r13	0x1025ca6	16932006
r14	0x7ffff069b040	140737226846272
r15	0x1d88440	30966848
rip	0xd0d4a2 <js::CheckTracedThing<js::Shape>(JSTracer*, js::Shape*)+50>
=> 0xd0d4a2 <js::CheckTracedThing<js::Shape>(JSTracer*, js::Shape*)+50>:	cmp    %rax,(%rsi)
   0xd0d4a5 <js::CheckTracedThing<js::Shape>(JSTracer*, js::Shape*)+53>:	je     0xd0d600 <js::CheckTracedThing<js::Shape>(JSTracer*, js::Shape*)+400>
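The testcase is unusual in that it puts an object's own Proxy into its prototype chain. This added example (not part of the bug report, written for any ES2015 engine such as Node) shows why that assignment is accepted at all: OrdinarySetPrototypeOf only checks for cycles while it can walk through ordinary objects, and a Proxy ends that walk, so a direct self-prototype is rejected while the proxied one is not. The second helper is a bounded, visited-set walk that detects such a cycle without looping forever; all function names are mine.

```javascript
// Added example, not code from the bug or from SpiderMonkey.
// Function names below are illustrative.

// Setting an object as its own prototype trips the ordinary cycle check
// and Object.setPrototypeOf throws a TypeError.
function directCycleRejected(obj) {
  try {
    Object.setPrototypeOf(obj, obj);
    return false; // engine accepted a direct cycle (should not happen)
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Wrapping the object in a Proxy first hides the cycle from that check:
// the spec's loop stops at the first non-ordinary object, so the
// assignment succeeds and the chain obj -> proxy -> (target: obj) is cyclic.
function proxyCycleAccepted(obj) {
  const p = new Proxy(obj, {});
  try {
    Object.setPrototypeOf(obj, p);
    return true;
  } catch (e) {
    return false;
  }
}

// Defensive chain walk: Object.getPrototypeOf on a trap-less Proxy forwards
// to its target, so a visited set catches the cycle; `limit` bounds the
// walk in case an exotic getPrototypeOf keeps producing fresh objects.
function prototypeChainStatus(obj, limit = 1000) {
  const seen = new Set();
  let cur = obj;
  let depth = 0;
  while (cur !== null) {
    if (seen.has(cur)) return { cyclic: true, depth };
    seen.add(cur);
    cur = Object.getPrototypeOf(cur);
    if (++depth > limit) return { cyclic: false, depth, truncated: true };
  }
  return { cyclic: false, depth };
}

// Usage on a constructed object (mirrors the shape of the testcase without
// the shell-only gczeal/evalcx calls).
const t = {};
console.log("direct self-prototype rejected:", directCycleRejected(t)); // true
console.log("proxied self-prototype accepted:", proxyCycleAccepted(t)); // true
console.log("chain status:", prototypeChainStatus(t)); // { cyclic: true, depth: 2 }
```

After `proxyCycleAccepted` the object `t` must not have a missing property read on it in this script: an ordinary lookup would recurse through the proxy back into `t` indefinitely, which is exactly the state the walker above reports as `cyclic`.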

GC-related crash and we're reading a non-zero memory address, marking s-s until further investigated.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/35cc4a2451cc
user:        Morgan Phillips
date:        Mon Jun 06 11:59:41 2016 -0700
summary:     Bug 1054906 - Implement ES6 Symbol.hasInstance 1/2; r=evilpie,bz

This iteration took 218.448 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ad3c62c42039).
Morgan, is bug 1054906 a likely regressor?
Flags: needinfo?(winter2718)
This is very odd, I don't see where the test case would be touching the changes in this patch at first glance. Because it's a GC issue, I wonder what terrence might think of the traceback.
Flags: needinfo?(winter2718) → needinfo?(terrence)
I can reproduce on the given revision but not on tip. Jon fixed a bug recently in how we sweep shapes, maybe this is the same thing?
Flags: needinfo?(terrence) → needinfo?(jcoppeard)
Keywords: sec-high
Bisection revealed that efaust fixed this one in bug 1282746.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main51-]
Group: javascript-core-security