Closed Bug 1289058 Opened 8 years ago Closed 8 years ago

Crash [@ JS_HoldPrincipals] with captureFirstSubsumedFrame shell function

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla50
Tracking Status
firefox50 --- verified

People

(Reporter: decoder, Assigned: fitzgen)

Details

(Keywords: crash, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision e0bc88708ffe (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --no-threads):

const g1 = newGlobal({});
const g2 = newGlobal(newGlobal);
g1.g2obj = g2.eval("new Object");
g1.evaluate(`
  const global = this;
  function capture(shouldIgnoreSelfHosted = true) {
    return captureFirstSubsumedFrame(global.g2obj, shouldIgnoreSelfHosted);
  }
  (function iife1() {
    const captureTrueStack = capture(true);
  }());
`, {
});
Backtrace:

 received signal SIGSEGV, Segmentation fault.
JS_HoldPrincipals (principals=principals@entry=0x0) at js/src/jsapi.cpp:3278
#0  JS_HoldPrincipals (principals=principals@entry=0x0) at js/src/jsapi.cpp:3278
#1  0x0000000000c53ba3 in JS::FirstSubsumedFrame::FirstSubsumedFrame (ignoreSelfHostedFrames=true, p=<optimized out>, ctx=0x7ffff6965000, this=<optimized out>) at js/src/jsapi.h:5939
#2  CaptureFirstSubsumedFrame (cx=cx@entry=0x7ffff6965000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1168
#3  0x0000000000ab2b44 in js::CallJSNative (cx=cx@entry=0x7ffff6965000, native=0xc53a80 <CaptureFirstSubsumedFrame(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:232
[...]
#34 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7519
rax	0x7ffff6956800	140737330374656
rbx	0x0	0
rcx	0x10ac101	17481985
rdx	0x1	1
rsi	0x1	1
rdi	0x0	0
rbp	0x7fffffffb830	140737488336944
rsp	0x7fffffffb830	140737488336944
r8	0x35	53
r9	0x7ffff6955800	140737330370560
r10	0x1d48420	30704672
r11	0x1d485d0	30705104
r12	0x7ffff6965000	140737330434048
r13	0x7fffffffb870	140737488337008
r14	0x7fffffffb930	140737488337200
r15	0x7ffff500b240	140737303851584
rip	0x8a82b4 <JS_HoldPrincipals(JSPrincipals*)+4>
=> 0x8a82b4 <JS_HoldPrincipals(JSPrincipals*)+4>:	lock addl $0x1,0x8(%rdi)
   0x8a82b9 <JS_HoldPrincipals(JSPrincipals*)+9>:	pop    %rbp
Happening quite often, marking as fuzzblocker.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0916f44729ff
user:        Nick Fitzgerald
date:        Thu Jul 21 23:40:59 2016 -0400
summary:     Bug 1280818 part 1 - Add the ability to capture the stack until the first non-self-hosted frame with the given principals; r=bz,jimb

This iteration took 225.837 seconds to run.
Assignee: nobody → nfitzgerald
Status: NEW → ASSIGNED
Attachment #8774414 - Flags: review?(jimb) → review+
Pushed by nfitzgerald@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0d3a0369254a
Null check principals before holding them in JS::FirstSubsumedFrame; r=jimb
https://hg.mozilla.org/mozilla-central/rev/0d3a0369254a
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
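To illustrate the fix described in the push comment (null-check principals before holding them), here is an added C++ model; it is not SpiderMonkey code, and the names Principals, holdPrincipals, dropPrincipals and FirstSubsumedFrameModel are hypothetical stand-ins for JSPrincipals, JS_HoldPrincipals, JS_DropPrincipals and JS::FirstSubsumedFrame. It assumes, as in the shell testcase, that a global created by newGlobal has no principals (a null pointer).

```cpp
// Added example (not Mozilla's code): minimal model of the principals
// refcounting that JS_HoldPrincipals performs, and of the null check the
// fix adds to JS::FirstSubsumedFrame. All names are hypothetical stand-ins.
#include <atomic>
#include <cstddef>

struct Principals {
    std::atomic<int> refcount{0};   // the real hold is a `lock addl $1` on this
};

// Unchecked hold, i.e. the pre-fix behaviour: dereferences its argument,
// so a null pointer faults exactly as the backtrace shows (rdi == 0).
void holdPrincipalsUnchecked(Principals* p) { p->refcount.fetch_add(1); }

// Null-tolerant hold/drop, as used by the fixed frame object below.
void holdPrincipals(Principals* p) { if (p) p->refcount.fetch_add(1); }
void dropPrincipals(Principals* p) { if (p) p->refcount.fetch_sub(1); }

// Model of JS::FirstSubsumedFrame after the fix: a global created without
// principals (as the shell's newGlobal does) yields nullptr, which the
// constructor now tolerates instead of crashing.
class FirstSubsumedFrameModel {
    Principals* principals_;
public:
    explicit FirstSubsumedFrameModel(Principals* p) : principals_(p) {
        holdPrincipals(principals_);   // the fix: check for null before holding
    }
    ~FirstSubsumedFrameModel() { dropPrincipals(principals_); }
    FirstSubsumedFrameModel(const FirstSubsumedFrameModel&) = delete;
    FirstSubsumedFrameModel& operator=(const FirstSubsumedFrameModel&) = delete;
    bool hasPrincipals() const { return principals_ != nullptr; }
};

// Refcount observed while the frame object is alive, then after it is gone.
struct HoldCounts { int during; int after; };

HoldCounts captureWith(Principals* p) {
    HoldCounts c{0, 0};
    {
        FirstSubsumedFrameModel frame(p);
        c.during = p ? p->refcount.load() : 0;
    }
    c.after = p ? p->refcount.load() : 0;
    return c;
}

// Real principals are held for the frame's lifetime and released afterwards.
bool holdsAndReleasesRealPrincipals() {
    Principals real;
    HoldCounts c = captureWith(&real);
    return c.during == 1 && c.after == 0 && real.refcount.load() == 0;
}

// Null principals (shell globals) no longer crash; nothing is held or dropped.
bool toleratesNullPrincipals() {
    HoldCounts c = captureWith(nullptr);
    return c.during == 0 && c.after == 0 && !FirstSubsumedFrameModel(nullptr).hasPrincipals();
}
```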
I believe we can safely mark this verified fixed on Fx50, based on the crash data available for the last 2 months.

  SIGNATURE   | JS_HoldPrincipals
  ------------------------------------------
  CRASH STATS | http://tinyurl.com/h58xz47
  ------------------------------------------
  OVERVIEW    | 0 crashes on nightly 52
              | 0 crashes on nightly 51
              | 0 crashes on aurora 51
              | 0 crashes on nightly 50
              | 0 crashes on aurora 50
              | 0 crashes on beta 50
Status: RESOLVED → VERIFIED