Closed
Bug 1021286
Opened 10 years ago
Closed 10 years ago
crash in JS::AutoAssertOnGC::VerifyIsSafeToGC (NewObject signature)
Categories: Core :: JavaScript: GC, defect
Tracking: RESOLVED FIXED (mozilla33)
Release | Tracking | Status
---|---|---
firefox32 | --- | wontfix
firefox33 | --- | fixed
b2g-v1.4 | --- | unaffected
People: Reporter: jbecerra, Assigned: terrence
References: Blocks 1 open bug
Details: Keywords: assertion, crash
Crash Data
Attachments (1 file): patch, 1.10 KB, luke: review+
This bug was filed from the Socorro interface and is report bp-7e6fba60-029c-4039-873c-000a52140602.
=============================================================
This is a recent signature that first appeared in nightly 32.0a1 on 5/15, but started spiking around 5/30. It affects Win7 and Win 8/8.1 installations. There's only one comment so far, but there is little information to go by.

More reports at: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=NewObject

0 mozjs.dll NewObject js/src/jsobj.cpp
1 mozjs.dll js::NewObjectWithGivenProto(js::ExclusiveContext *,js::Class const *,js::TaggedProto,JSObject *,js::gc::AllocKind,js::NewObjectKind) js/src/jsobj.cpp
2 mozjs.dll js::NewObjectWithClassProtoCommon(js::ExclusiveContext *,js::Class const *,JSObject *,JSObject *,js::gc::AllocKind,js::NewObjectKind) js/src/jsobj.cpp
3 mozjs.dll JS_NewObject(JSContext *,JSClass const *,JS::Handle<JSObject *>,JS::Handle<JSObject *>) js/src/jsapi.cpp
4 xul.dll XPCWrappedNative::Init(JS::Handle<JSObject *>,XPCNativeScriptableCreateInfo const *) js/xpconnect/src/XPCWrappedNative.cpp
5 xul.dll XPCWrappedNative::GetNewOrUsed(xpcObjectHelper &,XPCWrappedNativeScope *,XPCNativeInterface *,XPCWrappedNative * *) js/xpconnect/src/XPCWrappedNative.cpp
6 xul.dll XPCConvert::NativeInterface2JSObject(JS::MutableHandle<JS::Value>,nsIXPConnectJSObjectHolder * *,xpcObjectHelper &,nsID const *,XPCNativeInterface * *,bool,tag_nsresult *) js/xpconnect/src/XPCConvert.cpp
7 xul.dll nsXPConnect::WrapNative(JSContext *,JSObject *,nsISupports *,nsID const &,nsIXPConnectJSObjectHolder * *) js/xpconnect/src/nsXPConnect.cpp
8 xul.dll xpc_NewIDObject(JSContext *,JS::Handle<JSObject *>,nsID const &) js/xpconnect/src/XPCJSID.cpp
9 xul.dll nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject(JSContext *,JSObject *,nsID const &) js/xpconnect/src/XPCWrappedJSClass.cpp
10 xul.dll nsXPCWrappedJSClass::DelegatedQueryInterface(nsXPCWrappedJS *,nsID const &,void * *) js/xpconnect/src/XPCWrappedJSClass.cpp
11 xul.dll nsXPCWrappedJS::QueryInterface(nsID const &,void * *) js/xpconnect/src/XPCWrappedJS.cpp
12 xul.dll nsXPTCStubBase::QueryInterface(nsID const &,void * *) xpcom/reflect/xptcall/src/xptcall.cpp
13 xul.dll nsCOMPtr_base::assign_from_qi_with_error(nsQueryInterfaceWithError const &,nsID const &) xpcom/glue/nsCOMPtr.cpp
14 xul.dll nsCOMPtr<nsISupportsWeakReference>::nsCOMPtr<nsISupportsWeakReference>(nsQueryInterfaceWithError const &) xpcom/glue/nsCOMPtr.h
15 xul.dll nsIOService::CacheProtocolHandler(char const *,nsIProtocolHandler *) netwerk/base/src/nsIOService.cpp
16 xul.dll nsIOService::GetProtocolHandler(char const *,nsIProtocolHandler * *) netwerk/base/src/nsIOService.cpp
17 xul.dll NS_GetDefaultPort(char const *,nsIIOService *) obj-firefox/dist/include/nsNetUtil.h
18 xul.dll NS_GetRealPort(nsIURI *) obj-firefox/dist/include/nsNetUtil.h
19 xul.dll NS_SecurityCompareURIs(nsIURI *,nsIURI *,bool) obj-firefox/dist/include/nsNetUtil.h
20 xul.dll nsPrincipal::Equals(nsIPrincipal *,bool *) caps/src/nsPrincipal.cpp
21 xul.dll nsPrincipal::Subsumes(nsIPrincipal *,bool *) caps/src/nsPrincipal.cpp
22 xul.dll nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals *,JSPrincipals *) caps/src/nsScriptSecurityManager.cpp
23 mozjs.dll js::FrameIter::settleOnActivation() js/src/vm/Stack.cpp
24 mozjs.dll js::FrameIter::popActivation() js/src/vm/Stack.cpp
25 mozjs.dll js::FrameIter::popInterpreterFrame() js/src/vm/Stack.cpp
26 mozjs.dll js::FrameIter::operator++() js/src/vm/Stack.cpp
27 mozjs.dll js::ComputeStackString(JSContext *) js/src/jsexn.cpp
28 mozjs.dll js_ErrorToException(JSContext *,char const *,JSErrorReport *,JSErrorFormatString const * (*)(void *,char const *,unsigned int),void *) js/src/jsexn.cpp
29 mozjs.dll ReportError js/src/jscntxt.cpp
30 mozjs.dll js_ReportErrorNumberVA(JSContext *,unsigned int,JSErrorFormatString const * (*)(void *,char const *,unsigned int),void *,unsigned int,js::ErrorArgumentsType,char *) js/src/jscntxt.cpp
31 mozjs.dll JS_ReportErrorNumberVA(JSContext *,JSErrorFormatString const * (*)(void *,char const *,unsigned int),void *,unsigned int,char *) js/src/jsapi.cpp
32 mozjs.dll JS_ReportErrorNumber(JSContext *,JSErrorFormatString const * (*)(void *,char const *,unsigned int),void *,unsigned int,...) js/src/jsapi.cpp
33 mozjs.dll js_ReportIsNotDefined(JSContext *,char const *) js/src/jscntxt.cpp
34 mozjs.dll js::FetchName<0>(JSContext *,JS::Handle<JSObject *>,JS::Handle<JSObject *>,JS::Handle<js::PropertyName *>,JS::Handle<js::Shape *>,JS::MutableHandle<JS::Value>) js/src/vm/Interpreter-inl.h
35 mozjs.dll NameOperation js/src/vm/Interpreter.cpp
36 mozjs.dll Interpret js/src/vm/Interpreter.cpp
37 mozjs.dll js::RunScript(JSContext *,js::RunState &) js/src/vm/Interpreter.cpp
38 mozjs.dll js::ExecuteKernel(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value const &,js::ExecuteType,js::AbstractFramePtr,JS::Value *) js/src/vm/Interpreter.cpp
39 mozjs.dll js::Execute(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value *) js/src/vm/Interpreter.cpp
40 mozjs.dll Evaluate js/src/jsapi.cpp
41 mozjs.dll JS::Evaluate(JSContext *,JS::Handle<JSObject *>,JS::ReadOnlyCompileOptions const &,JS::SourceBufferHolder &,JS::MutableHandle<JS::Value>) js/src/jsapi.cpp
42 xul.dll nsJSUtils::EvaluateString(JSContext *,JS::SourceBufferHolder &,JS::Handle<JSObject *>,JS::CompileOptions &,nsJSUtils::EvaluateOptions const &,JS::MutableHandle<JS::Value>,void * *) dom/base/nsJSUtils.cpp
43 xul.dll nsJSUtils::EvaluateString(JSContext *,nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,nsJSUtils::EvaluateOptions const &,JS::MutableHandle<JS::Value>,void * *) dom/base/nsJSUtils.cpp
44 xul.dll mozilla::plugins::parent::_evaluate(_NPP *,NPObject *,_NPString *,_NPVariant *) dom/plugins/base/nsNPAPIPlugin.cpp
45 xul.dll mozilla::plugins::PluginScriptableObjectParent::AnswerNPN_Evaluate(nsCString const &,mozilla::plugins::Variant *,bool *) dom/plugins/ipc/PluginScriptableObjectParent.cpp
46 xul.dll mozilla::plugins::PPluginScriptableObjectParent::OnCallReceived(IPC::Message const &,IPC::Message * &) obj-firefox/ipc/ipdl/PPluginScriptableObjectParent.cpp
47 xul.dll mozilla::plugins::PPluginModuleParent::OnCallReceived(IPC::Message const &,IPC::Message * &) obj-firefox/ipc/ipdl/PPluginModuleParent.cpp
48 xul.dll mozilla::ipc::MessageChannel::DispatchInterruptMessage(IPC::Message const &,unsigned int) ipc/glue/MessageChannel.cpp
49 xul.dll mozilla::ipc::MessageChannel::InterruptCall(IPC::Message *,IPC::Message *) ipc/glue/MessageChannel.cpp
50 xul.dll mozilla::ipc::MessageChannel::Call(IPC::Message *,IPC::Message *) ipc/glue/MessageChannel.cpp
51 xul.dll mozilla::plugins::PPluginScriptableObjectParent::CallHasProperty(mozilla::plugins::PPluginIdentifierParent *,bool *) obj-firefox/ipc/ipdl/PPluginScriptableObjectParent.cpp
52 xul.dll mozilla::plugins::PluginScriptableObjectParent::ScriptableHasProperty(NPObject *,void *) dom/plugins/ipc/PluginScriptableObjectParent.cpp
53 xul.dll NPObjWrapper_NewResolve dom/plugins/base/nsJSNPRuntime.cpp
54 mozjs.dll GetPropertyOperation js/src/vm/Interpreter.cpp
55 mozjs.dll Interpret js/src/vm/Interpreter.cpp
56 mozjs.dll js::RunScript(JSContext *,js::RunState &) js/src/vm/Interpreter.cpp
57 mozjs.dll js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) js/src/vm/Interpreter.cpp
58 mozjs.dll js::CallOrConstructBoundFunction(JSContext *,unsigned int,JS::Value *) js/src/jsfun.cpp
59 mozjs.dll js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) js/src/vm/Interpreter.cpp
60 mozjs.dll js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value const *,JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp
61 mozjs.dll JS::Call(JSContext *,JS::Handle<JS::Value>,JS::Handle<JS::Value>,JS::HandleValueArray const &,JS::MutableHandle<JS::Value>) js/src/jsapi.cpp
62 xul.dll mozilla::dom::Function::Call(JSContext *,JS::Handle<JS::Value>,nsTArray<JS::Value> const &,mozilla::ErrorResult &) obj-firefox/dom/bindings/FunctionBinding.cpp
63 xul.dll mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >(nsCOMPtr<nsISupports> const &,nsTArray<JS::Value> const &,mozilla::ErrorResult &,mozilla::dom::CallbackObject::ExceptionHandling) obj-firefox/dist/include/mozilla/dom/FunctionBinding.h
64 xul.dll nsGlobalWindow::RunTimeoutHandler(nsTimeout *,nsIScriptContext *) dom/base/nsGlobalWindow.cpp
65 xul.dll nsGlobalWindow::RunTimeout(nsTimeout *) dom/base/nsGlobalWindow.cpp
66 xul.dll nsGlobalWindow::TimerCallback(nsITimer *,void *) dom/base/nsGlobalWindow.cpp
67 xul.dll nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp
68 xul.dll nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp
69 xul.dll nsThread::ProcessNextEvent(bool,bool *) xpcom/threads/nsThread.cpp
70 xul.dll NS_ProcessNextEvent(nsIThread *,bool) xpcom/glue/nsThreadUtils.cpp
71 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) ipc/glue/MessagePump.cpp
72 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc
73 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc
74 xul.dll nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp
75 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp
76 xul.dll nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp
77 xul.dll XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp
78 xul.dll XREMain::XRE_main(int,char * * const,nsXREAppData const *) toolkit/xre/nsAppRunner.cpp
79 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp
80 firefox.exe do_main browser/app/nsBrowserApp.cpp
81 firefox.exe NS_internal_main(int,char * *) browser/app/nsBrowserApp.cpp
82 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp
83 firefox.exe __tmainCRTStartup f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c:552
84 kernel32.dll BaseThreadInitThunk
85 ntdll.dll __RtlUserThreadStart
86 ntdll.dll _RtlUserThreadStart
cmp dword ptr [eax+0C5Ch],0
jle mozjs!NewObject+0x2d5 (67b11e05)
int 3

There is some serious inlining, but this looks like:

JS::AutoAssertOnGC::VerifyIsSafeToGC(JSRuntime *rt)
{
    if (rt->gc.inUnsafeRegion > 0)
        MOZ_CRASH("[AutoAssertOnGC] possible GC in GC-unsafe region");
}

at JS::AutoAssertOnGC::VerifyIsSafeToGC
   CheckAllocatorState
   js::gc::AllocateObject<1>
   JSObject::create
   NewObject

The crashes stop on June 3rd, right when that code was removed from opt builds by bug 1018568.
Terrence, is your team interested in this? It's no longer crashing, but I imagine that the underlying issue may still be present.
Flags: needinfo?(terrence)
Comment 4•10 years ago (Assignee)
Oh yes, this may be very bad. Steve, I'm traveling today, can you take a look? I thought we had a SuppressGC in ReportErrorMumble, maybe this path isn't hitting that, the AssertOnGC is higher or maybe we're just checking in the wrong order and this is actually okay? In any case, thanks for needinfoing me, David!
Blocks: GC.stability
Group: core-security, javascript-core-security
Flags: needinfo?(terrence) → needinfo?(sphink)
Updated•10 years ago
Summary: crash in NewObject → crash in JS::AutoAssertOnGC::VerifyIsSafeToGC (NewObject signature)
Updated•10 years ago
Component: JavaScript Engine → JavaScript: GC
I duped bug 1021082 to this, but please double check. Maybe it's a different issue tripping the same assert (I don't see ReportError on the stack for that one).
Comment 6•10 years ago (Assignee)
Just verified that we are actually checking suppressGC before making this assertion. This means that we have an AutoAssertOnGC somewhere where this is simply not true. The good news is that we should be able to find it in that stack... somewhere.
Comment 7•10 years ago (Assignee)
Found it. StackIter::settleOnActivation calls subsumes with a suppression, which appears to trigger GC in practice. I've kicked off a static analysis build, which should tell us how hard this is going to be to root across. https://tbpl.mozilla.org/?tree=Try&rev=d1e94478e7f0
Comment 8•10 years ago (Assignee)
Hopefully on a less broken tip this time: https://tbpl.mozilla.org/?tree=Try&rev=23423db532df
Comment 9•10 years ago (Assignee)
Okay, Hf should /really/ not be green without the suppression, given that this clearly does GC in practice. Steve, could you take a look?
Comment 10•10 years ago (Assignee)
The hazard may just be gone. I'll do archeology to see why it was added.
Flags: needinfo?(sphink)
Comment 11•10 years ago (Assignee)
The AutoSuppressGCAnalysis was added by Luke in bug 924905 in comment 45, in order to make the Hf failures stop. Presumably he also assumed that subsumes would not ever GC. Unfortunately, the exact hazard he saw has been lost in a long-ago try reset, so we have no way of checking. I think in this case we're just going to have to trust the analysis. 1 - https://bugzilla.mozilla.org/show_bug.cgi?id=924905#c45
Comment 12•10 years ago (Assignee)
This simply removes the suppression. The hazard analysis is still green, so whatever hazard it was added to ignore has since been rooted or otherwise removed.
Comment 13•10 years ago (Assignee)
Also, this bug is not sec-sensitive, just an incorrect assertion firing.
Group: core-security, javascript-core-security
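The model below is an example added here to illustrate comments 6, 7 and 12; it is not SpiderMonkey's code and not the patch attached to this bug. It keeps the names from the thread (inUnsafeRegion, suppressGC, AutoAssertOnGC, AutoSuppressGC, AutoSuppressGCAnalysis, settleOnActivation, subsumes) but every body is a simplified stand-in, MOZ_CRASH is replaced by a returned outcome, and it assumes that AutoSuppressGCAnalysis is an AutoAssertOnGC that additionally silences the static rooting-hazard analysis. The point it makes: the analysis-only suppression changes nothing at runtime, so an allocation under it trips the assertion unless a real AutoSuppressGC is also live, which is exactly the check order comment 6 confirmed.

```cpp
// Added illustration, not SpiderMonkey code or the patch from this bug: a
// minimal model of the GC "unsafe region" assertion. The names mirror the bug
// (inUnsafeRegion, suppressGC, AutoAssertOnGC, AutoSuppressGC,
// AutoSuppressGCAnalysis, settleOnActivation, subsumes); the bodies are
// simplified stand-ins, and MOZ_CRASH is replaced by a returned outcome.
#include <cassert>

struct GCRuntimeState {
    int inUnsafeRegion = 0; // > 0 while any AutoAssertOnGC is live
    int suppressGC = 0;     // > 0 while any AutoSuppressGC is live; GC cannot run
};

struct JSRuntime {
    GCRuntimeState gc;
};

// "A GC in this scope would be a bug": bumps the counter VerifyIsSafeToGC reads.
class AutoAssertOnGC {
public:
    explicit AutoAssertOnGC(JSRuntime* rt) : rt_(rt) { ++rt_->gc.inUnsafeRegion; }
    ~AutoAssertOnGC() { --rt_->gc.inUnsafeRegion; }
private:
    JSRuntime* rt_;
};

// Really disables GC at runtime. Comment 6 confirms the allocator consults
// this before asserting, so allocation under it never trips the assert.
class AutoSuppressGC {
public:
    explicit AutoSuppressGC(JSRuntime* rt) : rt_(rt) { ++rt_->gc.suppressGC; }
    ~AutoSuppressGC() { --rt_->gc.suppressGC; }
private:
    JSRuntime* rt_;
};

// Assumption of this model: the analysis suppression is an AutoAssertOnGC that
// additionally tells the static rooting-hazard analysis to ignore the scope.
// It silences the analysis; it does not stop a runtime GC.
class AutoSuppressGCAnalysis : public AutoAssertOnGC {
public:
    explicit AutoSuppressGCAnalysis(JSRuntime* rt) : AutoAssertOnGC(rt) {}
};

enum class AllocOutcome { Allocated, AssertFired };

// Stand-in for JS::AutoAssertOnGC::VerifyIsSafeToGC quoted in the bug,
// returning false where the real code calls MOZ_CRASH.
bool verifyIsSafeToGC(const JSRuntime* rt) {
    return rt->gc.inUnsafeRegion == 0;
}

// Stand-in for CheckAllocatorState: suppression is checked first, then the
// unsafe-region assertion.
AllocOutcome checkAllocatorState(const JSRuntime* rt) {
    if (rt->gc.suppressGC > 0)
        return AllocOutcome::Allocated; // GC cannot happen here, nothing to assert
    return verifyIsSafeToGC(rt) ? AllocOutcome::Allocated : AllocOutcome::AssertFired;
}

// Stand-in for the principal subsumes check. The crash stack shows it reaching
// JS_NewObject, i.e. it allocates and so may trigger a GC.
AllocOutcome subsumes(const JSRuntime* rt) {
    return checkAllocatorState(rt);
}

// settleOnActivation before the patch: subsumes runs under the suppression.
AllocOutcome settleOnActivationBefore() {
    JSRuntime rt;
    AutoSuppressGCAnalysis nogc(&rt);
    return subsumes(&rt);
}

// settleOnActivation after the patch: suppression gone, the allocation is
// allowed and the hazard analysis has to vet it (comment 12: still green).
AllocOutcome settleOnActivationAfter() {
    JSRuntime rt;
    return subsumes(&rt);
}

// Answer to comment 4's question: a real AutoSuppressGC around the same call
// would have kept the assertion silent, because suppressGC is checked first.
AllocOutcome settleOnActivationWithRealSuppression() {
    JSRuntime rt;
    AutoSuppressGCAnalysis nogc(&rt);
    AutoSuppressGC suppress(&rt);
    return subsumes(&rt);
}

// RAII bookkeeping sanity check: every guard restores the counters on exit.
bool guardsBalanced() {
    JSRuntime rt;
    {
        AutoSuppressGCAnalysis nogc(&rt);
        AutoSuppressGC suppress(&rt);
    }
    return rt.gc.inUnsafeRegion == 0 && rt.gc.suppressGC == 0;
}

int main() {
    assert(settleOnActivationBefore() == AllocOutcome::AssertFired);
    assert(settleOnActivationAfter() == AllocOutcome::Allocated);
    assert(settleOnActivationWithRealSuppression() == AllocOutcome::Allocated);
    assert(guardsBalanced());
    return 0;
}
```

Compile with any C++11 compiler (for example `g++ -std=c++11 model.cpp`). The three scenario functions each build a fresh runtime so they can be run in any order; the "before" scenario is the only one that reports AssertFired, which is the runtime behaviour behind the NewObject crash signature.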
Updated•10 years ago
Attachment #8437831 - Flags: review?(luke) → review+
Comment 14•10 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/e34edf1ea296
Comment 15•10 years ago
https://hg.mozilla.org/mozilla-central/rev/e34edf1ea296
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Comment 16•10 years ago
Terrence: should this fix be uplifted to Aurora 32? The original crash was reported for Nightly 32.
status-firefox32: --- → affected
status-firefox33: --- → fixed
tracking-firefox32: --- → ?
Flags: needinfo?(terrence)
Updated•10 years ago
status-b2g-v1.4: --- → unaffected
Comment 17•10 years ago (Assignee)
It's just an assertion, so will not impact releases and is unlikely to trigger even in debug builds. I'd say uplifting is not urgent, although it is a trivial patch so would not be hard to uplift either.
Flags: needinfo?(terrence)
Updated•10 years ago