Closed Bug 1021286 Opened 10 years ago Closed 10 years ago

crash in JS::AutoAssertOnGC::VerifyIsSafeToGC (NewObject signature)

Categories

(Core :: JavaScript: GC, defect)

32 Branch
x86
Windows NT
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla33
Tracking Status
firefox32 --- wontfix
firefox33 --- fixed
b2g-v1.4 --- unaffected

People

(Reporter: jbecerra, Assigned: terrence)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is 
report bp-7e6fba60-029c-4039-873c-000a52140602.
=============================================================

This is a recent signature that first appeared in nightly 32.0a1 on 5/15, but started spiking around 5/30. It affects Win7 and Win 8/8.1 installations. There's only one comment so far, but there is little information to go by.

More reports at: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=NewObject

0 	mozjs.dll 	NewObject 	js/src/jsobj.cpp
1 	mozjs.dll 	js::NewObjectWithGivenProto(js::ExclusiveContext *,js::Class const *,js::TaggedProto,JSObject *,js::gc::AllocKind,js::NewObjectKind) 	js/src/jsobj.cpp
2 	mozjs.dll 	js::NewObjectWithClassProtoCommon(js::ExclusiveContext *,js::Class const *,JSObject *,JSObject *,js::gc::AllocKind,js::NewObjectKind) 	js/src/jsobj.cpp
3 	mozjs.dll 	JS_NewObject(JSContext *,JSClass const *,JS::Handle<JSObject *>,JS::Handle<JSObject *>) 	js/src/jsapi.cpp
4 	xul.dll 	XPCWrappedNative::Init(JS::Handle<JSObject *>,XPCNativeScriptableCreateInfo const *) 	js/xpconnect/src/XPCWrappedNative.cpp
5 	xul.dll 	XPCWrappedNative::GetNewOrUsed(xpcObjectHelper &,XPCWrappedNativeScope *,XPCNativeInterface *,XPCWrappedNative * *) 	js/xpconnect/src/XPCWrappedNative.cpp
6 	xul.dll 	XPCConvert::NativeInterface2JSObject(JS::MutableHandle<JS::Value>,nsIXPConnectJSObjectHolder * *,xpcObjectHelper &,nsID const *,XPCNativeInterface * *,bool,tag_nsresult *) 	js/xpconnect/src/XPCConvert.cpp
7 	xul.dll 	nsXPConnect::WrapNative(JSContext *,JSObject *,nsISupports *,nsID const &,nsIXPConnectJSObjectHolder * *) 	js/xpconnect/src/nsXPConnect.cpp
8 	xul.dll 	xpc_NewIDObject(JSContext *,JS::Handle<JSObject *>,nsID const &) 	js/xpconnect/src/XPCJSID.cpp
9 	xul.dll 	nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject(JSContext *,JSObject *,nsID const &) 	js/xpconnect/src/XPCWrappedJSClass.cpp
10 	xul.dll 	nsXPCWrappedJSClass::DelegatedQueryInterface(nsXPCWrappedJS *,nsID const &,void * *) 	js/xpconnect/src/XPCWrappedJSClass.cpp
11 	xul.dll 	nsXPCWrappedJS::QueryInterface(nsID const &,void * *) 	js/xpconnect/src/XPCWrappedJS.cpp
12 	xul.dll 	nsXPTCStubBase::QueryInterface(nsID const &,void * *) 	xpcom/reflect/xptcall/src/xptcall.cpp
13 	xul.dll 	nsCOMPtr_base::assign_from_qi_with_error(nsQueryInterfaceWithError const &,nsID const &) 	xpcom/glue/nsCOMPtr.cpp
14 	xul.dll 	nsCOMPtr<nsISupportsWeakReference>::nsCOMPtr<nsISupportsWeakReference>(nsQueryInterfaceWithError const &) 	xpcom/glue/nsCOMPtr.h
15 	xul.dll 	nsIOService::CacheProtocolHandler(char const *,nsIProtocolHandler *) 	netwerk/base/src/nsIOService.cpp
16 	xul.dll 	nsIOService::GetProtocolHandler(char const *,nsIProtocolHandler * *) 	netwerk/base/src/nsIOService.cpp
17 	xul.dll 	NS_GetDefaultPort(char const *,nsIIOService *) 	obj-firefox/dist/include/nsNetUtil.h
18 	xul.dll 	NS_GetRealPort(nsIURI *) 	obj-firefox/dist/include/nsNetUtil.h
19 	xul.dll 	NS_SecurityCompareURIs(nsIURI *,nsIURI *,bool) 	obj-firefox/dist/include/nsNetUtil.h
20 	xul.dll 	nsPrincipal::Equals(nsIPrincipal *,bool *) 	caps/src/nsPrincipal.cpp
21 	xul.dll 	nsPrincipal::Subsumes(nsIPrincipal *,bool *) 	caps/src/nsPrincipal.cpp
22 	xul.dll 	nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals *,JSPrincipals *) 	caps/src/nsScriptSecurityManager.cpp
23 	mozjs.dll 	js::FrameIter::settleOnActivation() 	js/src/vm/Stack.cpp
24 	mozjs.dll 	js::FrameIter::popActivation() 	js/src/vm/Stack.cpp
25 	mozjs.dll 	js::FrameIter::popInterpreterFrame() 	js/src/vm/Stack.cpp
26 	mozjs.dll 	js::FrameIter::operator++() 	js/src/vm/Stack.cpp
27 	mozjs.dll 	js::ComputeStackString(JSContext *) 	js/src/jsexn.cpp
28 	mozjs.dll 	js_ErrorToException(JSContext *,char const *,JSErrorReport *,JSErrorFormatString const * (*)(void *,char const *,unsigned int),void *) 	js/src/jsexn.cpp
29 	mozjs.dll 	ReportError 	js/src/jscntxt.cpp
30 	mozjs.dll 	js_ReportErrorNumberVA(JSContext *,unsigned int,JSErrorFormatString const * (*)(void *,char const *,unsigned int),void *,unsigned int,js::ErrorArgumentsType,char *) 	js/src/jscntxt.cpp
31 	mozjs.dll 	JS_ReportErrorNumberVA(JSContext *,JSErrorFormatString const * (*)(void *,char const *,unsigned int),void *,unsigned int,char *) 	js/src/jsapi.cpp
32 	mozjs.dll 	JS_ReportErrorNumber(JSContext *,JSErrorFormatString const * (*)(void *,char const *,unsigned int),void *,unsigned int,...) 	js/src/jsapi.cpp
33 	mozjs.dll 	js_ReportIsNotDefined(JSContext *,char const *) 	js/src/jscntxt.cpp
34 	mozjs.dll 	js::FetchName<0>(JSContext *,JS::Handle<JSObject *>,JS::Handle<JSObject *>,JS::Handle<js::PropertyName *>,JS::Handle<js::Shape *>,JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter-inl.h
35 	mozjs.dll 	NameOperation 	js/src/vm/Interpreter.cpp
36 	mozjs.dll 	Interpret 	js/src/vm/Interpreter.cpp
37 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
38 	mozjs.dll 	js::ExecuteKernel(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value const &,js::ExecuteType,js::AbstractFramePtr,JS::Value *) 	js/src/vm/Interpreter.cpp
39 	mozjs.dll 	js::Execute(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value *) 	js/src/vm/Interpreter.cpp
40 	mozjs.dll 	Evaluate 	js/src/jsapi.cpp
41 	mozjs.dll 	JS::Evaluate(JSContext *,JS::Handle<JSObject *>,JS::ReadOnlyCompileOptions const &,JS::SourceBufferHolder &,JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
42 	xul.dll 	nsJSUtils::EvaluateString(JSContext *,JS::SourceBufferHolder &,JS::Handle<JSObject *>,JS::CompileOptions &,nsJSUtils::EvaluateOptions const &,JS::MutableHandle<JS::Value>,void * *) 	dom/base/nsJSUtils.cpp
43 	xul.dll 	nsJSUtils::EvaluateString(JSContext *,nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,nsJSUtils::EvaluateOptions const &,JS::MutableHandle<JS::Value>,void * *) 	dom/base/nsJSUtils.cpp
44 	xul.dll 	mozilla::plugins::parent::_evaluate(_NPP *,NPObject *,_NPString *,_NPVariant *) 	dom/plugins/base/nsNPAPIPlugin.cpp
45 	xul.dll 	mozilla::plugins::PluginScriptableObjectParent::AnswerNPN_Evaluate(nsCString const &,mozilla::plugins::Variant *,bool *) 	dom/plugins/ipc/PluginScriptableObjectParent.cpp
46 	xul.dll 	mozilla::plugins::PPluginScriptableObjectParent::OnCallReceived(IPC::Message const &,IPC::Message * &) 	obj-firefox/ipc/ipdl/PPluginScriptableObjectParent.cpp
47 	xul.dll 	mozilla::plugins::PPluginModuleParent::OnCallReceived(IPC::Message const &,IPC::Message * &) 	obj-firefox/ipc/ipdl/PPluginModuleParent.cpp
48 	xul.dll 	mozilla::ipc::MessageChannel::DispatchInterruptMessage(IPC::Message const &,unsigned int) 	ipc/glue/MessageChannel.cpp
49 	xul.dll 	mozilla::ipc::MessageChannel::InterruptCall(IPC::Message *,IPC::Message *) 	ipc/glue/MessageChannel.cpp
50 	xul.dll 	mozilla::ipc::MessageChannel::Call(IPC::Message *,IPC::Message *) 	ipc/glue/MessageChannel.cpp
51 	xul.dll 	mozilla::plugins::PPluginScriptableObjectParent::CallHasProperty(mozilla::plugins::PPluginIdentifierParent *,bool *) 	obj-firefox/ipc/ipdl/PPluginScriptableObjectParent.cpp
52 	xul.dll 	mozilla::plugins::PluginScriptableObjectParent::ScriptableHasProperty(NPObject *,void *) 	dom/plugins/ipc/PluginScriptableObjectParent.cpp
53 	xul.dll 	NPObjWrapper_NewResolve 	dom/plugins/base/nsJSNPRuntime.cpp
54 	mozjs.dll 	GetPropertyOperation 	js/src/vm/Interpreter.cpp
55 	mozjs.dll 	Interpret 	js/src/vm/Interpreter.cpp
56 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
57 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
58 	mozjs.dll 	js::CallOrConstructBoundFunction(JSContext *,unsigned int,JS::Value *) 	js/src/jsfun.cpp
59 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
60 	mozjs.dll 	js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value const *,JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
61 	mozjs.dll 	JS::Call(JSContext *,JS::Handle<JS::Value>,JS::Handle<JS::Value>,JS::HandleValueArray const &,JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
62 	xul.dll 	mozilla::dom::Function::Call(JSContext *,JS::Handle<JS::Value>,nsTArray<JS::Value> const &,mozilla::ErrorResult &) 	obj-firefox/dom/bindings/FunctionBinding.cpp
63 	xul.dll 	mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >(nsCOMPtr<nsISupports> const &,nsTArray<JS::Value> const &,mozilla::ErrorResult &,mozilla::dom::CallbackObject::ExceptionHandling) 	obj-firefox/dist/include/mozilla/dom/FunctionBinding.h
64 	xul.dll 	nsGlobalWindow::RunTimeoutHandler(nsTimeout *,nsIScriptContext *) 	dom/base/nsGlobalWindow.cpp
65 	xul.dll 	nsGlobalWindow::RunTimeout(nsTimeout *) 	dom/base/nsGlobalWindow.cpp
66 	xul.dll 	nsGlobalWindow::TimerCallback(nsITimer *,void *) 	dom/base/nsGlobalWindow.cpp
67 	xul.dll 	nsTimerImpl::Fire() 	xpcom/threads/nsTimerImpl.cpp
68 	xul.dll 	nsTimerEvent::Run() 	xpcom/threads/nsTimerImpl.cpp
69 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
70 	xul.dll 	NS_ProcessNextEvent(nsIThread *,bool) 	xpcom/glue/nsThreadUtils.cpp
71 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) 	ipc/glue/MessagePump.cpp
72 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
73 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
74 	xul.dll 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
75 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
76 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
77 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
78 	xul.dll 	XREMain::XRE_main(int,char * * const,nsXREAppData const *) 	toolkit/xre/nsAppRunner.cpp
79 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp
80 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp
81 	firefox.exe 	NS_internal_main(int,char * *) 	browser/app/nsBrowserApp.cpp
82 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
83 	firefox.exe 	__tmainCRTStartup 	f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c:552
84 	kernel32.dll 	BaseThreadInitThunk 	
85 	ntdll.dll 	__RtlUserThreadStart 	
86 	ntdll.dll 	_RtlUserThreadStart
cmp     dword ptr [eax+0C5Ch],0
jle     mozjs!NewObject+0x2d5 (67b11e05)
int     3

There is some serious inlining, but this looks like:

JS::AutoAssertOnGC::VerifyIsSafeToGC(JSRuntime *rt)
{
    if (rt->gc.inUnsafeRegion > 0)
        MOZ_CRASH("[AutoAssertOnGC] possible GC in GC-unsafe region");
}

at

JS::AutoAssertOnGC::VerifyIsSafeToGC
CheckAllocatorState
js::gc::AllocateObject<1> 
JSObject::create
NewObject

The crashes stop on June 3rd, right when that code was removed from opt builds by bug 1018568.
Terrence, is your team interested in this? It's no longer crashing, but I imagine that the underlying issue may still be present.
Flags: needinfo?(terrence)
Oh yes, this may be very bad.

Steve, I'm traveling today, can you take a look? I thought we had a SuppressGC in ReportErrorMumble, maybe this path isn't hitting that, the AssertOnGC is higher or maybe we're just checking in the wrong order and this is actually okay?

In any case, thanks for needinfoing me, David!
Blocks: GC.stability
Group: core-security, javascript-core-security
Flags: needinfo?(terrence) → needinfo?(sphink)
Summary: crash in NewObject → crash in JS::AutoAssertOnGC::VerifyIsSafeToGC (NewObject signature)
Component: JavaScript Engine → JavaScript: GC
I duped bug 1021082 to this, but please double check. Maybe it's a different issue tripping the same assert (I don't see ReportError on the stack for that one).
Just verified that we are actually checking suppressGC before making this assertion. This means that we have an AutoAssertOnGC somewhere where this is simply not true. The good news is that we should be able to find it in that stack... somewhere.
Found it. StackIter::settleOnActivation calls subsumes with a suppression, which appears to trigger GC in practice. I've kicked off a static analysis build, which should tell us how hard this is going to be to root across.

https://tbpl.mozilla.org/?tree=Try&rev=d1e94478e7f0
Hopefully on a less broken tip this time:
https://tbpl.mozilla.org/?tree=Try&rev=23423db532df
Okay, Hf should /really/ not be green without the suppression, given that this clearly does GC in practice. Steve, could you take a look?
The hazard may just be gone. I'll do archeology to see why it was added.
Flags: needinfo?(sphink)
The AutoSuppressGCAnalysis was added by Luke in bug 924905 in comment 45, in order to make the Hf failures stop. Presumably he also assumed that subsumes would not ever GC. Unfortunately, the exact hazard he saw has been lost in a long-ago try reset, so we have no way of checking. I think in this case we're just going to have to trust the analysis.

1 - https://bugzilla.mozilla.org/show_bug.cgi?id=924905#c45
This simply removes the suppression. The hazard analysis is still green, so whatever hazard it was added to ignore has since been rooted or otherwise removed.
Assignee: nobody → terrence
Status: NEW → ASSIGNED
Attachment #8437831 - Flags: review?(luke)
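As an added illustration (not SpiderMonkey's code and not the attached patch), the following C++ model shows the guard interaction described in the "Found it" comment and in the patch description above: a runtime assert-on-GC guard, a genuine GC suppression, and an analysis-only suppression around a callee that can allocate. It assumes, as the engine's GCAPI.h of that era documented but this page does not state, that AutoSuppressGCAnalysis is itself an AutoAssertOnGC: it hides its scope from the static rooting-hazard analysis while still asserting at runtime if an allocation that may GC occurs. The GCRuntime fields, the JSPrincipalsSubsume stand-in and the settleOnActivation_* functions are constructed for this example; VerifyIsSafeToGC returns false where the real engine would MOZ_CRASH.

```cpp
// Added illustration, not SpiderMonkey code: a miniature model of the RAII
// GC guards involved in this bug. Names follow the bug report; the runtime
// behaviour of AutoSuppressGCAnalysis is an assumption (see lead-in).
#include <cstdio>

struct GCRuntime {
    int inUnsafeRegion = 0;  // >0 while an AutoAssertOnGC guard is live
    int suppressGC = 0;      // >0 while a runtime AutoSuppressGC guard is live
    int gcCount = 0;         // collections that actually ran in the model
};

// The check from the bug report, in the order the thread confirmed: the
// runtime suppression is consulted before the unsafe-region counter.
// Returns false where the real engine would MOZ_CRASH.
bool VerifyIsSafeToGC(const GCRuntime& rt) {
    if (rt.suppressGC > 0)
        return true;                  // GC cannot run here at all
    return rt.inUnsafeRegion == 0;    // otherwise no assert guard may be live
}

// Assert (at runtime) that no GC happens in the guarded scope.
struct AutoAssertOnGC {
    GCRuntime& rt;
    explicit AutoAssertOnGC(GCRuntime& r) : rt(r) { ++rt.inUnsafeRegion; }
    ~AutoAssertOnGC() { --rt.inUnsafeRegion; }
};

// Really disable GC in the guarded scope.
struct AutoSuppressGC {
    GCRuntime& rt;
    explicit AutoSuppressGC(GCRuntime& r) : rt(r) { ++rt.suppressGC; }
    ~AutoSuppressGC() { --rt.suppressGC; }
};

// Hide the guarded scope from the static rooting-hazard analysis. It does
// not disable GC; it only asserts that none happens (assumed behaviour).
struct AutoSuppressGCAnalysis : AutoAssertOnGC {
    explicit AutoSuppressGCAnalysis(GCRuntime& r) : AutoAssertOnGC(r) {}
};

// Stand-in for the allocation path at the top of the crash stack
// (CheckAllocatorState -> AllocateObject -> NewObject).
bool AllocateObject(GCRuntime& rt) {
    if (!VerifyIsSafeToGC(rt))
        return false;                 // the assertion fired
    if (rt.suppressGC == 0)
        ++rt.gcCount;                 // an allocation may trigger a GC
    return true;
}

// Stand-in for nsScriptSecurityManager::JSPrincipalsSubsume, which the stack
// shows reaching JS_NewObject (and so possibly GC) through XPConnect.
bool JSPrincipalsSubsume(GCRuntime& rt) { return AllocateObject(rt); }

// Pre-fix shape of FrameIter::settleOnActivation: the call is wrapped in an
// analysis suppression whose author believed subsumes could not GC.
bool settleOnActivation_beforeFix(GCRuntime& rt) {
    AutoSuppressGCAnalysis nogc(rt);
    return JSPrincipalsSubsume(rt);   // assertion fires: returns false
}

// After the fix the suppression is gone and the call is simply made; the
// static analysis now has to see the rooting of any live pointers itself.
bool settleOnActivation_afterFix(GCRuntime& rt) {
    return JSPrincipalsSubsume(rt);
}

// What a runtime suppression would do instead: the assertion stays quiet
// because GC is genuinely disabled, not because the analysis looked away.
bool settleOnActivation_runtimeSuppressed(GCRuntime& rt) {
    AutoSuppressGC nogc(rt);
    return JSPrincipalsSubsume(rt);
}

int main() {
    GCRuntime rt;
    std::printf("before fix:          %s\n",
                settleOnActivation_beforeFix(rt) ? "ok" : "assertion fired");
    std::printf("after fix:           %s (GCs so far: %d)\n",
                settleOnActivation_afterFix(rt) ? "ok" : "assertion fired", rt.gcCount);
    std::printf("runtime suppression: %s (GCs so far: %d)\n",
                settleOnActivation_runtimeSuppressed(rt) ? "ok" : "assertion fired", rt.gcCount);
    return 0;
}
```

Compile with any C++11 compiler and run: the before-fix path reports the assertion, the after-fix path allocates (and in the model collects) without complaint, and the runtime-suppressed path allocates without collecting. This is why the remaining question in the thread is whether the hazard analysis stays green once the suppression is removed: an analysis suppression is a claim that the scope cannot GC, the runtime guard is the check on that claim, and when the guard fires it is the claim that needs revisiting.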
Also, this bug is not sec-sensitive, just an incorrect assertion firing.
Group: core-security, javascript-core-security
Attachment #8437831 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/e34edf1ea296
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Terrence: should this fix be uplifted to Aurora 32? The original crash was reported for Nightly 32.
Flags: needinfo?(terrence)
It's just an assertion, so will not impact releases and is unlikely to trigger even in debug builds. I'd say uplifting is not urgent, although it is a trivial patch so would not be hard to uplift either.
Flags: needinfo?(terrence)