Closed Bug 1028863 Opened 10 years ago Closed 10 years ago

Assertion failure: hasTwoByteChars(), at vm/String.h:1460 or Crash [@ js::StringBuffer::append] with saveStack

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla33
Tracking Flags:
Tracking Status
firefox33 --- affected

People

(Reporter: decoder, Assigned: jonco)

References

Details

(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])

Attachments

(2 files, 2 obsolete files)

[crash-signature] Machine-readable crash signature
535 bytes, text/plain
Details
bug1028863-root-lookup
17.29 KB, patch
terrence
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision 366b5c0c02d3 (run with --fuzzing-safe):


function writeTestCaseResult( expect, actual, string ) {}
schedulegc(10);
if (saveStack() == 3) done = true;
Marked as fuzzblocker because this triggers quite easily.
status-firefox33: --- → affected
Keywords: crash
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Assignee: nobody → jcoppeard

        Attachment #8444337 -
        Attachment is obsolete: true

    
    

    
  


  

        Attachment #8444344 -
        Attachment is obsolete: true

    
  
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]

    
    

    
  
JSBugMon: Bisection requested, failed due to error (try manually).

    
    

    
  
SavedStacks::insertFrames() does this:

    SavedFrame::Lookup lookup(location.source,
                              location.line,
                              location.column,
                              callee ? callee->displayAtom() : nullptr,
                              parentFrame,
                              thisFrame.compartment()->principals);

    frame.set(getOrCreateSavedFrame(cx, lookup));


Lookup contains unrooted GC things and getOrCreateSavedFrame() creates an new JSObject before using its contents, so this should really be a rooting hazard.  However, lookup is passed as a reference so at a guess the analysis assumes it's rooted in createFrameFromLookup() where it's is used after the possibility of GC.

I checked and this is one of our unsafe refs:

Function '_ZN2js11SavedStacks12insertFramesEP9JSContextRNS_15ScriptFrameIterEN2JS13MutableHandleIPNS_10SavedFrameEEE|uint8 js::SavedStacks::insertFrames(JSContext*, js::ScriptFrameIter*, class JS::MutableHandle<js::SavedFrame*>)' takes unsafe address of unrooted 'lookup' at js/src/vm/SavedStacks.cpp:464
    js/src/vm/SavedStacks.cpp:464: Call(35,36, __temp_14 := this*.getOrCreateSavedFrame(cx*,lookup))

It would be great if we could make this be reported as a hazard somehow.  It also means we should audit the unsafe refs list again.

    
    

    
  


  
Add an autorooter for SavedFrame::Lookup and use this to root Lookup around object creation.

I also added typedefs for HandleSavedFrame etc.

        Attachment #8444427 -
        Flags: review?(terrence)

    
    

    
  
Comment on attachment 8444427 [details] [diff] [review]
bug1028863-root-lookup

Review of attachment 8444427 [details] [diff] [review]:
-----------------------------------------------------------------

Gah! When reviewing, I walked through the places where a Lookup is on the stack call by call with mrgiggles and figured the analysis would catch anything I missed. Just goes to show how impossible this stuff is to get right even with all the helpful tools we've built. I'd consider this bug as solid positive evidence that we need to take the time to push the unsafe refs to 0 too: I'll add it to our list for triaging.

        Attachment #8444427 -
        Flags: review?(terrence) → review+

    
    

    
  
> JSBugMon: Bisection requested, failed due to error (try manually).

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/466812b83481
user:        Nick Fitzgerald
date:        Tue Jun 17 16:32:00 2014 -0400
summary:     Bug 1004110 - Memoize PCToLineNumber lookups in SavedStacks. r=terrence

Guessing this might be due to bug 1004110...
Blocks: 1004110
Keywords: regression

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/6dbb4388563b
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: