Closed
Bug 1138199
Opened 10 years ago
Closed 10 years ago
Crash [@ js::ConstraintTypeSet::sweep] or Assertion failure: addr % CellSize == 0, at gc/Heap.h:1229 with runOffThreadScript
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
RESOLVED
FIXED
mozilla39
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(5 keywords, Whiteboard: [jsbugmon:][adv-main37+][adv-esr31.6+][post-critsmash-triage])
Crash Data
Attachments
(2 files)
770 bytes,
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
1.16 KB,
patch
|
abillings
:
approval-mozilla-aurora+
abillings
:
approval-mozilla-beta+
lmandel
:
approval-mozilla-esr31+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision eea6188b9b05 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2): var lfGlobal = newGlobal(); var src = "var obj = {"; for (var i = 0; i < 140; ++i) { src += "prop" + i + ": 2,"; } src += "}; {"; lfGlobal.offThreadCompileScript(src); lfGlobal.runOffThreadScript(); Backtrace: Program received signal SIGSEGV, Segmentation fault. js::ConstraintTypeSet::sweep (this=0x1b29dd8, zone=0x1b0e280, oom=...) at js/src/vm/TypeInference.cpp:3785 3785 ObjectKey *key = oldArray[i]; #0 js::ConstraintTypeSet::sweep (this=0x1b29dd8, zone=0x1b0e280, oom=...) at js/src/vm/TypeInference.cpp:3785 #1 0x00000000006ea90b in js::ObjectGroup::maybeSweep (this=0x7ffff568e5e0, oom=oom@entry=0x7fffffffd290) at js/src/vm/TypeInference.cpp:3944 #2 0x0000000000a9a595 in SweepThing (group=<optimized out>, oom=0x7fffffffd290) at js/src/jsgc.cpp:5240 #3 SweepArenaList<js::ObjectGroup, js::AutoClearTypeInferenceStateOnOOM*> (sliceBudget=..., arenasToSweep=0x1b0e6e0) at js/src/jsgc.cpp:5249 #4 js::gc::GCRuntime::sweepPhase (this=this@entry=0x1a076c8, sliceBudget=...) at js/src/jsgc.cpp:5292 #5 0x0000000000aa572b in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x1a076c8, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:5941 #6 0x0000000000aa6456 in js::gc::GCRuntime::gcCycle (this=this@entry=0x1a076c8, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6116 #7 0x0000000000aa678d in js::gc::GCRuntime::collect (this=this@entry=0x1a076c8, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6228 #8 0x0000000000aa7a2a in js::gc::GCRuntime::gc (this=this@entry=0x1a076c8, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6289 #9 0x0000000000a26517 in js::DestroyContext (cx=0x1a29b50, mode=js::DCM_FORCE_GC) at js/src/jscntxt.cpp:185 #10 0x0000000000a26814 in JS_DestroyContext (cx=<optimized out>) at js/src/jsapi.cpp:576 #11 0x0000000000425efd in DestroyContext (withGC=true, cx=0x1a29b50) at js/src/shell/js.cpp:5649 #12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6406 rax 0x1b0e7b8 28370872 rbx 0x1b29dd8 28483032 rcx 0x6 6 rdx 0x63614073 1667317875 rsi 0x1 1 rdi 0x1b 27 rbp 0x7fffffffd190 140737488343440 rsp 0x7fffffffd120 140737488343328 r8 0x8 8 r9 0x0 0 r10 0x1b29d50 28482896 r11 0x1b29d30 28482864 r12 0x200 512 r13 0x1b0e280 28369536 r14 0x0 0 r15 0x7ffff000ba10 140737219967504 rip 0x71b6df <js::ConstraintTypeSet::sweep(JS::Zone*, js::AutoClearTypeInferenceStateOnOOM&)+223> => 0x71b6df <js::ConstraintTypeSet::sweep(JS::Zone*, js::AutoClearTypeInferenceStateOnOOM&)+223>: mov (%r14),%r15 0x71b6e2 <js::ConstraintTypeSet::sweep(JS::Zone*, js::AutoClearTypeInferenceStateOnOOM&)+226>: test %r15,%r15 Marking s-s, since this is a GC crash. The signatures vary a little.
Reporter | ||
Updated•10 years ago
|
status-firefox38:
affected → ---
status-firefox39:
--- → affected
Comment 1•10 years ago
|
||
Is this something you could look at, Jon? This could be related to the type sweeping GC crashes we've been seeing.
Component: JavaScript Engine → JavaScript: GC
Flags: needinfo?(jcoppeard)
Comment 2•10 years ago
|
||
I've had a look but I can't see what's going wrong here. We do an off-thread parse of a script that fails due to a syntax error in Parser::blockStatement(). The error is thrown on the main thread in GlobalHelperThreadState::finishParseTask(). When we GC as the context is destroyed we crash in ConstraintTypeSet::sweep() because we have oldCapacity of 64 but oldArray is nullptr. The recent change to finishParseTask() in bug 1137341 doesn't seem implicated since it doesn't cause a GC (in fact there is no GC before the one where we crash). My guess would be something to do with merging the object groups after off thread parsing. Brian, do you have time to take a look at this as you're more familiar with this area?
Flags: needinfo?(jcoppeard) → needinfo?(bhackett1024)
Assignee | ||
Comment 3•10 years ago
|
||
This is an old problem which goes back to bug 909574 I think. If we do an off thread parse and rejoin on the main thread and the main thread's zone's type LifoAlloc is completely empty, then we mess the pointers up a bit when merging in the off thread allocator's state. I don't know if this can be triggered in the browser. It requires the main thread zone's allocator to be completely empty, which would mean that no properties have been added to non-singleton objects, and that no code has run long enough to be baseline compiled. Presumably something like that would happen for a content page to be able to trigger an off thread parse via a <script> tag, but I don't know enough about the browser machinery to say one way or the other.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8573345 -
Flags: review?(wmccloskey)
Updated•10 years ago
|
Blocks: 909574
status-firefox36:
--- → affected
status-firefox37:
--- → affected
status-firefox38:
--- → affected
status-firefox-esr31:
--- → affected
status-firefox-esr38:
--- → affected
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Reporter | ||
Comment 4•10 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment on attachment 8573345 [details] [diff] [review] patch Review of attachment 8573345 [details] [diff] [review]: ----------------------------------------------------------------- What a screwup! Thanks. ::: js/src/ds/LifoAlloc.h @@ +194,4 @@ > > // Append used chunks to the end of this LifoAlloc. We act as if all the > // chunks in |this| are used, even if they're not, so memory may be wasted. > void appendUsed(BumpChunk *start, BumpChunk *latest, BumpChunk *end) { Can you rename this param to latest_ or something so it's a little less crazy? Maybe call the other params first_ and last_ too?
Attachment #8573345 -
Flags: review?(wmccloskey) → review+
Updated•10 years ago
|
status-b2g-v1.4:
--- → affected
status-b2g-v2.0:
--- → affected
status-b2g-v2.0M:
--- → affected
status-b2g-v2.1:
--- → affected
status-b2g-v2.1S:
--- → affected
status-b2g-v2.2:
--- → affected
status-b2g-master:
--- → affected
Assignee | ||
Comment 6•10 years ago
|
||
Patch updated per comments. I used other{First,Latest,Last} for even more bonus readability.
Assignee | ||
Comment 7•10 years ago
|
||
Comment on attachment 8574292 [details] [diff] [review] updated [Security approval request comment] How easily could an exploit be constructed based on the patch? Not easily at all. Exploitability of this bug is unknown. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No. Which older supported branches are affected by this flaw? All. If not all supported branches, which bug introduced the flaw? Off thread parsing. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Trivial. How likely is this patch to cause regressions; how much testing does it need? None. Approval Request Comment [Feature/regressing bug #]: Off thread parsing. [User impact if declined]: Possible UAF, though exploitability is unknown. [Describe test coverage new/current, TreeHerder]: None. [Risks and why]: None.
Attachment #8574292 -
Flags: sec-approval?
Attachment #8574292 -
Flags: approval-mozilla-beta?
Attachment #8574292 -
Flags: approval-mozilla-aurora?
Comment 8•10 years ago
|
||
Comment on attachment 8574292 [details] [diff] [review] updated sec-approval+ and branch approvals.
Attachment #8574292 -
Flags: sec-approval?
Attachment #8574292 -
Flags: sec-approval+
Attachment #8574292 -
Flags: approval-mozilla-beta?
Attachment #8574292 -
Flags: approval-mozilla-beta+
Attachment #8574292 -
Flags: approval-mozilla-aurora?
Attachment #8574292 -
Flags: approval-mozilla-aurora+
Comment 9•10 years ago
|
||
Can we get an ESR31 patch for this as well?
tracking-firefox37:
--- → +
tracking-firefox38:
--- → +
tracking-firefox39:
--- → +
tracking-firefox-esr31:
--- → ?
Assignee | ||
Comment 10•10 years ago
|
||
Comment on attachment 8574292 [details] [diff] [review] updated This patch should apply fine to ESR branches.
Attachment #8574292 -
Flags: approval-mozilla-esr31?
Comment 11•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/dc074235bf94
Flags: in-testsuite?
Comment 12•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/dc074235bf94
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Comment 13•10 years ago
|
||
Comment on attachment 8574292 [details] [diff] [review] updated ESR31+
Attachment #8574292 -
Flags: approval-mozilla-esr31? → approval-mozilla-esr31+
Comment 14•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/1fb8a664e27b https://hg.mozilla.org/releases/mozilla-beta/rev/46392e569cb6 https://hg.mozilla.org/releases/mozilla-esr31/rev/d30cf95d24c5
Comment 15•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/46392e569cb6 https://hg.mozilla.org/releases/mozilla-b2g34_v2_1/rev/19d5fb3ece4c https://hg.mozilla.org/releases/mozilla-b2g32_v2_0/rev/0e8ea792b0da https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/49d75d4d2846
Comment 16•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-b2g34_v2_1s/rev/19d5fb3ece4c https://hg.mozilla.org/releases/mozilla-b2g32_v2_0m/rev/0e8ea792b0da
Updated•10 years ago
|
Updated•10 years ago
|
Whiteboard: [jsbugmon:] → [jsbugmon:][adv-main37+][adv-esr31.6+]
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Whiteboard: [jsbugmon:][adv-main37+][adv-esr31.6+] → [jsbugmon:][adv-main37+][adv-esr31.6+][post-critsmash-triage]
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•