Crash [@ js::CallObject::createTemplateObject] or Crash [@ numFixedSlots] with Debugger

RESOLVED FIXED in Firefox 40

Product: Core
Component: JavaScript Engine
Severity: critical
Status: RESOLVED FIXED
Reporter: decoder
Assignee: Unassigned
Keywords: crash, regression, testcase
Blocks: 1 bug
Version: Trunk
Target Milestone: mozilla40
Platform: x86_64 Linux
Firefox Tracking Flags: firefox40 fixed
Whiteboard: [jsbugmon:update,bisect], crash signature
Attachments: 1 attachment

(Reporter)

Description

3 years ago
The following testcase crashes on mozilla-central revision dc5f85980a82 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --thread-count=2 --unboxed-objects --ion-eager --ion-check-range-analysis):

var lfcode = new Array();
function t() {}
lfcode.push("var dbg = Debugger(t); dbg.onEnterFrame = function (frame) { env = frame.environment; };");
lfcode.push("Function.prototype(1,true,false,'string', new Boolean(),null)");
while (true) {
  var file = lfcode.shift(); if (file == undefined) { break; }
  loadFile(file)
}
function loadFile(lfVarx) {
    try {
        var lfGlobal = newGlobal();
        for (lfLocal in this) { 
            if (!(lfLocal in lfGlobal))
                lfGlobal[lfLocal] = this[lfLocal]; 
        }
        lfGlobal.offThreadCompileScript(lfVarx);
        lfGlobal.runOffThreadScript();
        evaluate(lfVarx, { noScriptRval : true, compileAndGo : true }); 
    } catch (lfVare) {}
}
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::CallObject::createTemplateObject (cx=cx@entry=0x7ffff69820f0, script=script@entry=..., heap=js::gc::DefaultHeap) at js/src/vm/ScopeObject.cpp:186
#0  js::CallObject::createTemplateObject (cx=cx@entry=0x7ffff69820f0, script=script@entry=..., heap=js::gc::DefaultHeap) at js/src/vm/ScopeObject.cpp:186
#1  0x00000000005e352f in js::CallObject::create (cx=cx@entry=0x7ffff69820f0, script=script@entry=..., enclosing=..., enclosing@entry=..., callee=...) at js/src/vm/ScopeObject.cpp:211
#2  0x00000000005e3d3f in js::CallObject::createForFunction (cx=cx@entry=0x7ffff69820f0, enclosing=..., enclosing@entry=..., callee=..., callee@entry=...) at js/src/vm/ScopeObject.cpp:245
#3  0x00000000005e3e0e in js::CallObject::createForFunction (cx=cx@entry=0x7ffff69820f0, frame=...) at js/src/vm/ScopeObject.cpp:257
#4  0x00000000005ebe7b in GetDebugScopeForMissing (si=..., cx=0x7ffff69820f0) at js/src/vm/ScopeObject.cpp:2397
#5  GetDebugScope (cx=0x7ffff69820f0, si=...) at js/src/vm/ScopeObject.cpp:2469
#6  0x00000000005ec6e7 in js::GetDebugScopeForFrame (cx=cx@entry=0x7ffff69820f0, frame=..., pc=pc@entry=0x7ffff6904169 "\231") at js/src/vm/ScopeObject.cpp:2497
#7  0x0000000000579085 in DebuggerFrame_getEnvironment (cx=cx@entry=0x7ffff69820f0, argc=argc@entry=0, vp=vp@entry=0x7fffffff94d0) at js/src/vm/Debugger.cpp:5833
#8  0x00000000006adba8 in js::jit::DoCallNativeGetter (cx=0x7ffff69820f0, callee=..., obj=..., result=...) at js/src/jit/BaselineIC.cpp:1661
#9  0x00007ffff7feefec in ?? ()
[...]
#46 0x00007ffff69820f0 in ?? ()
#47 0x00000000006ab1bb in EnterBaseline (cx=0x7fffffff9570, cx@entry=0x7ffff69820f0, data=...) at js/src/jit/BaselineJIT.cpp:125
#48 0x00000000006b5a5b in js::jit::EnterBaselineMethod (cx=cx@entry=0x7ffff69820f0, state=...) at js/src/jit/BaselineJIT.cpp:156
#49 0x000000000058bb64 in js::RunScript (cx=cx@entry=0x7ffff69820f0, state=...) at js/src/vm/Interpreter.cpp:667
#50 0x000000000058be6d in js::Invoke (cx=cx@entry=0x7ffff69820f0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746
#51 0x000000000058d2ea in js::Invoke (cx=cx@entry=0x7ffff69820f0, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffa320, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:783
#52 0x000000000058eb2c in js::Debugger::fireEnterFrame (this=this@entry=0x7ffff69a0400, cx=cx@entry=0x7ffff69820f0, frame=..., vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1242
#53 0x000000000058eef4 in js::Debugger::slowPathOnEnterFrame (cx=cx@entry=0x7ffff69820f0, frame=...) at js/src/vm/Debugger.cpp:564
#54 0x00000000008267ed in onEnterFrame (frame=..., cx=0x7ffff69820f0) at js/src/vm/Debugger-inl.h:42
#55 js::jit::DebugPrologue (cx=0x7ffff69820f0, frame=0x7fffffffa558, pc=0x7ffff6904169 "\231", mustReturn=0x7fffffffa51c) at js/src/jit/VMFunctions.cpp:662
#56 0x00007ffff7ff0e64 in ?? ()
#57 0x000000000000023d in ?? ()
#58 0x00007fffffffa51c in ?? ()
#59 0x00007fffffffa528 in ?? ()
#60 0x0000000000000001 in ?? ()
#61 0x0000000001726f00 in StrictEvalPrologueInfo ()
#62 0x00007ffff52527f0 in ?? ()
[...]
#95 0x00007ffff69820f0 in ?? ()
#96 0x00000000006ab1bb in EnterBaseline (cx=0x7fffffffa598, cx@entry=0x7ffff69820f0, data=...) at js/src/jit/BaselineJIT.cpp:125
#97 0x00000000006b5a5b in js::jit::EnterBaselineMethod (cx=cx@entry=0x7ffff69820f0, state=...) at js/src/jit/BaselineJIT.cpp:156
#98 0x000000000058bb64 in js::RunScript (cx=cx@entry=0x7ffff69820f0, state=...) at js/src/vm/Interpreter.cpp:667
#99 0x000000000058be6d in js::Invoke (cx=cx@entry=0x7ffff69820f0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:746
#100 0x000000000058d2ea in js::Invoke (cx=cx@entry=0x7ffff69820f0, thisv=..., fval=..., argc=argc@entry=6, argv=argv@entry=0x7fffffffb5c8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:783
#101 0x000000000071b7ee in js::jit::DoCallFallback (cx=0x7ffff69820f0, frame=0x7fffffffb658, stub_=0x7ffff50fd358, argc=6, vp=0x7fffffffb5b8, res=...) at js/src/jit/BaselineIC.cpp:10212
#102 0x00007ffff7fedf84 in ?? ()
[...]
#127 0xfffc7ffff5300030 in ?? ()
rax	0x0	0
rbx	0x7ffff69820f0	140737330553072
rcx	0x152ab	86699
rdx	0x7fffffff8a10	140737488325136
rsi	0xb	11
rdi	0x7ffff6982120	140737330553120
rbp	0x7fffffff8af0	140737488325360
rsp	0x7fffffff89f0	140737488325104
r8	0x0	0
r9	0xf942b288	4181897864
r10	0x7ffff69820f0	140737330553072
r11	0x7ffff5021540	140737303942464
r12	0x0	0
r13	0x7fffffff89f0	140737488325104
r14	0x7fffffff8ad0	140737488325328
r15	0x578f20	5738272
rip	0x5e3409 <js::CallObject::createTemplateObject(JSContext*, JS::Handle<JSScript*>, js::gc::InitialHeap)+121>
=> 0x5e3409 <js::CallObject::createTemplateObject(JSContext*, JS::Handle<JSScript*>, js::gc::InitialHeap)+121>:	mov    0x10(%rax),%eax
   0x5e340c <js::CallObject::createTemplateObject(JSContext*, JS::Handle<JSScript*>, js::gc::InitialHeap)+124>:	shr    $0x1b,%eax

Comment 1

3 years ago
Created attachment 8601337
When initializing a trivial script, also initialize its call object shape to the empty shape.

This fuzz test is trying to get the frame.environment of a frame inside Function.prototype, which has a nullptr callObjShape.

I'm trying to reduce the test but I don't have the enthusiasm to try very hard.
Attachment #8601337 - Flags: review?(jimb)
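As an added illustration, not code from this bug or from SpiderMonkey: a simplified C model of the crash in the description and of the fix described in the attachment. It assumes the layout implied by the faulting instructions in the register dump (rax == 0 with `mov 0x10(%rax),%eax; shr $0x1b,%eax`), i.e. the fixed-slot count is read from a 32-bit word 16 bytes into the shape and lives in its top 5 bits; all struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified model; not SpiderMonkey's real definitions. The
 * layout mirrors the faulting instructions in the report, `mov 0x10(%rax),%eax;
 * shr $0x1b,%eax` with rax == 0: the fixed-slot count is read from the 32-bit
 * word 16 bytes into the shape and lives in its top 5 bits (shift 27). */
#define FIXED_SLOTS_SHIFT 27

typedef struct Shape {
    void *base;         /* offset 0, placeholder */
    void *propid;       /* offset 8, placeholder */
    uint32_t slot_info; /* offset 0x10: the word the crashing load reads */
} Shape;

typedef struct Script {
    bool trivial;          /* e.g. Function.prototype, whose body is empty */
    Shape *call_obj_shape; /* NULL is the bug: nothing ever set it */
} Script;

static Shape g_empty_shape = { NULL, NULL, 0 }; /* no properties, 0 fixed slots */

static uint32_t num_fixed_slots(const Shape *shape) {
    return shape->slot_info >> FIXED_SLOTS_SHIFT; /* the `shr $0x1b` */
}

/* Before the fix: initialising a trivial script leaves the shape unset. */
static void init_trivial_script_before(Script *s) {
    s->trivial = true;
    s->call_obj_shape = NULL;
}

/* After the fix (per the attachment description): use the empty shape. */
static void init_trivial_script_after(Script *s) {
    s->trivial = true;
    s->call_obj_shape = &g_empty_shape;
}

/* Stand-in for createTemplateObject, reached when Debugger's frame.environment
 * forces a call object for the frame. Returns the template's fixed-slot count,
 * or -1 instead of dereferencing NULL (the real code had no such check, so it
 * read address 0x10 and took SIGSEGV). */
static int template_object_fixed_slots(const Script *s) {
    if (s->call_obj_shape == NULL)
        return -1;
    return (int)num_fixed_slots(s->call_obj_shape);
}

static int slots_before_fix(void) { Script s; init_trivial_script_before(&s); return template_object_fixed_slots(&s); }
static int slots_after_fix(void)  { Script s; init_trivial_script_after(&s);  return template_object_fixed_slots(&s); }
```

With the fix applied the template object is built from the empty shape (0 fixed slots) and the Debugger's environment lookup succeeds instead of faulting.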

Comment 2

3 years ago
The following crashes for me, same stack.

var g = newGlobal();
var dbg = new Debugger(g);
dbg.onEnterFrame = function (frame) { frame.environment; };
g.Function.prototype();

Comment 3

3 years ago
Comment on attachment 8601337
When initializing a trivial script, also initialize its call object shape to the empty shape.

Review of attachment 8601337:
-----------------------------------------------------------------

Thanks for the fix. r=me with some test case added, either mine, the original, or something you came up with. But it must have a test.
Attachment #8601337 - Flags: review?(jimb) → review+

Comment 4

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/cb1b4b057dad
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/27bd818ba469 for Linux64 debug cgc failures like https://treeherder.mozilla.org/logviewer.html#?job_id=9620747&repo=mozilla-inbound
Flags: needinfo?(shu)

Comment 6

3 years ago
This patch perturbed GC state enough to surface an independent bug. Filed bug 1161362.
Flags: needinfo?(shu)

Comment 7

3 years ago
Wait, no, this is bug 1161362. Filed bug 1162413.
Depends on: 1162413

Updated

3 years ago
Depends on: 1161968
No longer depends on: 1162413

Comment 8

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/4923c566a7f2
https://hg.mozilla.org/mozilla-central/rev/4923c566a7f2
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox40: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40