Closed Bug 1172478 Opened 9 years ago Closed 9 years ago

Crash [@ JSObject::allocKindForTenure] or Crash [@ numFixedSlots]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1172498
Tracking Status
firefox41 --- affected

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])

Crash Data

The following testcase crashes on mozilla-central revision 7d4ab4a9febd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --baseline-eager):

function foo() {
  test();
  function test(escape = [], ... propertyIsEnumerable) {
    new test();
  }
}
loadFile(foo.toString() + ";foo();");
function loadFile(x) {
  function newFunc(x) { (new Function(x))() }
  newFunc(x);
}
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
JSObject::allocKindForTenure (this=0x7ffff4e00320, nursery=...) at js/src/jsobj.h:121
#0  JSObject::allocKindForTenure (this=0x7ffff4e00320, nursery=...) at js/src/jsobj.h:121
#1  0x00000000005ed54d in js::TenuringTracer::moveToTenured (this=0x7fffffe466d0, src=0x7ffff4e00320) at js/src/gc/Marking.cpp:1852
#2  0x00000000005ed7bb in js::TenuringTracer::traverse<JSObject*> (this=<optimized out>, objp=0x7fffffe460e0) at js/src/gc/Marking.cpp:1719
#3  0x00000000005ed866 in js::TenuringTracer::traverse<JS::Value> (this=<optimized out>, valp=0x7ffffff4b2a8) at js/src/gc/Marking.cpp:1730
#4  0x000000000061eeb5 in DispatchToTracer<JS::Value> (trc=<optimized out>, thingp=<optimized out>, name=<optimized out>) at js/src/gc/Marking.cpp:585
#5  0x000000000061f076 in js::TraceRootRange<JS::Value> (trc=trc@entry=0x7fffffe466d0, len=3, vec=vec@entry=0x7ffffff4b298, name=name@entry=0xd9bbb6 "baseline-args") at js/src/gc/Marking.cpp:472
#6  0x000000000082fd71 in js::jit::BaselineFrame::trace (this=0x7ffffff4b228, trc=trc@entry=0x7fffffe466d0, frameIterator=...) at js/src/jit/BaselineFrame.cpp:40
#7  0x000000000090b8f3 in MarkJitActivation (activations=..., trc=<optimized out>) at js/src/jit/JitFrames.cpp:1524
#8  js::jit::MarkJitActivations (rt=<optimized out>, trc=trc@entry=0x7fffffe466d0) at js/src/jit/JitFrames.cpp:1558
#9  0x00000000008039f1 in js::gc::GCRuntime::markRuntime (this=this@entry=0x7ffff693c350, trc=trc@entry=0x7fffffe466d0, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::TraceRuntime, rootsSource=rootsSource@entry=js::gc::GCRuntime::TraceRoots) at js/src/gc/RootMarking.cpp:515
#10 0x00000000005f38a2 in js::Nursery::collect (this=this@entry=0x7ffff693c3a8, rt=0x7ffff693c000, reason=reason@entry=JS::gcreason::OUT_OF_NURSERY, pretenureGroups=pretenureGroups@entry=0x7fffffe46950) at js/src/gc/Nursery.cpp:452
#11 0x0000000000ae88b5 in js::gc::GCRuntime::minorGCImpl (this=this@entry=0x7ffff693c350, reason=reason@entry=JS::gcreason::OUT_OF_NURSERY, pretenureGroups=pretenureGroups@entry=0x7fffffe46950) at js/src/jsgc.cpp:6371
#12 0x0000000000ae915e in js::gc::GCRuntime::minorGC (this=this@entry=0x7ffff693c350, cx=cx@entry=0x7ffff691b4e0, reason=reason@entry=JS::gcreason::OUT_OF_NURSERY) at js/src/jsgc.cpp:6383
#13 0x000000000061e30a in tryNewNurseryObject<(js::AllowGC)1> (clasp=0x1a023c0 <js::ArrayObject::class_>, nDynamicSlots=0, thingSize=96, cx=0x7ffff691b4e0, this=0x7ffff693c350) at js/src/gc/Allocator.cpp:157
#14 js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0x7ffff691b4e0, kind=kind@entry=js::gc::OBJECT8_BACKGROUND, nDynamicSlots=0, heap=heap@entry=js::gc::DefaultHeap, clasp=0x1a023c0 <js::ArrayObject::class_>) at js/src/gc/Allocator.cpp:123
#15 0x000000000050954f in js::ArrayObject::createArrayInternal (cx=0x7ffff691b4e0, kind=js::gc::OBJECT8_BACKGROUND, heap=js::gc::DefaultHeap, shape=..., group=...) at js/src/vm/ArrayObject-inl.h:52
#16 0x00000000005096ec in js::ArrayObject::createArray (cx=cx@entry=0x7ffff691b4e0, kind=kind@entry=js::gc::OBJECT8_BACKGROUND, heap=<optimized out>, shape=..., shape@entry=..., group=..., group@entry=..., length=length@entry=0) at js/src/vm/ArrayObject-inl.h:81
#17 0x00000000004f956e in NewArray<268435456u> (cxArg=0x7ffff691b4e0, length=0, protoArg=..., newKind=js::GenericObject) at js/src/jsarray.cpp:3492
#18 0x00000000004fa753 in NewDenseFullyAllocatedArray (newKind=<optimized out>, proto=..., length=<optimized out>, cx=0x7ffff691b4e0) at js/src/jsarray.cpp:3532
#19 js::NewDenseArray (cx=0x7ffff691b4e0, length=<optimized out>, group=..., allocating=js::NewArray_FullyAllocating, convertDoubleElements=<optimized out>) at js/src/jsarray.cpp:3566
#20 0x00007ffff7fed26d in ?? ()
#21 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff4e00320	140737301709600
rcx	0x1a023c0	27272128
rdx	0x7ffff693c3a8	140737330267048
rsi	0x7ffff693c3a8	140737330267048
rdi	0x7ffff4e00320	140737301709600
rbp	0x7fffffe46040	140737486544960
rsp	0x7fffffe46030	140737486544944
r8	0x7ffff470ff40	140737294434112
r9	0x7ffff470ff10	140737294434064
r10	0x1	1
r11	0x283	643
r12	0x2	2
r13	0x7fffffe466d0	140737486546640
r14	0x3	3
r15	0x7ffffff4b2a8	140737487614632
rip	0xaefd54 <JSObject::allocKindForTenure(js::Nursery const&) const+20>
=> 0xaefd54 <JSObject::allocKindForTenure(js::Nursery const&) const+20>:	mov    (%rax),%rdx
   0xaefd57 <JSObject::allocKindForTenure(js::Nursery const&) const+23>:	cmp    %rcx,%rdx


This bug easily changes its crash signature, so it would be good to fix this first (marking fuzzblocker). Maybe it's already on file with a different signature as well.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/89ac61464a45
user:        Kartikaya Gupta
date:        Thu Jun 04 13:44:55 2015 -0400
summary:     Bug 1164218 - Enable some guinea pig tests to run in chaos mode. r=botond

This iteration took 200.605 seconds to run.
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision e10e2e8d8bf2).
Group: core-security
This looks GCish. Can you take a look, Terrence? Thanks.
Flags: needinfo?(terrence)
I was able to reproduce, but on closer inspection it looks like it may be a jit issue.

I got a couple of crashes here. In one, we allocate a nursery object under jit::DoNewArray. The slots for this happen to land at nursery + 0x320. Later we are marking the runtime when collecting the nursery; we visit a baseline frame's args and one of the args is ObjectValue(nursery + 0x320). This is in the middle of an object, so I'm really not sure what's going on here.

There were some other examples as well; the most common one was similar to the above, but the baseline frame args point into swept nursery.

In any case, I'm going to have to punt this over to JS::JIT in hopes that it will be easier to debug from that side.
Flags: needinfo?(terrence) → needinfo?(jdemooij)
I can reproduce this with the revision in comment 0 but not on tip, so I did a bisection:

The first good revision is:
changeset:   250964:c6a517d18f12
user:        Eric Faust <efaustbmo@mozilla.com>
date:        Tue Jun 23 09:19:36 2015 -0700
summary:     Bug 1172498 - Properly mark ion frame new.target values. (r=jandem)

I think this makes sense, considering the testcase and comment 4: if Ion doesn't properly trace its new.target and we bail to Baseline and then GC again, we'll mark a bogus Value.

(It crashes about 50% of the time for me, that probably confused the bisection in comment 1.)
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-high
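The mechanism described in comments 4 and 5 (a frame slot the collector never traces, left holding a pre-GC pointer into a moved-out-of and reused nursery) can be reproduced in miniature outside the engine. The following is an added illustration written for this page; it is not SpiderMonkey code and not the fix from bug 1172498. The names (Obj, Frame, nursery_alloc, minor_gc, run_scenario) and the fixed-size bump-allocated nursery are simplifying assumptions; the `new_target` slot stands in for the Ion frame's untraced new.target value.

```c
/* Added example (not SpiderMonkey code): a toy moving nursery showing how
 * one untraced frame slot becomes a dangling pointer after a minor GC. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NURSERY_BYTES 256
#define TENURED_MAX   16

typedef struct Obj {
    uint32_t    tag;      /* OBJ_LIVE, or OBJ_FORWARDED once moved */
    struct Obj *forward;  /* tenured address after the move */
    int         payload;
} Obj;

enum { OBJ_LIVE = 0x4f424a, OBJ_FORWARDED = 0x465744 };

static uint8_t nursery[NURSERY_BYTES];   /* bump-allocated nursery (assumed model) */
static size_t  nursery_top;
static Obj     tenured[TENURED_MAX];     /* where survivors are copied to */
static size_t  tenured_top;

/* Simulated activation frame holding two object pointers. */
typedef struct Frame {
    Obj *arg;         /* a slot the collector always traces */
    Obj *new_target;  /* the slot the bug left untraced (hypothetical stand-in) */
} Frame;

static bool in_nursery(const void *p) {
    const uint8_t *b = (const uint8_t *)p;
    return b >= nursery && b < nursery + NURSERY_BYTES;
}

static Obj *nursery_alloc(int payload) {
    if (nursery_top + sizeof(Obj) > NURSERY_BYTES) return NULL;
    Obj *o = (Obj *)(nursery + nursery_top);
    nursery_top += sizeof(Obj);
    o->tag = OBJ_LIVE; o->forward = NULL; o->payload = payload;
    return o;
}

/* Move the nursery object a slot points at into the tenured heap and
 * update the slot; follow an existing forwarding pointer if already moved. */
static void trace_slot(Obj **slot) {
    Obj *o = *slot;
    if (!o || !in_nursery(o)) return;
    if (o->tag == OBJ_FORWARDED) { *slot = o->forward; return; }
    Obj *dst = &tenured[tenured_top++];
    *dst = *o;
    o->tag = OBJ_FORWARDED; o->forward = dst;
    *slot = dst;
}

/* Minor GC: trace the roots we know about, then poison and reset the nursery. */
static void minor_gc(Frame *f, bool trace_new_target) {
    trace_slot(&f->arg);
    if (trace_new_target) trace_slot(&f->new_target);
    memset(nursery, 0xAB, NURSERY_BYTES);  /* stands in for a swept nursery */
    nursery_top = 0;
}

/* Returns the payload reachable through new_target after a GC, or -1 if the
 * slot still points into the (now swept) nursery, i.e. it is dangling. */
static int run_scenario(bool trace_new_target) {
    nursery_top = 0; tenured_top = 0;
    Frame f;
    f.arg        = nursery_alloc(1);
    f.new_target = nursery_alloc(2);
    minor_gc(&f, trace_new_target);
    if (in_nursery(f.new_target)) return -1;
    return f.new_target->payload;
}

/* The second-order effect seen in comment 4: once the nursery is reused, the
 * stale slot silently aliases whatever unrelated object lands on those bytes. */
static bool stale_slot_aliases_fresh_object(void) {
    nursery_top = 0; tenured_top = 0;
    Frame f;
    f.arg        = nursery_alloc(1);
    f.new_target = nursery_alloc(2);
    Obj *stale = f.new_target;
    minor_gc(&f, false);                  /* buggy collection: slot not traced */
    (void)nursery_alloc(10);              /* reoccupies the nursery */
    Obj *fresh = nursery_alloc(20);
    return stale == fresh && f.new_target->payload == 20;
}

int main(void) {
    printf("traced:   %d\n", run_scenario(true));
    printf("untraced: %d\n", run_scenario(false));
    printf("aliases fresh object: %s\n", stale_slot_aliases_fresh_object() ? "yes" : "no");
    return 0;
}
```

With `trace_new_target` true the slot is forwarded to the tenured copy and reads its payload; with it false the slot keeps its pre-GC address, which after the reset points at poisoned memory and, after the next allocations, at an unrelated live object. A real engine's object layout is not fixed-size, so the stale pointer can equally land in the middle of a larger object, which is the "middle of an object" address reported in comment 4.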