Closed Bug 1188288 Opened 4 years ago Closed 3 years ago

Crash [@ MustSkipMarking<JSObject*>]

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1205937
Tracking Status
firefox42 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision d3228c82badd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --baseline-eager):

gczeal(2, 2)
var g1 = newGlobal();
g1.eval('function f() { return "from f"; }');
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
MustSkipMarking<JSObject*> (obj=0x7fffffffffff) at js/src/gc/Marking.cpp:619
#0  MustSkipMarking<JSObject*> (obj=0x7fffffffffff) at js/src/gc/Marking.cpp:619
#1  DoMarking<JSObject*> (thing=0x7fffffffffff, gcmarker=0x7ffff6941f78) at js/src/gc/Marking.cpp:655
#2  operator()<JSObject> (this=<synthetic pointer>, gcmarker=0x7ffff6941f78, t=0x7fffffffffff) at js/src/gc/Marking.cpp:667
#3  js::DispatchValueTyped<DoMarkingFunctor<JS::Value>, js::GCMarker*&>(DoMarkingFunctor<JS::Value>, JS::Value const&, (decltype ({parm#1}((JSObject*)((decltype(nullptr))0), (Forward<js::GCMarker*&>)({parm#3})))&&)...) (f=..., val=...) at ../../dist/include/js/Value.h:1894
#4  0x000000000056f108 in DoMarking<JS::Value> (val=..., gcmarker=0x7ffff6941f78) at js/src/gc/Marking.cpp:674
#5  DispatchToTracer<JS::Value> (name=0xb9d9c0 "baseline-evalNewTarget", thingp=0x7fffffffc198, trc=0x7ffff6941f78) at js/src/gc/Marking.cpp:593
#6  js::TraceRoot<JS::Value> (trc=trc@entry=0x7ffff6941f78, thingp=thingp@entry=0x7fffffffc198, name=name@entry=0xb9d9c0 "baseline-evalNewTarget") at js/src/gc/Marking.cpp:449
#7  0x00000000006f38c9 in js::jit::BaselineFrame::trace (this=0x7fffffffc128, trc=trc@entry=0x7ffff6941f78, frameIterator=...) at js/src/jit/BaselineFrame.cpp:53
#8  0x000000000079bc94 in MarkJitActivation (activations=..., trc=0x7ffff6941f78) at js/src/jit/JitFrames.cpp:1541
#9  js::jit::MarkJitActivations (rt=<optimized out>, trc=trc@entry=0x7ffff6941f78) at js/src/jit/JitFrames.cpp:1576
#10 0x00000000006c2e85 in js::gc::GCRuntime::markRuntime (this=this@entry=0x7ffff693c330, trc=trc@entry=0x7ffff6941f78, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::MarkRuntime, rootsSource=rootsSource@entry=js::gc::GCRuntime::TraceRoots) at js/src/gc/RootMarking.cpp:430
#11 0x00000000009299ba in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x7ffff693c330, reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:3914
#12 0x0000000000932151 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff693c330, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:5802
#13 0x0000000000932eb5 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff693c330, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6047
#14 0x0000000000933156 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff693c330, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6161
#15 0x0000000000934499 in gc (reason=<optimized out>, gckind=<optimized out>, this=<optimized out>) at js/src/jsgc.cpp:6222
#16 js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff693c330) at js/src/jsgc.cpp:6662
#17 0x00000000005380cf in js::gc::GCRuntime::gcIfNeededPerAllocation (this=0x7ffff693c330, cx=cx@entry=0x7ffff698d210) at js/src/gc/Allocator.cpp:28
#18 0x00000000005636a7 in checkAllocatorState<(js::AllowGC)1> (kind=js::gc::SHAPE, cx=0x7ffff698d210, this=<optimized out>) at js/src/gc/Allocator.cpp:55
#19 js::Allocate<js::Shape, (js::AllowGC)1> (cx=cx@entry=0x7ffff698d210) at js/src/gc/Allocator.cpp:211
#20 0x0000000000651a31 in js::NativeObject::getChildPropertyOnDictionary (cx=cx@entry=0x7ffff698d210, obj=obj@entry=..., parent=..., parent@entry=..., child=...) at js/src/vm/Shape.cpp:388
#21 0x0000000000651dbb in js::NativeObject::getChildProperty (cx=cx@entry=0x7ffff698d210, obj=obj@entry=..., parent=parent@entry=..., unrootedChild=...) at js/src/vm/Shape.cpp:406
#22 0x00000000006598b6 in js::NativeObject::addPropertyInternal (cx=cx@entry=0x7ffff698d210, obj=obj@entry=..., id=id@entry=..., getter=0x0, setter=0x0, slot=16777215, attrs=attrs@entry=1, flags=flags@entry=0, entry=entry@entry=0x7ffff694da68, allowDictionary=allowDictionary@entry=true) at js/src/vm/Shape.cpp:581
#23 0x00000000006607f9 in js::NativeObject::putProperty (cx=cx@entry=0x7ffff698d210, obj=obj@entry=..., id=..., id@entry=..., getter=0x0, setter=0x0, slot=slot@entry=16777215, attrs=1, flags=flags@entry=0) at js/src/vm/Shape.cpp:729
#24 0x0000000000606be3 in AddOrChangeProperty (cx=cx@entry=0x7ffff698d210, obj=obj@entry=..., id=id@entry=..., desc=...) at js/src/vm/NativeObject.cpp:1152
#25 0x0000000000607bb5 in js::NativeDefineProperty (cx=0x7ffff698d210, obj=..., id=..., desc_=..., desc_@entry=..., result=...) at js/src/vm/NativeObject.cpp:1517
#26 0x00000000008f54ef in js::DefineProperty (cx=cx@entry=0x7ffff698d210, obj=..., obj@entry=..., id=..., id@entry=..., value=..., getter=getter@entry=0x0, setter=setter@entry=0x0, attrs=attrs@entry=1, result=...) at js/src/jsobj.cpp:2626
#27 0x00000000008f56e9 in DefineProperty (attrs=1, setter=0x0, getter=0x0, value=..., id=..., obj=..., cx=0x7ffff698d210) at js/src/jsobj.cpp:2657
#28 js::DefineProperty (cx=cx@entry=0x7ffff698d210, obj=..., obj@entry=..., name=<optimized out>, value=..., value@entry=..., getter=getter@entry=0x0, setter=setter@entry=0x0, attrs=1) at js/src/jsobj.cpp:2673
#29 0x00000000005a481e in js::DefFunOperation (cx=0x7ffff698d210, script=..., scopeChain=..., funArg=...) at js/src/vm/Interpreter.cpp:4260
#30 0x00007ffff7ff059e in ?? ()
#31 0x0000000000000000 in ?? ()
rax	0xffffffffffffffff	-1
rbx	0x7fffffffffff	140737488355327
rcx	0xfffbffffffffffff	-1125899906842625
rdx	0x7fffffffffe8	140737488355304
rsi	0x7fffffffffff	140737488355327
rdi	0x7fffffffb2c0	140737488335552
rbp	0x7ffff6941f78	140737330290552
rsp	0x7fffffffb290	140737488335504
r8	0x7ffff7efe0a0	140737353080992
r9	0x2000000000	137438953472
r10	0x2000000000	137438953472
r11	0x0	0
r12	0x7fffffffc128	140737488339240
r13	0x7fffffffb370	140737488335728
r14	0x7fffffffb3a0	140737488335776
r15	0x7fffffffb3a0	140737488335776
rip	0x56b799 <js::DispatchValueTyped<DoMarkingFunctor<JS::Value>, js::GCMarker*&>(DoMarkingFunctor<JS::Value>, JS::Value const&, (decltype ({parm#1}((JSObject*)((decltype(nullptr))0), (Forward<js::GCMarker*&>)({parm#3})))&&)...)+105>
=> 0x56b799 <js::DispatchValueTyped<DoMarkingFunctor<JS::Value>, js::GCMarker*&>(DoMarkingFunctor<JS::Value>, JS::Value const&, (decltype ({parm#1}((JSObject*)((decltype(nullptr))0), (Forward<js::GCMarker*&>)({parm#3})))&&)...)+105>:	testb  $0x1,(%rdx)
   0x56b79c <js::DispatchValueTyped<DoMarkingFunctor<JS::Value>, js::GCMarker*&>(DoMarkingFunctor<JS::Value>, JS::Value const&, (decltype ({parm#1}((JSObject*)((decltype(nullptr))0), (Forward<js::GCMarker*&>)({parm#3})))&&)...)+108>:	jne    0x56b767 <js::DispatchValueTyped<DoMarkingFunctor<JS::Value>, js::GCMarker*&>(DoMarkingFunctor<JS::Value>, JS::Value const&, (decltype ({parm#1}((JSObject*)((decltype(nullptr))0), (Forward<js::GCMarker*&>)({parm#3})))&&)...)+55>


Marking s-s until investigated.
Guessing sec-moderate for now, but if there were a real-world chance to cause a GC in the right spot it could be sec-high or more.
Keywords: sec-moderate
Marking as fuzzblocker due to frequency.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Group: core-security → javascript-core-security
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [fuzzblocker] [jsbugmon:bisect] → [fuzzblocker] [jsbugmon:]
Crash Signature: [@ MustSkipMarking<JSObject*>] → [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>]
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker][jsbugmon:update]
Crash Signature: [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>] → [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>]
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Crash Signature: [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>] → [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>]
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker] [jsbugmon:update]
Crash Signature: [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>] → [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>]
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
JSBugMon was unable to reproduce this issue multiple times, trying again.

In the meantime, needinfo'ing Jon in case the stack helps, and since GC is on the stack. Or perhaps in the >1 year since, the underlying issue has gone away.
Crash Signature: [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>] → [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>]
Flags: needinfo?(jcoppeard)
Flags: in-testsuite?
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker] [jsbugmon:update]
Bisection shows that this doesn't reproduce since:

changeset:   254749:01675d584873
user:        Tom Tromey <tromey@mozilla.com>
date:        Fri Jul 24 07:01:00 2015 -0400
summary:     Bug 1148593 - Create async stack in callback objects. r=bz, r=fitzgen

However that seems totally unrelated.
(Trying again)

The problem seems to be that the baseline frame can be traced by a GC before the eval new target value is pushed.

This patch fixes the test failure (which only reproduces at certain revisions presumably because it depends on the stack contents).

However the code for this has changed quite a lot since. Does this sound like it's something that's still an issue?
Flags: needinfo?(jcoppeard)
Attachment #8794292 - Flags: feedback?(jdemooij)
Comment on attachment 8794292 [details] [diff] [review]
bug1302682-eval-new-target

I think the bug here was:

- We *only* pass a new.target Value to eval frames if the eval is in a function.
- BaselineFrame::trace assumed the new.target Value was present for *all* eval frames.

Waldo fixed this in bug 1205937.
Attachment #8794292 - Flags: feedback?(jdemooij)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1205937
Group: javascript-core-security
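The mismatch described in the previous comment, shown in a constructed C++ model that is not SpiderMonkey code: one side pushes a new.target slot only for evals inside a function, while the tracer assumed the slot exists for every eval frame and so read stale stack contents. The value tagging, frame layout, and the `Marker`/`Frame` types are assumptions made for this illustration; the stale slot value `0x7fffffffffff` is taken from the `obj` argument in the reported backtrace.

```cpp
#include <cstdint>
#include <vector>

// A tagged value: the top 16 bits carry a type tag, the low 48 bits a payload.
// This layout is hypothetical and not the real JS::Value encoding.
struct Value {
  uint64_t bits;
};
constexpr uint64_t kTagShift = 48;
constexpr uint64_t kObjectTag = 0xFFF9ULL;
constexpr uint64_t kPayloadMask = (1ULL << kTagShift) - 1;

Value makeObjectValue(uint64_t fakePtr) {
  return Value{(kObjectTag << kTagShift) | (fakePtr & kPayloadMask)};
}
bool isObject(Value v) { return (v.bits >> kTagShift) == kObjectTag; }

// Constructed frame model: a flag recording whether new.target was pushed,
// the scope chain (always an object), and the value slots above the header.
struct Frame {
  bool hasNewTarget;
  Value scopeChain;
  Value slots[1];  // new.target when hasNewTarget, otherwise stale stack contents
};

// Stand-in for the GC marker: records traced objects and counts attempts to
// trace something that is not a tagged object (the real GC faulted here).
struct Marker {
  std::vector<uint64_t> marked;
  int badDerefs = 0;
  void traceObject(Value v) {
    if (!isObject(v)) { ++badDerefs; return; }
    marked.push_back(v.bits & kPayloadMask);
  }
};

// Buggy tracer: unconditionally treats slots[0] as the eval new.target.
void traceFrameBuggy(const Frame& f, Marker& m) {
  m.traceObject(f.scopeChain);
  m.traceObject(f.slots[0]);
}

// Fixed tracer: traces new.target only when the frame actually pushed it.
void traceFrameFixed(const Frame& f, Marker& m) {
  m.traceObject(f.scopeChain);
  if (f.hasNewTarget) m.traceObject(f.slots[0]);
}

// Constructed frames: a global-level eval (no new.target pushed, slot holds
// leftover stack bits) and a function-level eval (new.target pushed).
Frame makeGlobalEvalFrame() {
  Frame f{};
  f.hasNewTarget = false;
  f.scopeChain = makeObjectValue(0x1000);
  f.slots[0] = Value{0x7fffffffffffULL};  // untagged garbage, as in the backtrace
  return f;
}
Frame makeFunctionEvalFrame() {
  Frame f{};
  f.hasNewTarget = true;
  f.scopeChain = makeObjectValue(0x1000);
  f.slots[0] = makeObjectValue(0x2000);
  return f;
}

// Observable results for each tracer on a given frame.
int badDerefsBuggy(const Frame& f) { Marker m; traceFrameBuggy(f, m); return m.badDerefs; }
int badDerefsFixed(const Frame& f) { Marker m; traceFrameFixed(f, m); return m.badDerefs; }
int markedCountFixed(const Frame& f) { Marker m; traceFrameFixed(f, m); return (int)m.marked.size(); }

int main() {
  // Buggy tracer misreads the global-eval frame; fixed tracer does not.
  return (badDerefsBuggy(makeGlobalEvalFrame()) == 1 &&
          badDerefsFixed(makeGlobalEvalFrame()) == 0) ? 0 : 1;
}
```

The point of the model is that the tracer and the code that lays out the frame must agree on the same condition; a root that is only sometimes present has to be traced under exactly the flag that controls whether it was pushed, which is what the fix in bug 1205937 restored.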