Closed
Bug 1188288
Opened 9 years ago
Closed 8 years ago
Crash [@ MustSkipMarking<JSObject*>]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 1205937
| | Tracking | Status |
|---|---|---|
| firefox42 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])
Attachments (1 file): patch, 1.87 KB
The following testcase crashes on mozilla-central revision d3228c82badd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --baseline-eager):

```js
gczeal(2, 2)
var g1 = newGlobal();
g1.eval('function f() { return "from f"; }');
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
MustSkipMarking<JSObject*> (obj=0x7fffffffffff) at js/src/gc/Marking.cpp:619
#0  MustSkipMarking<JSObject*> (obj=0x7fffffffffff) at js/src/gc/Marking.cpp:619
#1  DoMarking<JSObject*> (thing=0x7fffffffffff, gcmarker=0x7ffff6941f78) at js/src/gc/Marking.cpp:655
#2  operator()<JSObject> (this=<synthetic pointer>, gcmarker=0x7ffff6941f78, t=0x7fffffffffff) at js/src/gc/Marking.cpp:667
#3  js::DispatchValueTyped<DoMarkingFunctor<JS::Value>, js::GCMarker*&>(DoMarkingFunctor<JS::Value>, JS::Value const&, (decltype ({parm#1}((JSObject*)((decltype(nullptr))0), (Forward<js::GCMarker*&>)({parm#3})))&&)...) (f=..., val=...) at ../../dist/include/js/Value.h:1894
#4  0x000000000056f108 in DoMarking<JS::Value> (val=..., gcmarker=0x7ffff6941f78) at js/src/gc/Marking.cpp:674
#5  DispatchToTracer<JS::Value> (name=0xb9d9c0 "baseline-evalNewTarget", thingp=0x7fffffffc198, trc=0x7ffff6941f78) at js/src/gc/Marking.cpp:593
#6  js::TraceRoot<JS::Value> (trc=trc@entry=0x7ffff6941f78, thingp=thingp@entry=0x7fffffffc198, name=name@entry=0xb9d9c0 "baseline-evalNewTarget") at js/src/gc/Marking.cpp:449
#7  0x00000000006f38c9 in js::jit::BaselineFrame::trace (this=0x7fffffffc128, trc=trc@entry=0x7ffff6941f78, frameIterator=...) at js/src/jit/BaselineFrame.cpp:53
#8  0x000000000079bc94 in MarkJitActivation (activations=..., trc=0x7ffff6941f78) at js/src/jit/JitFrames.cpp:1541
#9  js::jit::MarkJitActivations (rt=<optimized out>, trc=trc@entry=0x7ffff6941f78) at js/src/jit/JitFrames.cpp:1576
#10 0x00000000006c2e85 in js::gc::GCRuntime::markRuntime (this=this@entry=0x7ffff693c330, trc=trc@entry=0x7ffff6941f78, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::MarkRuntime, rootsSource=rootsSource@entry=js::gc::GCRuntime::TraceRoots) at js/src/gc/RootMarking.cpp:430
#11 0x00000000009299ba in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x7ffff693c330, reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:3914
#12 0x0000000000932151 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff693c330, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:5802
#13 0x0000000000932eb5 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff693c330, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6047
#14 0x0000000000933156 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff693c330, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6161
#15 0x0000000000934499 in gc (reason=<optimized out>, gckind=<optimized out>, this=<optimized out>) at js/src/jsgc.cpp:6222
#16 js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff693c330) at js/src/jsgc.cpp:6662
#17 0x00000000005380cf in js::gc::GCRuntime::gcIfNeededPerAllocation (this=0x7ffff693c330, cx=cx@entry=0x7ffff698d210) at js/src/gc/Allocator.cpp:28
#18 0x00000000005636a7 in checkAllocatorState<(js::AllowGC)1> (kind=js::gc::SHAPE, cx=0x7ffff698d210, this=<optimized out>) at js/src/gc/Allocator.cpp:55
#19 js::Allocate<js::Shape, (js::AllowGC)1> (cx=cx@entry=0x7ffff698d210) at js/src/gc/Allocator.cpp:211
#20 0x0000000000651a31 in js::NativeObject::getChildPropertyOnDictionary (cx=cx@entry=0x7ffff698d210, obj=obj@entry=..., parent=..., parent@entry=..., child=...) at js/src/vm/Shape.cpp:388
#21 0x0000000000651dbb in js::NativeObject::getChildProperty (cx=cx@entry=0x7ffff698d210, obj=obj@entry=..., parent=parent@entry=..., unrootedChild=...) at js/src/vm/Shape.cpp:406
#22 0x00000000006598b6 in js::NativeObject::addPropertyInternal (cx=cx@entry=0x7ffff698d210, obj=obj@entry=..., id=id@entry=..., getter=0x0, setter=0x0, slot=16777215, attrs=attrs@entry=1, flags=flags@entry=0, entry=entry@entry=0x7ffff694da68, allowDictionary=allowDictionary@entry=true) at js/src/vm/Shape.cpp:581
#23 0x00000000006607f9 in js::NativeObject::putProperty (cx=cx@entry=0x7ffff698d210, obj=obj@entry=..., id=..., id@entry=..., getter=0x0, setter=0x0, slot=slot@entry=16777215, attrs=1, flags=flags@entry=0) at js/src/vm/Shape.cpp:729
#24 0x0000000000606be3 in AddOrChangeProperty (cx=cx@entry=0x7ffff698d210, obj=obj@entry=..., id=id@entry=..., desc=...) at js/src/vm/NativeObject.cpp:1152
#25 0x0000000000607bb5 in js::NativeDefineProperty (cx=0x7ffff698d210, obj=..., id=..., desc_=..., desc_@entry=..., result=...) at js/src/vm/NativeObject.cpp:1517
#26 0x00000000008f54ef in js::DefineProperty (cx=cx@entry=0x7ffff698d210, obj=..., obj@entry=..., id=..., id@entry=..., value=..., getter=getter@entry=0x0, setter=setter@entry=0x0, attrs=attrs@entry=1, result=...) at js/src/jsobj.cpp:2626
#27 0x00000000008f56e9 in DefineProperty (attrs=1, setter=0x0, getter=0x0, value=..., id=..., obj=..., cx=0x7ffff698d210) at js/src/jsobj.cpp:2657
#28 js::DefineProperty (cx=cx@entry=0x7ffff698d210, obj=..., obj@entry=..., name=<optimized out>, value=..., value@entry=..., getter=getter@entry=0x0, setter=setter@entry=0x0, attrs=1) at js/src/jsobj.cpp:2673
#29 0x00000000005a481e in js::DefFunOperation (cx=0x7ffff698d210, script=..., scopeChain=..., funArg=...) at js/src/vm/Interpreter.cpp:4260
#30 0x00007ffff7ff059e in ?? ()
#31 0x0000000000000000 in ?? ()
```

Registers and disassembly at the crash:

```
rax 0xffffffffffffffff -1
rbx 0x7fffffffffff 140737488355327
rcx 0xfffbffffffffffff -1125899906842625
rdx 0x7fffffffffe8 140737488355304
rsi 0x7fffffffffff 140737488355327
rdi 0x7fffffffb2c0 140737488335552
rbp 0x7ffff6941f78 140737330290552
rsp 0x7fffffffb290 140737488335504
r8  0x7ffff7efe0a0 140737353080992
r9  0x2000000000 137438953472
r10 0x2000000000 137438953472
r11 0x0 0
r12 0x7fffffffc128 140737488339240
r13 0x7fffffffb370 140737488335728
r14 0x7fffffffb3a0 140737488335776
r15 0x7fffffffb3a0 140737488335776
rip 0x56b799 <js::DispatchValueTyped<DoMarkingFunctor<JS::Value>, js::GCMarker*&>(DoMarkingFunctor<JS::Value>, JS::Value const&, (decltype ({parm#1}((JSObject*)((decltype(nullptr))0), (Forward<js::GCMarker*&>)({parm#3})))&&)...)+105>
=> 0x56b799 <js::DispatchValueTyped<DoMarkingFunctor<JS::Value>, js::GCMarker*&>(DoMarkingFunctor<JS::Value>, JS::Value const&, (decltype ({parm#1}((JSObject*)((decltype(nullptr))0), (Forward<js::GCMarker*&>)({parm#3})))&&)...)+105>: testb $0x1,(%rdx)
   0x56b79c <js::DispatchValueTyped<DoMarkingFunctor<JS::Value>, js::GCMarker*&>(DoMarkingFunctor<JS::Value>, JS::Value const&, (decltype ({parm#1}((JSObject*)((decltype(nullptr))0), (Forward<js::GCMarker*&>)({parm#3})))&&)...)+108>: jne 0x56b767 <js::DispatchValueTyped<DoMarkingFunctor<JS::Value>, js::GCMarker*&>(DoMarkingFunctor<JS::Value>, JS::Value const&, (decltype ({parm#1}((JSObject*)((decltype(nullptr))0), (Forward<js::GCMarker*&>)({parm#3})))&&)...)+55>
```

Marking s-s until investigated.
Comment 1•9 years ago
Guessing sec-moderate for now, but if there were a real-world chance to cause a GC in the right spot it could be sec-high or more.
Keywords: sec-moderate
Reporter
Comment 2•9 years ago
Marking as fuzzblocker due to frequency.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Updated•9 years ago
Group: core-security → javascript-core-security
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:bisect]
Comment 3•9 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated•9 years ago
Whiteboard: [fuzzblocker] [jsbugmon:bisect] → [fuzzblocker] [jsbugmon:]
Updated•9 years ago
Crash Signature: [@ MustSkipMarking<JSObject*>] → [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>]
Updated•8 years ago
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker][jsbugmon:update]
Updated•8 years ago
Crash Signature: [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>] → [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>]
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:]
Comment 4•8 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated•8 years ago
Crash Signature: [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>] → [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>]
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker] [jsbugmon:update]
Updated•8 years ago
Crash Signature: [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>] → [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>]
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:]
Comment 5•8 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
JSBugMon was unable to reproduce this issue multiple times, trying again. In the meantime, needinfo'ing Jon in case the stack helps, and since GC is on the stack. Or perhaps in the >1 year since, the underlying issue has gone away.
Crash Signature: [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>] → [@ MustSkipMarking<JSObject*>] [@ MustSkipMarking<T>]
Flags: needinfo?(jcoppeard)
Flags: in-testsuite?
Whiteboard: [fuzzblocker] [jsbugmon:] → [fuzzblocker] [jsbugmon:update]
Comment 7•8 years ago
Bisection shows that this doesn't reproduce since:

```
changeset: 254749:01675d584873
user:      Tom Tromey <tromey@mozilla.com>
date:      Fri Jul 24 07:01:00 2015 -0400
summary:   Bug 1148593 - Create async stack in callback objects. r=bz, r=fitzgen
```

However that seems totally unrelated.
Comment 8•8 years ago
(Trying again) The problem seems to be that the baseline frame can be traced by a GC before the eval new target value is pushed. This patch fixes the test failure (which only reproduces at certain revisions presumably because it depends on the stack contents). However the code for this has changed quite a lot since. Does this sound like it's something that's still an issue?
Flags: needinfo?(jcoppeard)
Attachment #8794292 - Flags: feedback?(jdemooij)
Comment 9•8 years ago
Comment on attachment 8794292 [details] [diff] [review]
bug1302682-eval-new-target

I think the bug here was:
- We *only* pass a new.target Value to eval frames if the eval is in a function.
- BaselineFrame::trace assumed the new.target Value was present for *all* eval frames.

Waldo fixed this in bug 1205937.
Attachment #8794292 - Flags: feedback?(jdemooij)
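The defect class comment 9 describes, as an added illustration that is not SpiderMonkey code: a hypothetical, simplified eval frame whose new.target slot is pushed only under one condition, a tracer that assumes the slot is always there (and so hands whatever sits on the stack to the GC as an object pointer), and the corrected tracer whose condition matches the pusher's. `EvalFrame`, `pushEvalNewTarget` and the two `traceNewTarget*` functions are all assumptions made for this model.

```cpp
// Added model of the bug in comment 9, not SpiderMonkey's BaselineFrame code.
#include <cstddef>
#include <cstdint>
#include <vector>

struct Value { uintptr_t bits; };           // stand-in for JS::Value (hypothetical)

// Constructed stand-in for "whatever is on the stack"; chosen to match the
// bogus obj=0x7fffffffffff the GC marker dereferenced in the report.
static const uintptr_t kStackGarbage = 0x7fffffffffffULL;

struct EvalFrame {                          // hypothetical, simplified eval frame
    bool inFunction;                        // was the eval called from inside a function?
    std::vector<Value> slots;               // values actually pushed above the frame
};

// The pusher: new.target is stored *only* for evals that run inside a function.
void pushEvalNewTarget(EvalFrame& f, Value newTarget) {
    if (f.inFunction)
        f.slots.push_back(newTarget);
}

// Reading a slot that was never pushed yields stack garbage in the real engine;
// the model returns kStackGarbage instead of touching out-of-bounds memory.
static Value slotOrGarbage(const EvalFrame& f, size_t i) {
    return i < f.slots.size() ? f.slots[i] : Value{kStackGarbage};
}

// Buggy tracer: assumes every eval frame carries new.target, so for a
// top-level eval it marks garbage as if it were a live object pointer.
uintptr_t traceNewTargetBuggy(const EvalFrame& f) {
    return slotOrGarbage(f, 0).bits;
}

// Fixed tracer: mirrors the pusher's condition, so it only reads the slot
// when something was actually stored there. Returns false when nothing
// needed tracing; the traced pointer is written through `traced`.
bool traceNewTargetFixed(const EvalFrame& f, uintptr_t* traced) {
    if (!f.inFunction)
        return false;                       // nothing was pushed; nothing to trace
    *traced = f.slots[0].bits;
    return true;
}
```

The invariant to check in review is that the tracer's "is this root present?" test is the same predicate the code that pushes the root uses, not a superset of it.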
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Group: javascript-core-security