Crash [@ ??] with evalInWorker and newGlobal

RESOLVED FIXED in Firefox 47

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 2 years ago; last updated: 2 years ago

People

Reporter: decoder, Assigned: terrence

Tracking

Blocks: 1 bug
Keywords: crash, regression, testcase
Version: Trunk
Target Milestone: mozilla47
Platform: x86_64 Linux
Points: ---

Firefox Tracking Flags

firefox46: wontfix, firefox47: fixed

Details

Whiteboard: [jsbugmon:update], crash signature

Attachments

(1 attachment)
Description (Reporter, 2 years ago)
The following testcase crashes on mozilla-central revision 8cb42e7a16b4 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

evalInWorker("try { newGlobal({principal : 5}); } catch (e) {}");

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff30ff700 (LWP 63896)]
0x0000000000000000 in ?? ()
#0  0x0000000000000000 in ?? ()
#1  0x0000000000911a87 in sweepCompartments (keepAtleastOne=false, destroyingRuntime=true, fop=0x7ffff30fe8d0, this=0x7ffff328f000) at js/src/jsgc.cpp:3763
#2  js::gc::GCRuntime::sweepZones (this=0x7ffff69b5420, fop=0x7ffff30fe8d0, destroyingRuntime=true) at js/src/jsgc.cpp:3805
#3  0x0000000000923f17 in js::gc::GCRuntime::endSweepPhase (this=this@entry=0x7ffff69b5420, destroyingRuntime=destroyingRuntime@entry=true) at js/src/jsgc.cpp:5644
#4  0x0000000000925aa7 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff69b5420, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6151
#5  0x0000000000926890 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff69b5420, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6342
#6  0x0000000000926dc1 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff69b5420, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6448
#7  0x0000000000926ff3 in js::gc::GCRuntime::gc (this=this@entry=0x7ffff69b5420, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6506
#8  0x0000000000adb42f in JSRuntime::~JSRuntime (this=0x7ffff69b5000, __in_chrg=<optimized out>) at js/src/vm/Runtime.cpp:416
#9  0x00000000008bfcb6 in js_delete<JSRuntime> (p=0x7ffff69b5000) at js/src/debug64/dist/include/js/Utility.h:370
#10 JS_DestroyRuntime (rt=0x7ffff69b5000) at js/src/jsapi.cpp:481
#11 0x000000000048e1c1 in WorkerMain (arg=0x7ffff699d860) at js/src/shell/js.cpp:2812
#12 0x0000000000aac5f1 in nspr::Thread::ThreadRoutine (arg=0x7ffff699d880) at js/src/vm/PosixNSPR.cpp:45
#13 0x00007ffff7bc4182 in start_thread (arg=0x7ffff30ff700) at pthread_create.c:312
#14 0x00007ffff6cb3fbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
rax	0x0	0
rbx	0x7ffff328f000	140737272934400
rcx	0x7ffff328f708	140737272936200
rdx	0x7ffff30ffa40	140737271298624
rsi	0x7ffff328de20	140737272929824
rdi	0x7ffff328de20	140737272929824
rbp	0x7ffff30fe7e0	140737271293920
rsp	0x7ffff30fe708	140737271293704
r8	0x0	0
r9	0x11000	69632
r10	0x7ffff3200f08	140737272352520
r11	0x7ffff6a00121	140737331069217
r12	0x7ffff328f710	140737272936208
r13	0x7ffff69b5000	140737330761728
r14	0x7ffff328f710	140737272936208
r15	0x7ffff693f800	140737330280448
rip	0x0	0
=> 0x0:
runtime->destroyPrincipals is nullptr here.
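As an added illustration, not code from this bug or from SpiderMonkey, here is a small C model of the teardown path described above: a runtime keeps a function pointer for destroying each compartment's principals, the worker entry point never installs it, and the compartment sweep during runtime destruction then calls through a null pointer, which is the `0x0000000000000000 in ?? ()` at frame #0 of the backtrace. Every name here (`Runtime`, `Principals`, `WorkerMainBuggy`, `WorkerMainFixed`, `InitDestroyPrincipalsCallback`) is constructed for the example and is not the engine's real API. The toy checks the pointer and returns an error where the real engine crashed, and `WorkerMainFixed` installs the callback right after creating the runtime, which is the shape of the fix that landed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy model: not SpiderMonkey's JSRuntime or its API. */
typedef struct Principals { int id; } Principals;
typedef void (*DestroyPrincipalsFn)(Principals *principals);

#define MAX_COMPARTMENTS 4

typedef struct Runtime {
    DestroyPrincipalsFn destroyPrincipals;        /* null until the embedder sets it */
    Principals *compartments[MAX_COMPARTMENTS];   /* principals owned per compartment */
    int compartmentCount;
} Runtime;

/* Counts how many principals the shell's destroyer actually released. */
static int g_destroyCalls = 0;

static void ShellDestroyPrincipals(Principals *principals)
{
    g_destroyCalls++;
    free(principals);
}

int DestroyCallCount(void) { return g_destroyCalls; }

static Runtime *NewRuntime(void)
{
    return calloc(1, sizeof(Runtime));   /* destroyPrincipals starts out null */
}

/* The step the worker path in this bug skipped. */
static void InitDestroyPrincipalsCallback(Runtime *rt, DestroyPrincipalsFn fn)
{
    rt->destroyPrincipals = fn;
}

/* Analogue of newGlobal({principal: 5}): a compartment that owns principals
 * the runtime must release at teardown. */
static int NewGlobalWithPrincipals(Runtime *rt, int id)
{
    if (rt->compartmentCount >= MAX_COMPARTMENTS)
        return -1;
    Principals *p = malloc(sizeof(Principals));
    if (!p)
        return -1;
    p->id = id;
    rt->compartments[rt->compartmentCount++] = p;
    return 0;
}

/* Analogue of sweepCompartments during runtime destruction. The engine
 * called rt->destroyPrincipals unconditionally (the null call at frame #0);
 * this toy reports the missing callback instead. 0 on success, -1 if the
 * callback was never installed. */
static int SweepCompartments(Runtime *rt)
{
    int status = 0;
    for (int i = 0; i < rt->compartmentCount; i++) {
        Principals *p = rt->compartments[i];
        if (rt->destroyPrincipals) {
            rt->destroyPrincipals(p);
        } else {
            status = -1;
            free(p);   /* toy-only cleanup so the example does not leak */
        }
        rt->compartments[i] = NULL;
    }
    rt->compartmentCount = 0;
    return status;
}

static int DestroyRuntime(Runtime *rt)
{
    int status = SweepCompartments(rt);
    free(rt);
    return status;
}

/* Worker thread before the fix: runtime created, global with principals
 * created, runtime destroyed, destroyer never installed. Returns -1. */
int WorkerMainBuggy(void)
{
    Runtime *rt = NewRuntime();
    if (!rt)
        return -1;
    NewGlobalWithPrincipals(rt, 5);
    return DestroyRuntime(rt);
}

/* Worker thread with the destroyer installed right after runtime creation,
 * the shape of the fix landed for this bug. Returns 0. */
int WorkerMainFixed(void)
{
    Runtime *rt = NewRuntime();
    if (!rt)
        return -1;
    InitDestroyPrincipalsCallback(rt, ShellDestroyPrincipals);
    NewGlobalWithPrincipals(rt, 5);
    return DestroyRuntime(rt);
}

int main(void)
{
    printf("buggy worker: %d\n", WorkerMainBuggy());
    printf("fixed worker: %d (destroyer called %d time(s))\n",
           WorkerMainFixed(), DestroyCallCount());
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the point to take from it is that a per-runtime callback slot that defaults to null must be populated on every runtime creation path (main thread and worker alike), or an assertion on it should fire before the first compartment with principals is created rather than at teardown.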
Comment 2 (Assignee, 2 years ago)
Created attachment 8710771 [details] [diff] [review]
init_principals_destroyer_in_shell_worker-v0.diff

Quite right! I think this is what's called for?
Assignee: nobody → terrence
Status: NEW → ASSIGNED
Attachment #8710771 - Flags: review?(bbouvier)
Comment on attachment 8710771 [details] [diff] [review]
init_principals_destroyer_in_shell_worker-v0.diff

Review of attachment 8710771 [details] [diff] [review]:
-----------------------------------------------------------------

Yes, seems legit, thank you.
Attachment #8710771 - Flags: review?(bbouvier) → review+

Updated (2 years ago)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 4 is likely inaccurate.
Comment 6 (Assignee, 2 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/18d66f1eb5cdef3833b62efb0c5b62d5b2917079
Bug 1240532 - Init the principals destroyer in the shell's WorkerMain; r=bbouvier

Comment 7 (bugherder, 2 years ago)
https://hg.mozilla.org/mozilla-central/rev/18d66f1eb5cd
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox47: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Too late to uplift to beta 46. But it is fixed in 47.
status-firefox46: affected → wontfix