Closed Bug 1258301 Opened 9 years ago Closed 9 years ago

Crash [@ js::gc::TenuredCell::arena]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla48
Tracking Flags:
Tracking Status
firefox47 --- unaffected
firefox48 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])

Crash Data

Attachments

(1 file)

Patch
1.89 KB, patch
jonco
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision f14898695ee0 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-ion --baseline-eager): gczeal(14); x = new WeakMap; x.__proto__ = null; x.get() Backtrace: 0 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001007e5ea8 js::gc::TenuredCell::arena() const + 88 (Heap.h:956) 1 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001009e7f2c void DoMarking<JSObject>(js::GCMarker*, JSObject*) + 60 (Heap.h:1226) 2 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001001a228e js::jit::TraceBaselineCacheIRStub(JSTracer*, js::jit::ICStub*, js::jit::CacheIRStubInfo const*) + 190 (BaselineCacheIR.cpp:1052) 3 js-dbg-64-dm-clang-darwin-f14898695ee0 0x000000010044572e js::jit::ICStub::trace(JSTracer*) + 3342 (SharedIC.cpp:549) 4 js-dbg-64-dm-clang-darwin-f14898695ee0 0x0000000100444a0b js::jit::ICEntry::trace(JSTracer*) + 27 (SharedIC.h:648) 5 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001001fcbc2 js::jit::BaselineScript::Trace(JSTracer*, js::jit::BaselineScript*) + 98 (BaselineJIT.cpp:463) 6 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001006415c2 JSScript::traceChildren(JSTracer*) + 658 (jsscript.cpp:4012) 7 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001009cc635 js::GCMarker::drainMarkStack(js::SliceBudget&) + 101 (SliceBudget.h:77) 8 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001005e1bdf js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason) + 879 (jsgc.cpp:5398) 9 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001005e2a3c js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) + 460 (jsgc.cpp:6330) 10 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001005e33fb js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) + 763 (jsgc.cpp:6432) 11 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001005e5b56 js::gc::GCRuntime::runDebugGC() + 278 (jsgc.cpp:6492) 12 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001009c9a98 js::gc::GCRuntime::gcIfNeededPerAllocation(JSContext*) + 72 (Allocator.cpp:33) 13 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001009d583c bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) + 28 (Allocator.cpp:60) 14 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001009d6846 JSString* js::Allocate<JSString, (js::AllowGC)1>(js::ExclusiveContext*) + 54 (Allocator.cpp:213) 15 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001008ad36d JSString* js::ConcatStrings<(js::AllowGC)1>(js::ExclusiveContext*, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType) + 189 (String-inl.h:128) 16 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001005974e7 js::ErrorReport::init(JSContext*, JS::Handle<JS::Value>) + 455 (RootingAPI.h:667) 17 js-dbg-64-dm-clang-darwin-f14898695ee0 0x0000000100588854 js::ReportUncaughtException(JSContext*) + 164 (jsexn.cpp:667) 18 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001005a6ca0 AutoLastFrameCheck::~AutoLastFrameCheck() + 112 (GuardObjects.h:119) 19 js-dbg-64-dm-clang-darwin-f14898695ee0 0x000000010058486c ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 428 (jscntxt.cpp:1206) 20 js-dbg-64-dm-clang-darwin-f14898695ee0 0x0000000100584ad2 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:667) 21 js-dbg-64-dm-clang-darwin-f14898695ee0 0x0000000100020cdf Process(JSContext*, char const*, bool, FileKind) + 3439 (js.cpp:523) 22 js-dbg-64-dm-clang-darwin-f14898695ee0 0x000000010000621e main + 12382 (js.cpp:6613) 23 js-dbg-64-dm-clang-darwin-f14898695ee0 0x00000001000011e4 start + 52 Setting s-s because this involves gczeal and gc is on the stack. Also [fuzzblocker] because this is happening very often.
=== Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20160317020419" and the hash "7067e2812c2616061ce4328d0e97da4a3dd48387". The "bad" changeset has the timestamp "20160317022913" and the hash "83b0a247a47f1135a80454a9bd88c8f4c092a5d8". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=7067e2812c2616061ce4328d0e97da4a3dd48387&tochange=83b0a247a47f1135a80454a9bd88c8f4c092a5d8 Jan, is bug 1255352 a likely regressor?
Blocks: 1255352
Flags: needinfo?(jdemooij)
Depends on: 1258314
Silly bug, the stub has a nullptr JSObject* (for the proto guard) and TraceEdge assumes its HeapPtr argument is non-null. So this just needs a null check somewhere.
Group: javascript-core-security
status-firefox47: affectedunaffected
status-firefox48: --- → affected
Flags: needinfo?(jdemooij)
Flags: needinfo?(jdemooij)
Attached patch PatchSplinter Review
Uses the (brand new) TraceNullableEdge. Currently shapes and groups are always non-null I think, but that will likely change soon.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8733838 - Flags: review?(jcoppeard)
Attachment #8733838 - Flags: review?(jcoppeard) → review+
Blocks: 1258992
https://hg.mozilla.org/mozilla-central/rev/e8e55ed9453a
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox48: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: