Closed Bug 1259490 Opened 8 years ago Closed 8 years ago

Crash involving gczeal(8) with Interpret on the stack

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla48
Tracking Status
firefox47 --- unaffected
firefox48 --- verified
firefox-esr45 --- unaffected

People

(Reporter: gkw, Assigned: terrence)

References

Details

(5 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 24c5fbde4488 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

gczeal(8);
for (var k = 0; k < 99; ++k) {
    uneval(-(0 ** (Object | 0 * Object)))
}

Backtrace:

0   js-dbg-64-dm-clang-darwin-24c5fbde4488	0x00000001007e9338 js::CompartmentChecker::check(JS::Value const&) + 120 (jscntxtinlines.h:95)
1   js-dbg-64-dm-clang-darwin-24c5fbde4488	0x00000001007df720 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 288 (jscntxtinlines.h:162)
2   js-dbg-64-dm-clang-darwin-24c5fbde4488	0x00000001007a66de js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 702 (Interpreter.cpp:464)
3   js-dbg-64-dm-clang-darwin-24c5fbde4488	0x00000001007c4f01 Interpret(JSContext*, js::RunState&) + 48897 (Interpreter.cpp:2809)
4   js-dbg-64-dm-clang-darwin-24c5fbde4488	0x00000001007b8f37 js::RunScript(JSContext*, js::RunState&) + 519 (Interpreter.cpp:426)
5   js-dbg-64-dm-clang-darwin-24c5fbde4488	0x00000001007d1254 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 1124 (Interpreter.cpp:684)
6   js-dbg-64-dm-clang-darwin-24c5fbde4488	0x00000001007d15d5 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 469 (RootingAPI.h:667)
7   js-dbg-64-dm-clang-darwin-24c5fbde4488	0x0000000100595f61 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4373)
8   js-dbg-64-dm-clang-darwin-24c5fbde4488	0x00000001005961d2 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:667)
9   js-dbg-64-dm-clang-darwin-24c5fbde4488	0x0000000100021099 Process(JSContext*, char const*, bool, FileKind) + 3609 (js.cpp:530)
10  js-dbg-64-dm-clang-darwin-24c5fbde4488	0x0000000100006754 main + 12404 (js.cpp:6732)
11  js-dbg-64-dm-clang-darwin-24c5fbde4488	0x0000000100001724 start + 52

This testcase seems to involve gczeal, so setting s-s as a start. Also setting [fuzzblocker] because this seems to happen quite often.
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160323062544" and the hash "56d3ab31480a27c4e6063f635f78625b8ce4d220".
The "bad" changeset has the timestamp "20160323062840" and the hash "36c1fd35d9959fa380d07521b210ba315772d683".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=56d3ab31480a27c4e6063f635f78625b8ce4d220&tochange=36c1fd35d9959fa380d07521b210ba315772d683

Jon, is bug 1258453 a likely regressor?
Blocks: 1258453
Flags: needinfo?(jcoppeard)
Yes, this looks like me.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
This is causing major problems in fuzzing. We either need a fix soon or backout.
Flags: needinfo?(jdemooij)
(In reply to Christian Holler (:decoder) from comment #3)
> This is causing major problems in fuzzing. We either need a fix soon or
> backout.

Jon, Terrence: should we disable the compacting GC code for strings for now, to unblock fuzzing?

(I noticed there's also a topcrash in AssignJSString on Nightly. #1 if you select "3 days".)
Flags: needinfo?(terrence)
Flags: needinfo?(jdemooij)
Flags: needinfo?(jcoppeard)
(In reply to Jan de Mooij [:jandem] from comment #4)
> Jon, Terrence: should we disable the compacting GC code for strings for now,
> to unblock fuzzing?
> 
> (I noticed there's also a topcrash in AssignJSString on Nightly. #1 if you
> select "3 days".)

I'm all for this. Apparently I filed this Thursday evening in Europe time - some countries are out till Tuesday due to Easter weekend.

Basically fuzzing is super noisy with variations of this bug now.
Update the DtoA cache after compacting GC. This cache only stores pointers to strings, so it was not already in the set of caches we update.
Assignee: jcoppeard → terrence
Status: NEW → ASSIGNED
Flags: needinfo?(terrence)
Flags: needinfo?(jcoppeard)
Attachment #8735489 - Flags: review?(jcoppeard)
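The fix described in the comment above, as an added illustration that is not SpiderMonkey's own code: a toy moving heap with forwarding pointers and a DtoA-style cache that keeps raw string pointers, showing that a cache left out of the post-compaction update set hands back a stale pointer. All names (Cell, Heap, DtoACache, fixupAfterMovingGC) are hypothetical.

```cpp
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

struct Cell {                   // a GC-managed string cell
    std::string chars;
    Cell* forwarded = nullptr;  // set when the cell is relocated by compaction
};

struct Heap {
    std::vector<std::unique_ptr<Cell>> cells;  // live cells
    std::vector<std::unique_ptr<Cell>> moved;  // old copies kept so stale reads stay defined here
    Cell* alloc(const std::string& s) {
        cells.push_back(std::make_unique<Cell>(Cell{s}));
        return cells.back().get();
    }
    // Compaction: every live cell is relocated to a fresh allocation and the old
    // copy is poisoned and left holding a forwarding pointer to the new location.
    void compact() {
        std::vector<std::unique_ptr<Cell>> fresh;
        for (auto& c : cells) {
            fresh.push_back(std::make_unique<Cell>(Cell{c->chars}));
            c->forwarded = fresh.back().get();
            c->chars.clear();                 // old copy is garbage now
            moved.push_back(std::move(c));
        }
        cells = std::move(fresh);
    }
    static Cell* update(Cell* c) { return c->forwarded ? c->forwarded : c; }
};

struct DtoACache {              // number -> string pointer, like the DtoA cache in the bug
    std::unordered_map<double, Cell*> entries;
    void put(double d, Cell* s) { entries[d] = s; }
    Cell* lookup(double d) const {
        auto it = entries.find(d);
        return it == entries.end() ? nullptr : it->second;
    }
    // The fix in miniature: walk each cached pointer and follow its forwarding pointer.
    void fixupAfterMovingGC() {
        for (auto& kv : entries) kv.second = Heap::update(kv.second);
    }
};

// What the cache yields for 2.5 after one compaction, with or without the fixup.
std::string stringAfterCompaction(bool fixup) {
    Heap heap;
    DtoACache cache;
    cache.put(2.5, heap.alloc("2.5"));
    heap.compact();
    if (fixup) cache.fixupAfterMovingGC();
    return cache.lookup(2.5)->chars;  // without fixup this reads the poisoned old cell
}
```

In the real engine the stale pointer targets freed arena memory rather than a poisoned copy, which is why the debug build's CompartmentChecker in the backtrace above trips on it.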
Comment on attachment 8735489 [details] [diff] [review]
bug-1259490-v0.diff

r=jandem via IRC so that we can get this on m-i sooner.
Attachment #8735489 - Flags: review?(jcoppeard) → review+
(In reply to Terrence Cole [:terrence] from comment #7)
Thanks for picking this up.
https://hg.mozilla.org/mozilla-central/rev/595ba913eb83
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Group: javascript-core-security → core-security-release
I'm going to mark this sec-critical because it sounds easily discoverable.
Depends on: 1261649
Group: core-security-release
Blocks: 1260198
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.