Closed
Bug 1265667
Opened 8 years ago
Closed 8 years ago
Crash [@ js::TraceLoggerThread::getOrCreateEventPayload]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
WONTFIX
People
(Reporter: gkw, Unassigned)
References
Details
(4 keywords, Whiteboard: [jsbugmon:] fixed on trunk by 1232676)
Crash Data
Attachments
(1 file)
44.15 KB,
text/plain
The following testcase crashes on mozilla-esr45 revision fdcfad0a693c (build with --enable-debug --enable-more-deterministic -R , run with --fuzzing-safe --ion-offthread-compile=off --no-baseline --ion-eager):

// Adapted from randomly chosen test: js/src/jit-test/tests/gc/oomInOffTheadCompile.js
options('strict');
oomTest(() => {
  offThreadCompileScript(`
    function f(x) {
      if (x == 0)
        return "";
    }
    f();
  `);
  runOffThreadScript();
});

Backtrace:

Thread 9 Crashed:: JS Helper
0   js-dbg-64-dm-clang-darwin-fdcfad0a693c   0x00000001000ceb4f js::TraceLoggerThread::getOrCreateEventPayload(TraceLoggerTextId) + 79 (TraceLogging.cpp:353)
1   js-dbg-64-dm-clang-darwin-fdcfad0a693c   0x00000001000d0863 js::TraceLoggerEvent::TraceLoggerEvent(js::TraceLoggerThread*, TraceLoggerTextId, JS::ReadOnlyCompileOptions const&) + 51 (TraceLogging.cpp:998)
2   js-dbg-64-dm-clang-darwin-fdcfad0a693c   0x00000001008ae389 AutoCompilationTraceLogger::AutoCompilationTraceLogger(js::ExclusiveContext*, TraceLoggerTextId, JS::ReadOnlyCompileOptions const&) + 73 (BytecodeCompiler.cpp:126)
3   js-dbg-64-dm-clang-darwin-fdcfad0a693c   0x00000001008ae4ad BytecodeCompiler::BytecodeCompiler(js::ExclusiveContext*, js::LifoAlloc*, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::Handle<js::ScopeObject*>, TraceLoggerTextId) + 45 (BytecodeCompiler.cpp:137)
4   js-dbg-64-dm-clang-darwin-fdcfad0a693c   0x00000001008b3b70 js::frontend::CompileScript(js::ExclusiveContext*, js::LifoAlloc*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::Handle<JSScript*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JSString*, js::SourceCompressionTask*, js::ScriptSourceObject**) + 176 (BytecodeCompiler.cpp:156)
5   js-dbg-64-dm-clang-darwin-fdcfad0a693c   0x00000001006cb972 js::HelperThread::handleParseWorkload() + 642 (RootingAPI.h:1083)
6   js-dbg-64-dm-clang-darwin-fdcfad0a693c   0x00000001006ca0cd js::HelperThread::threadLoop() + 605 (HelperThreads.cpp:1585)
7   js-dbg-64-dm-clang-darwin-fdcfad0a693c   0x000000010076c5df nspr::Thread::ThreadRoutine(void*) + 31 (Utility.h:369)
8   libsystem_pthread.dylib                  0x00007fff8828d99d _pthread_body + 131
9   libsystem_pthread.dylib                  0x00007fff8828d91a _pthread_start + 168
10  libsystem_pthread.dylib                  0x00007fff8828b351 thread_start + 13
Reporter
Comment 1•8 years ago
[Tracking Requested - why for this release]: Regressor on ESR45.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   311714:7190c35c9e14
user:        Jan de Mooij
date:        Wed Feb 24 17:55:05 2016 +0100
summary:     Bug 1232229 - Ensure generator object prototype is a singleton and tenured. r=jonco a=lizzard

I found this bug while fuzzing ESR45; this regressor seems to only be on mozilla-esr45, mozilla-release (45) and mozilla-beta (46), but I could only reproduce on (ESR)45. Locking s-s to be safe.

I dug through Breakpad and found:

bp-5eaffec2-30ff-488e-a671-d766e2160415

Jan, is bug 1232229 a likely regressor?
status-firefox48:
affected → ---
status-firefox-esr45:
--- → affected
tracking-firefox-esr45:
--- → ?
Flags: needinfo?(jdemooij)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Reporter
Comment 2•8 years ago

Reporter
Comment 3•8 years ago
Regressor is on:

mozilla-esr45 - http://hg.mozilla.org/releases/mozilla-esr45/rev/7190c35c9e14
mozilla-release (45) - http://hg.mozilla.org/releases/mozilla-release/rev/7190c35c9e14
mozilla-beta (46) - http://hg.mozilla.org/releases/mozilla-beta/rev/7190c35c9e14

Error about invalid revision:

mozilla-aurora (47) - http://hg.mozilla.org/releases/mozilla-aurora/rev/7190c35c9e14
Reporter
Comment 4•8 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1)
> Locking s-s to be safe.

This should be s-s. I dug more through crash-stats and found:

bp-6f96535d-399a-401c-9348-c47152160401

It shows an exploitability rating of "high".
Reporter
Comment 5•8 years ago
> It shows an exploitability rating of "high".
Setting sec-critical until further diagnosis.
Keywords: sec-critical
Reporter
Comment 6•8 years ago
> Regressor is on:
>
> mozilla-esr45 - http://hg.mozilla.org/releases/mozilla-esr45/rev/7190c35c9e14
> mozilla-release (45) -
> http://hg.mozilla.org/releases/mozilla-release/rev/7190c35c9e14
> mozilla-beta (46) -
> http://hg.mozilla.org/releases/mozilla-beta/rev/7190c35c9e14
I'd guess that I should set status-firefox46 to "affected" as well.
status-firefox46:
--- → affected
Comment 7•8 years ago
The crash in crash stats and the crash posted here are likely different. The crash here looks like a null-deref due to OOM to me, that's unlikely to be the same crash as the one on crash stats. Also the bisection could be inaccurate due to OOM.
Comment 8•8 years ago
Yeah, this looks like an OOM bug in TraceLogger code that I fixed as part of bug 1232676.
No longer blocks: 1232229
Flags: needinfo?(jdemooij)
Comment 9•8 years ago
I don't think we should backport the null check.
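Comments 7 to 9 diagnose the crash as an allocation failure that a lookup-or-create path returned as null and a caller dereferenced, found because the testcase's oomTest() fails every allocation site in turn. The following is an added C++ sketch of that testing technique and of the null-check fix, not SpiderMonkey code; the allocation hook, EventCache, and all function names are constructed for illustration.

```cpp
#include <cstdlib>
#include <new>
#include <string>
#include <unordered_map>

// Constructed OOM-injection hook in the spirit of the shell's oomTest():
// the g_failAt-th fallible allocation (1-based) returns nullptr; 0 disables it.
static size_t g_allocCount = 0, g_failAt = 0;
static void* fallibleAlloc(size_t n) {
    if (g_failAt != 0 && ++g_allocCount == g_failAt) return nullptr;
    return std::malloc(n);
}
struct Payload { std::string text; };

// Hypothetical lookup-or-create table standing in for the real payload table:
// on OOM it returns nullptr and leaves the table untouched so a retry can succeed.
struct EventCache {
    std::unordered_map<int, Payload*> map;
    ~EventCache() { for (auto& kv : map) { kv.second->~Payload(); std::free(kv.second); } }
    Payload* getOrCreate(int id, const char* text) {
        auto it = map.find(id);
        if (it != map.end()) return it->second;
        void* mem = fallibleAlloc(sizeof(Payload));
        if (!mem) return nullptr;
        Payload* p = new (mem) Payload{text};
        map.emplace(id, p);
        return p;
    }
};

// Caller with the null check of comment 9; without the `if (!p)` line the first
// injected failure would dereference nullptr, the shape of crash reported above.
bool eventTextLenChecked(EventCache& cache, int id, size_t* out) {
    Payload* p = cache.getOrCreate(id, "compile");
    if (!p) return false;
    *out = p->text.size(); return true;
}

// Runs fn once per allocation site, failing exactly that one, and returns how many
// injected failures fn reported cleanly; a null deref would abort the run instead.
template <typename Fn> size_t oomTest(Fn fn) {
    size_t reported = 0;
    for (size_t i = 1;; ++i) {
        g_allocCount = 0; g_failAt = i;
        bool ok = fn();
        g_failAt = 0;
        if (g_allocCount < i) break;  // fn made fewer than i allocations: all sites covered
        if (!ok) ++reported;
    }
    return reported;
}
```

Running the checked caller under oomTest() reports one injected failure and finishes; a caller without the check would crash on that same iteration.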
Updated•8 years ago
Comment 10•8 years ago
Clearing sec flags and unhiding bug based on comment 9.
Group: javascript-core-security
Keywords: sec-critical
Updated•8 years ago
Depends on: 1232676
Whiteboard: [jsbugmon:] → [jsbugmon:] fixed on trunk by 1232676
Version: Trunk → 45 Branch
Updated•8 years ago
Keywords: csectype-nullptr