Closed Bug 1265667 Opened 8 years ago Closed 8 years ago

Crash [@ js::TraceLoggerThread::getOrCreateEventPayload]

Categories

(Core :: JavaScript Engine, defect)

45 Branch
x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED WONTFIX
Tracking Status
firefox46 --- fixed
firefox-esr45 --- wontfix

People

(Reporter: gkw, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:] fixed on trunk by 1232676)

Attachments

(1 file)

The following testcase crashes on mozilla-esr45 revision fdcfad0a693c (build with --enable-debug --enable-more-deterministic -R , run with --fuzzing-safe --ion-offthread-compile=off --no-baseline --ion-eager):

// Adapted from randomly chosen test: js/src/jit-test/tests/gc/oomInOffTheadCompile.js
options('strict');
oomTest(() => {
    offThreadCompileScript(
        `
        function f(x) {
            if (x == 0)
                return "";
        }
        f();
        `);
    runOffThreadScript();
});

Backtrace:

Thread 9 Crashed:: JS Helper
0   js-dbg-64-dm-clang-darwin-fdcfad0a693c	0x00000001000ceb4f js::TraceLoggerThread::getOrCreateEventPayload(TraceLoggerTextId) + 79 (TraceLogging.cpp:353)
1   js-dbg-64-dm-clang-darwin-fdcfad0a693c	0x00000001000d0863 js::TraceLoggerEvent::TraceLoggerEvent(js::TraceLoggerThread*, TraceLoggerTextId, JS::ReadOnlyCompileOptions const&) + 51 (TraceLogging.cpp:998)
2   js-dbg-64-dm-clang-darwin-fdcfad0a693c	0x00000001008ae389 AutoCompilationTraceLogger::AutoCompilationTraceLogger(js::ExclusiveContext*, TraceLoggerTextId, JS::ReadOnlyCompileOptions const&) + 73 (BytecodeCompiler.cpp:126)
3   js-dbg-64-dm-clang-darwin-fdcfad0a693c	0x00000001008ae4ad BytecodeCompiler::BytecodeCompiler(js::ExclusiveContext*, js::LifoAlloc*, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::Handle<js::ScopeObject*>, TraceLoggerTextId) + 45 (BytecodeCompiler.cpp:137)
4   js-dbg-64-dm-clang-darwin-fdcfad0a693c	0x00000001008b3b70 js::frontend::CompileScript(js::ExclusiveContext*, js::LifoAlloc*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::Handle<JSScript*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JSString*, js::SourceCompressionTask*, js::ScriptSourceObject**) + 176 (BytecodeCompiler.cpp:156)
5   js-dbg-64-dm-clang-darwin-fdcfad0a693c	0x00000001006cb972 js::HelperThread::handleParseWorkload() + 642 (RootingAPI.h:1083)
6   js-dbg-64-dm-clang-darwin-fdcfad0a693c	0x00000001006ca0cd js::HelperThread::threadLoop() + 605 (HelperThreads.cpp:1585)
7   js-dbg-64-dm-clang-darwin-fdcfad0a693c	0x000000010076c5df nspr::Thread::ThreadRoutine(void*) + 31 (Utility.h:369)
8   libsystem_pthread.dylib       	0x00007fff8828d99d _pthread_body + 131
9   libsystem_pthread.dylib       	0x00007fff8828d91a _pthread_start + 168
10  libsystem_pthread.dylib       	0x00007fff8828b351 thread_start + 13

[Tracking Requested - why for this release]:
Regressor on ESR45.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   311714:7190c35c9e14
user:        Jan de Mooij
date:        Wed Feb 24 17:55:05 2016 +0100
summary:     Bug 1232229 - Ensure generator object prototype is a singleton and tenured. r=jonco a=lizzard

I found this bug while fuzzing ESR45; this regressor seems to be only on mozilla-esr45, mozilla-release (45) and mozilla-beta (46), but I could only reproduce on (ESR)45. Locking s-s to be safe.

I dug through Breakpad and found: bp-5eaffec2-30ff-488e-a671-d766e2160415

Jan, is bug 1232229 a likely regressor?
Flags: needinfo?(jdemooij)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1)
> Locking s-s to be safe.

This should be s-s. I dug more through crash-stats and found:

bp-6f96535d-399a-401c-9348-c47152160401

It shows an exploitability rating of "high".
> It shows an exploitability rating of "high".

Setting sec-critical until further diagnosis.
Keywords: sec-critical
> Regressor is on:
> 
> mozilla-esr45 - http://hg.mozilla.org/releases/mozilla-esr45/rev/7190c35c9e14
> mozilla-release (45) -
> http://hg.mozilla.org/releases/mozilla-release/rev/7190c35c9e14
> mozilla-beta (46) -
> http://hg.mozilla.org/releases/mozilla-beta/rev/7190c35c9e14

I'd guess that I should set status-firefox46 to "affected" as well.
The crash in crash stats and the crash posted here are likely different. The crash here looks like a null-deref due to OOM to me; that's unlikely to be the same crash as the one on crash stats.

Also the bisection could be inaccurate due to OOM.
Yeah, this looks like an OOM bug in TraceLogger code that I fixed as part of bug 1232676.
No longer blocks: 1232229
Flags: needinfo?(jdemooij)
I don't think we should backport the null check.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Clearing sec flags and unhiding bug based on comment 9.
Group: javascript-core-security
Keywords: sec-critical
Depends on: 1232676
Whiteboard: [jsbugmon:] → [jsbugmon:] fixed on trunk by 1232676
Version: Trunk → 45 Branch
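The crash diagnosed above has the classic shape of an OOM-path null dereference: a get-or-create helper returns null when an allocation fails and its caller uses the result unchecked. The following C model, added here and not SpiderMonkey's TraceLogger code, shows the hardened get-or-create with the null check propagated to the caller, driven by an oomTest-style harness that fails each allocation in turn; all names (fallible_alloc, get_or_create_payload, start_event, oom_test) are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not SpiderMonkey's TraceLogger: a get-or-create lookup whose allocations
 * may fail, plus an oomTest-style harness that fails the n-th allocation to check the caller. */
#define MAX_PAYLOADS 8
typedef struct { int id; char *text; } Payload;
static Payload *table[MAX_PAYLOADS];
static size_t table_len;
static unsigned alloc_count, fail_at;  /* fault injection: allocation #fail_at returns NULL (0 = off) */
static void *fallible_alloc(size_t n) {
    return (++alloc_count == fail_at) ? NULL : malloc(n);
}
static void reset_table(void) {
    while (table_len) { free(table[--table_len]->text); free(table[table_len]); }
    alloc_count = 0;
}
/* Returns NULL on OOM or when the table is full; every caller must check the result. */
static Payload *get_or_create_payload(int id, const char *text) {
    for (size_t i = 0; i < table_len; i++)
        if (table[i]->id == id) return table[i];
    if (table_len == MAX_PAYLOADS) return NULL;
    Payload *p = fallible_alloc(sizeof *p);
    if (!p) return NULL;
    p->text = fallible_alloc(strlen(text) + 1);
    if (!p->text) { free(p); return NULL; }  /* unwind the partial allocation */
    strcpy(p->text, text);
    p->id = id;
    table[table_len++] = p;
    return p;
}
/* Caller with the null check: an event that cannot get a payload is dropped, not crashed on. */
static int start_event(int id, const char *text) {
    Payload *p = get_or_create_payload(id, text);
    return p ? p->text[0] != '\0' : 0;
}

/* oomTest-style loop: fail allocation 1, 2, ... until a run completes without reaching
 * the injection point. Returns 1 if every injected failure was handled, -1 otherwise. */
static int oom_test(void) {
    for (unsigned n = 1; n < 100; n++) {
        reset_table();
        fail_at = n;
        int ok = start_event(42, "compile");
        if (alloc_count < n) { fail_at = 0; return ok; }  /* clean run, injection never hit */
        if (ok) return -1;  /* a failed allocation must never be reported as success */
    }
    return -1;
}
```

Removing the `if (!p)` checks reproduces the failure mode described in the bug: the injected NULL is dereferenced on the first or second iteration instead of being reported as a dropped event.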