1275080 - Crash [@ js::gc::TenuredCell::zone]

Status: RESOLVED DUPLICATE of bug 1282746

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 16663eb3dcfa (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager):

lfcode = Array(`
function test() {}
gczeal(9);
lfGlobal = newGlobal()
for (lfLocal in this)
  if (!(lfLocal in lfGlobal))
    lfGlobal[lfLocal] = this[lfLocal]
  lfGlobal.offThreadCompileScript(\`
    p = new Proxy( ( ) => () => 0, () => 0);
    test.prototype.__proto__ = p;
  \`)
  lfGlobal.runOffThreadScript()
`)
while (1) {
  file = lfcode.shift();
  loadFile(file);
}
function loadFile(lfVarx) {
  try {
      evaluate(lfVarx)
  } catch (lfVare) {}
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1255
#0  js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1255
#1  0x0000000000c5a5bb in MustSkipMarking<js::Shape*> (thing=0x7ffff2f46a88) at js/src/gc/Marking.cpp:728
#2  DoMarking<js::Shape> (thing=0x7ffff2f46a88, gcmarker=0x7ffff6955430) at js/src/gc/Marking.cpp:775
#3  DispatchToTracer<js::Shape*> (trc=0x7ffff6955430, thingp=<optimized out>, name=<optimized out>) at js/src/gc/Marking.cpp:643
#4  0x00000000009a5fca in js::ProxyObject::trace (trc=0x7ffff6955430, obj=0x7ffff7e7d4e0) at js/src/proxy/Proxy.cpp:617
#5  0x0000000000c659ff in doTrace (this=<optimized out>, obj=0x7ffff7e7d4e0, trc=0x7ffff6955430) at js/src/debug64/dist/include/js/Class.h:815
#6  CallTraceHook<TraverseObjectFunctor, js::GCMarker* const, JSObject*&> (check=DoChecks, obj=0x7ffff7e7d4e0, trc=0x7ffff6955430, f=...) at js/src/gc/Marking.cpp:1307
#7  js::GCMarker::processMarkStackTop (this=this@entry=0x7ffff6955430, budget=...) at js/src/gc/Marking.cpp:1520
#8  0x0000000000c4f2fd in js::GCMarker::drainMarkStack (this=this@entry=0x7ffff6955430, budget=...) at js/src/gc/Marking.cpp:1353
#9  0x00000000008e74f6 in js::gc::GCRuntime::drainMarkStack (this=this@entry=0x7ffff6953428, sliceBudget=..., phase=phase@entry=js::gcstats::PHASE_MARK) at js/src/jsgc.cpp:5467
#10 0x000000000090c925 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff6953428, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6135
#11 0x000000000090d756 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff6953428, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6396
#12 0x000000000090dcf8 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff6953428, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6504
#13 0x000000000090f78c in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff6953428) at js/src/jsgc.cpp:7031
#14 0x0000000000c2c7ea in js::gc::GCRuntime::gcIfNeededPerAllocation (this=this@entry=0x7ffff6953428, cx=cx@entry=0x7ffff6908c00) at js/src/gc/Allocator.cpp:28
#15 0x0000000000c36ddf in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0x7ffff6953428, cx=0x7ffff6908c00, kind=js::gc::OBJECT8) at js/src/gc/Allocator.cpp:55
#16 0x0000000000c3d311 in js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0x7ffff6908c00, kind=kind@entry=js::gc::OBJECT8, nDynamicSlots=0, heap=js::gc::TenuredHeap, clasp=clasp@entry=0x1cad360 <js::ErrorObject::classes>) at js/src/gc/Allocator.cpp:121
#17 0x000000000091a917 in JSObject::create (cx=0x7ffff6908c00, kind=js::gc::OBJECT8, heap=<optimized out>, shape=..., group=...) at js/src/jsobjinlines.h:351
#18 0x000000000094b0c9 in NewObject (cx=0x7ffff6908c00, group=..., kind=js::gc::OBJECT8, newKind=js::GenericObject, initialShapeFlags=<optimized out>) at js/src/jsobj.cpp:672
#19 0x000000000094b48d in js::NewObjectWithGivenTaggedProto (cxArg=cxArg@entry=0x7ffff6908c00, clasp=0x1cad360 <js::ErrorObject::classes>, proto=..., allocKind=js::gc::OBJECT8, newKind=newKind@entry=js::GenericObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/jsobj.cpp:733
#20 0x0000000000a0fb06 in NewObjectWithGivenTaggedProto (initialShapeFlags=0, newKind=js::GenericObject, proto=..., clasp=0x1cad360 <js::ErrorObject::classes>, cx=0x7ffff6908c00) at js/src/jsobjinlines.h:636
#21 NewObjectWithGivenProto (newKind=js::GenericObject, proto=..., clasp=<optimized out>, cx=0x7ffff6908c00) at js/src/jsobjinlines.h:671
#22 js::ErrorObject::create (cx=0x7ffff6908c00, errorType=JSEXN_ERR, stack=..., stack@entry=..., fileName=..., fileName@entry=..., lineNumber=lineNumber@entry=20, columnNumber=columnNumber@entry=7, report=report@entry=0x7fffffffc2e0, message=message@entry=..., protoArg=protoArg@entry=...) at js/src/vm/ErrorObject.cpp:102
#23 0x00000000008b256a in js::ErrorToException (cx=cx@entry=0x7ffff6908c00, message=message@entry=0x7ffff3014f40 "evaluate: invalid arguments", reportp=reportp@entry=0x7fffffffc460, callback=<optimized out>, userRef=<optimized out>) at js/src/jsexn.cpp:584
#24 0x00000000008b26ae in ReportError (cx=0x7ffff6908c00, message=0x7ffff3014f40 "evaluate: invalid arguments", reportp=0x7fffffffc460, callback=<optimized out>, userRef=<optimized out>) at js/src/jscntxt.cpp:226
#25 0x00000000008b2e87 in js::ReportErrorNumberVA (cx=0x7ffff6908c00, flags=0, callback=0x48ec60 <js::shell::my_GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=12, argumentsType=js::ArgumentsAreASCII, ap=0x7fffffffc518) at js/src/jscntxt.cpp:762
#26 0x00000000008b2f1b in JS_ReportErrorNumberVA (cx=<optimized out>, errorCallback=<optimized out>, userRef=<optimized out>, errorNumber=<optimized out>, ap=ap@entry=0x7fffffffc518) at js/src/jsapi.cpp:5686
#27 0x00000000008b2fa6 in JS_ReportErrorNumber (cx=<optimized out>, errorCallback=errorCallback@entry=0x48ec60 <js::shell::my_GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=12) at js/src/jsapi.cpp:5675
#28 0x000000000049e954 in Evaluate (cx=0x7ffff6908c00, argc=1, vp=0x7fffffffcad0) at js/src/shell/js.cpp:1335
#29 0x00007ffff7ff5158 in ?? ()
#30 0x0000000000000000 in ?? ()
rax	0x7ffff2f46000	140737269489664
rbx	0x7ffff6955430	140737330369584
rcx	0x7ffff2f00000	140737269202944
rdx	0x46a01	289281
rsi	0x7ffff7e7d4e8	140737352553704
rdi	0x0	0
rbp	0x7fffffffb9a0	140737488337312
rsp	0x7fffffffb990	140737488337296
r8	0x1	1
r9	0x7ffff7e7d4e0	140737352553696
r10	0x574350f9	1464029433
r11	0x7	7
r12	0x7ffff6955430	140737330369584
r13	0x7ffff2f46a88	140737269492360
r14	0x7ffff6955430	140737330369584
r15	0x7fffffffbec0	140737488338624
rip	0x6c5674 <js::gc::TenuredCell::zone() const+100>
=> 0x6c5674 <js::gc::TenuredCell::zone() const+100>:	mov    0x8(%rax),%rbx
   0x6c5678 <js::gc::TenuredCell::zone() const+104>:	mov    %rbx,%rdi


Marking s-s due to bad crash address and GC involved.

Comment 1

[Jon Coppeard (:jonco)]

Reduced test case:

function test() {}
lfGlobal = newGlobal();
lfGlobal['test'] = test;
lfGlobal.offThreadCompileScript(`
    p = new Proxy( ( ) => () => 0, () => 0);
    test.prototype.__proto__ = p;
`);
lfGlobal.runOffThreadScript();
gczeal(9);
for (let i = 0; i < 100; i++)
    evaluate('');

Comment 2

[Fuzzing Team]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160427220852" and the hash "37c815005a7223bb81f947957bd80ae45c26376f".
The "bad" changeset has the timestamp "20160427224854" and the hash "3c4b7e1de6290ef6e21f2f9e17f99ee5a04f47c6".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=37c815005a7223bb81f947957bd80ae45c26376f&tochange=3c4b7e1de6290ef6e21f2f9e17f99ee5a04f47c6

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6cfb92e3d2c7
user:        Jeff Walden
date:        Tue Feb 23 13:42:30 2016 -0800
summary:     Bug 888969 - Make the getPrototypeOf/setPrototypeOf traps scriptable.  r=efaust, r=bholley

Waldo, is bug 888969 a likely regressor?

Comment 4

[David Bolter [:davidb] (NeedInfo me for attention)]

Waldo is investigating (we chatted on IRC).

Comment 5

[Liz Henry (:lizzard) (relman/hg->git project)]

Waldo, please let us know if this affects 48 and esr as well.

Comment 6

[Jeff Walden [:Waldo]]

Very unclear yet if it affects anything backwards of the landing of bug 888969.  A pertinent part of that change, that clearly is responsible for the crash (but I don't understand how), has existed for a long time before this.  Because I don't understand exactly *why* the crash happens, that longstanding code might also offer a way to trigger this crash.  So, regression window here is still not clear.

Comment 7

[David Bolter [:davidb] (NeedInfo me for attention)]

(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #6)
> Very unclear yet if it affects anything backwards of the landing of bug
> 888969.  A pertinent part of that change, that clearly is responsible for
> the crash (but I don't understand how), has existed for a long time before
> this.  Because I don't understand exactly *why* the crash happens, that
> longstanding code might also offer a way to trigger this crash.  So,
> regression window here is still not clear.

As a plan B, is there a way to 'backout' the pertinent part? (Is this bug actionable?)

Comment 9

[Marcia Knous [:marcia]]

Removing tracking flags - we will track in the duplicate bug.

Comment 10

[David Bolter [:davidb] (NeedInfo me for attention)]

Current hack to get DUPE bugs off our triage list is to make branch status fix-optional so doing that now.

NOTE: I wouldn't mind getting cc'ed to bug 1282746 since I have a red stapler (FF 49 'boss')