Crash [@ JS_HoldPrincipals] with captureFirstSubsumedFrame shell function

VERIFIED FIXED in Firefox 50

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 2 years ago
Modified: a year ago
People

(Reporter: decoder, Assigned: fitzgen)

Tracking

(Blocks: 1 bug, {crash, testcase})

Version: Trunk
Target Milestone: mozilla50
Platform: x86_64 Linux
Keywords: crash, testcase
Points: ---

Firefox Tracking Flags

(firefox50 verified)

Details

(Whiteboard: [fuzzblocker] [jsbugmon:update], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision e0bc88708ffe (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --no-threads):

const g1 = newGlobal({});
const g2 = newGlobal(newGlobal);
g1.g2obj = g2.eval("new Object");
g1.evaluate(`
  const global = this;
  function capture(shouldIgnoreSelfHosted = true) {
    return captureFirstSubsumedFrame(global.g2obj, shouldIgnoreSelfHosted);
  }
  (function iife1() {
    const captureTrueStack = capture(true);
  }());
`, {
});



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
JS_HoldPrincipals (principals=principals@entry=0x0) at js/src/jsapi.cpp:3278
#0  JS_HoldPrincipals (principals=principals@entry=0x0) at js/src/jsapi.cpp:3278
#1  0x0000000000c53ba3 in JS::FirstSubsumedFrame::FirstSubsumedFrame (ignoreSelfHostedFrames=true, p=<optimized out>, ctx=0x7ffff6965000, this=<optimized out>) at js/src/jsapi.h:5939
#2  CaptureFirstSubsumedFrame (cx=cx@entry=0x7ffff6965000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1168
#3  0x0000000000ab2b44 in js::CallJSNative (cx=cx@entry=0x7ffff6965000, native=0xc53a80 <CaptureFirstSubsumedFrame(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:232
[...]
#34 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7519
rax	0x7ffff6956800	140737330374656
rbx	0x0	0
rcx	0x10ac101	17481985
rdx	0x1	1
rsi	0x1	1
rdi	0x0	0
rbp	0x7fffffffb830	140737488336944
rsp	0x7fffffffb830	140737488336944
r8	0x35	53
r9	0x7ffff6955800	140737330370560
r10	0x1d48420	30704672
r11	0x1d485d0	30705104
r12	0x7ffff6965000	140737330434048
r13	0x7fffffffb870	140737488337008
r14	0x7fffffffb930	140737488337200
r15	0x7ffff500b240	140737303851584
rip	0x8a82b4 <JS_HoldPrincipals(JSPrincipals*)+4>
=> 0x8a82b4 <JS_HoldPrincipals(JSPrincipals*)+4>:	lock addl $0x1,0x8(%rdi)
   0x8a82b9 <JS_HoldPrincipals(JSPrincipals*)+9>:	pop    %rbp


Happening quite often, marking as fuzzblocker.

Updated

2 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]

Comment 1

2 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0916f44729ff
user:        Nick Fitzgerald
date:        Thu Jul 21 23:40:59 2016 -0400
summary:     Bug 1280818 part 1 - Add the ability to capture the stack until the first non-self-hosted frame with the given principals; r=bz,jimb

This iteration took 225.837 seconds to run.

Comment 2

2 years ago
Assignee: nobody → nfitzgerald
Status: NEW → ASSIGNED
Created attachment 8774414 [details] [diff] [review]
Null check principals before holding them in JS::FirstSubsumedFrame

Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=4fe9398ccc19
Attachment #8774414 - Flags: review?(jimb)

Updated

2 years ago
Attachment #8774414 - Flags: review?(jimb) → review+

Comment 3

2 years ago
Pushed by nfitzgerald@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0d3a0369254a
Null check principals before holding them in JS::FirstSubsumedFrame; r=jimb
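The fix pushed above is a null check before the refcount hold. As an added illustration of that pattern (this is not SpiderMonkey code and does not reproduce the real JSPrincipals layout or the real JS::FirstSubsumedFrame interface; Principals, holdUnchecked, holdChecked and FirstSubsumedFrameModel are hypothetical names), the C++ below models the unchecked hold that faults on a null pointer, as the backtrace shows with principals=0x0, and the checked version that treats a null principals pointer as nothing to hold:

```cpp
// Added illustration, not Mozilla code: models the refcount "hold" that
// JS_HoldPrincipals performs and the null check the fix adds before it.
#include <atomic>
#include <cstdint>

// Stand-in for JSPrincipals (hypothetical layout). The real object carries an
// atomically incremented reference count; the faulting instruction in the
// report, "lock addl $0x1,0x8(%rdi)" with rdi == 0, is that increment applied
// to a null object pointer.
struct Principals {
    std::atomic<uint32_t> refcnt{0};
    void hold()    { refcnt.fetch_add(1, std::memory_order_relaxed); }
    void release() { refcnt.fetch_sub(1, std::memory_order_relaxed); }
};

// The faulty shape: dereferences p unconditionally. With p == nullptr this is
// the SIGSEGV from the report. It is never called here; it only documents the
// "before" state for comparison.
inline void holdUnchecked(Principals* p) { p->hold(); }

// The fixed shape: a null principals pointer is a reachable state (the shell's
// globals in the testcase have none), so it is accepted and simply not held.
inline bool holdChecked(Principals* p) {
    if (!p) return false;
    p->hold();
    return true;
}

// Minimal model of the capture-options holder: owns one reference to the
// principals for its lifetime, or none when the pointer is null.
class FirstSubsumedFrameModel {
  public:
    FirstSubsumedFrameModel(Principals* p, bool ignoreSelfHosted)
        : principals_(p), ignoreSelfHosted_(ignoreSelfHosted) {
        holdChecked(principals_);
    }
    ~FirstSubsumedFrameModel() {
        if (principals_) principals_->release();   // mirror the null check on release
    }
    FirstSubsumedFrameModel(const FirstSubsumedFrameModel&) = delete;
    FirstSubsumedFrameModel& operator=(const FirstSubsumedFrameModel&) = delete;

    Principals* principals() const { return principals_; }
    bool ignoreSelfHosted() const { return ignoreSelfHosted_; }

  private:
    Principals* principals_;
    bool ignoreSelfHosted_;
};

// Exercises both paths: a global with principals (count must go 0 -> 1 -> 0)
// and a shell-style global without any, which must not dereference anything.
bool demo() {
    Principals withPrincipals;
    {
        FirstSubsumedFrameModel held(&withPrincipals, true);
        if (withPrincipals.refcnt.load() != 1) return false;
    }
    if (withPrincipals.refcnt.load() != 0) return false;

    FirstSubsumedFrameModel none(nullptr, true);   // the reporter's case: principals == 0x0
    return none.principals() == nullptr && none.ignoreSelfHosted();
}
```

The point of accepting null rather than asserting on it: the backtrace and the shell testcase show a null principals pointer is a legitimate, reachable state for a global, so a testing function that captures a stack against such a global must treat "no principals" as "nothing to hold and nothing to release" on both ends of the object's lifetime.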

Comment 4

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/0d3a0369254a
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox50: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Comment 5

I believe we can safely mark this verified fixed on Fx50, based on the crash data available for the last 2 months.

  SIGNATURE   | JS_HoldPrincipals
  ------------------------------------------
  CRASH STATS | http://tinyurl.com/h58xz47
  ------------------------------------------
  OVERVIEW    | 0 crashes on nightly 52
              | 0 crashes on nightly 51
              | 0 crashes on aurora 51
              | 0 crashes on nightly 50
              | 0 crashes on aurora 50
              | 0 crashes on beta 50
Status: RESOLVED → VERIFIED
status-firefox50: fixed → verified