Closed
Bug 1295530
Opened 9 years ago
Closed 9 years ago
Crash [@ JS::Zone::isGCSweeping] with Promise
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: RESOLVED DUPLICATE of bug 1294241
| Release | Tracking | Status |
|---|---|---|
| firefox51 | --- | fixed |
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:update,ignore])
The following testcase crashes on mozilla-central revision 6e191a55c3d2 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with --fuzzing-safe --ion-eager):

```js
var lfLogBuffer = `
//corefuzz-dcd-endofdata
function rejectionTracker(promise, state) {}
setPromiseRejectionTrackerCallback(rejectionTracker);
//corefuzz-dcd-endofdata
let p2 = new Promise((res, rej)=>rej('rejection'))
//corefuzz-dcd-endofdata
startgc(100000, 'shrinking');
`;
lfLogBuffer = lfLogBuffer.split('\n');
var lfCodeBuffer = "";
while (true) {
  var line = lfLogBuffer.shift();
  if (line == null) {
    break;
  } else if (line == "//corefuzz-dcd-endofdata") {
    loadFile(lfCodeBuffer);
    lfCodeBuffer = "";
  } else if (line.indexOf("//corefuzz-dcd-selectmode ") === 0) {
    loadFile(line);
  } else {
    lfCodeBuffer += line + "\n";
  }
}
if (lfCodeBuffer) loadFile(lfCodeBuffer);
function loadFile(lfVarx) {
  try {
    var lfGlobal = newGlobal();
    lfGlobal.offThreadCompileScript(lfVarx);
    lfGlobal.runOffThreadScript();
    evaluate(lfVarx);
  } catch (lfVare) {}
}
```
Backtrace:

```text
==2820==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000778 (pc 0x000001b4201b bp 0x7ffe43e87d70 sp 0x7ffe43e87d70 T0)
==2820==The signal is caused by a READ memory access.
==2820==Hint: address points to the zero page.
    #0 0x1b4201a in JS::Zone::isGCSweeping() js/src/gc/Zone.h:243:34
    #1 0x1b4201a in bool IsAboutToBeFinalizedInternal<js::ObjectGroup>(js::ObjectGroup**) js/src/gc/Marking.cpp:2535
    #2 0x1b4201a in bool js::gc::IsAboutToBeFinalizedUnbarriered<js::ObjectGroup*>(js::ObjectGroup**) js/src/gc/Marking.cpp:2583
    #3 0x17ae4cd in IsObjectKeyAboutToBeFinalized(js::TypeSet::ObjectKey**) js/src/vm/TypeInference.cpp:797:32
    #4 0x17ae4cd in js::ConstraintTypeSet::sweep(JS::Zone*, js::AutoClearTypeInferenceStateOnOOM&) js/src/vm/TypeInference.cpp:4094
    #5 0x171bb4f in JSScript::maybeSweepTypes(js::AutoClearTypeInferenceStateOnOOM*) js/src/vm/TypeInference.cpp:4317:9
    #6 0x10a9028 in SweepThing(JSScript*, js::AutoClearTypeInferenceStateOnOOM*) js/src/jsgc.cpp:5243:5
    #7 0x10a9028 in bool SweepArenaList<JSScript, js::AutoClearTypeInferenceStateOnOOM*>(js::gc::Arena**, js::SliceBudget&, js::AutoClearTypeInferenceStateOnOOM*) js/src/jsgc.cpp:5258
    #8 0x10a9028 in js::gc::GCRuntime::sweepPhase(js::SliceBudget&, js::AutoLockForExclusiveAccess&) js/src/jsgc.cpp:5299
    #9 0x10aeefb in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::AutoLockForExclusiveAccess&) js/src/jsgc.cpp:5901:13
    #10 0x10b0bde in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) js/src/jsgc.cpp:6141:5
    #11 0x10b2260 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) js/src/jsgc.cpp:6248:25
    #12 0x108eee4 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:6313:5
    #13 0x159376f in JSRuntime::destroyRuntime() js/src/vm/Runtime.cpp:418:9
    #14 0x101f48b in JSContext::~JSContext() js/src/jscntxt.cpp:935:5
    #15 0xfd2a88 in void js_delete_poison<JSContext>(JSContext const*) dist/include/js/Utility.h:392:9
    #16 0xfd2a88 in js::DestroyContext(JSContext*) js/src/jscntxt.cpp:136
    #17 0x557de6 in main js/src/shell/js.cpp:7562:5
```
GC crash with address that isn't likely a null deref, marking s-s and sec-high.
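The triage call above (faulting address is in the zero page but not exactly 0x0, top frames are in the GC sweep path, so the crash is treated as a potential security bug rather than a plain null dereference) can be automated for a queue of fuzzer crashes. The script below is an added example, not part of this bug report or of the JSBugMon tooling: it parses the ASan SEGV header and stack frames from the backtrace quoted above (embedded here as sample input), classifies the faulting address, and flags anything that is not an exact null read for security review. The function names and the flagging rule are this example's own choices, not Mozilla's triage policy.

```python
import re

# Sample input: the first lines of the ASan report from this bug (reporter's output,
# embedded here so the example runs offline).
SAMPLE_REPORT = """\
==2820==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000778 (pc 0x000001b4201b bp 0x7ffe43e87d70 sp 0x7ffe43e87d70 T0)
==2820==The signal is caused by a READ memory access.
==2820==Hint: address points to the zero page.
    #0 0x1b4201a in JS::Zone::isGCSweeping() js/src/gc/Zone.h:243:34
    #1 0x1b4201a in bool IsAboutToBeFinalizedInternal<js::ObjectGroup>(js::ObjectGroup**) js/src/gc/Marking.cpp:2535
    #2 0x1b4201a in bool js::gc::IsAboutToBeFinalizedUnbarriered<js::ObjectGroup*>(js::ObjectGroup**) js/src/gc/Marking.cpp:2583
    #3 0x17ae4cd in IsObjectKeyAboutToBeFinalized(js::TypeSet::ObjectKey**) js/src/vm/TypeInference.cpp:797:32
"""

PAGE_SIZE = 0x1000  # x86-64 zero page: addresses below this are NULL + small offset

# "==<pid>==ERROR: AddressSanitizer: SEGV on unknown address <addr> (pc <pc> ..."
HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[A-Za-z-]+) on unknown address "
    r"(?P<addr>0x[0-9a-fA-F]+) \(pc (?P<pc>0x[0-9a-fA-F]+)"
)
ACCESS_RE = re.compile(r"The signal is caused by a (?P<access>READ|WRITE) memory access")
# "#<n> <pc> in <function, may contain spaces> <file:line[:col]>"
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) (?P<pc>0x[0-9a-fA-F]+) in (?P<func>.+) (?P<loc>\S+:\d+(?::\d+)?)$"
)


def parse_asan_segv(text):
    """Extract pid, fault kind, faulting address, pc, access type and frames."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no AddressSanitizer SEGV header found")
    access = ACCESS_RE.search(text)
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({"n": int(m.group("n")), "pc": int(m.group("pc"), 16),
                           "func": m.group("func"), "loc": m.group("loc")})
    return {
        "pid": int(header.group("pid")),
        "kind": header.group("kind"),
        "addr": int(header.group("addr"), 16),
        "pc": int(header.group("pc"), 16),
        "access": access.group("access") if access else "UNKNOWN",
        "frames": frames,
    }


def classify_address(addr):
    """'null' for exactly 0, 'zero-page' for NULL plus a small field offset, else 'other'."""
    if addr == 0:
        return "null"
    if addr < PAGE_SIZE:
        return "zero-page"
    return "other"


def triage(report):
    """Conservative rule (this example's own): only an exact null READ is a plain
    null dereference; everything else, including a zero-page offset like 0x778,
    is flagged for security review. GC-path frames are noted because a bad
    pointer seen during sweeping usually means a dangling or unrooted object."""
    cls = classify_address(report["addr"])
    in_gc_path = any("js::gc::" in f["func"] or "/gc/" in f["loc"] for f in report["frames"])
    plain_null = cls == "null" and report["access"] == "READ"
    return {
        "address_class": cls,
        "in_gc_path": in_gc_path,
        "flag_for_security_review": not plain_null,
        "top_frame": report["frames"][0]["func"] if report["frames"] else "",
    }


if __name__ == "__main__":
    parsed = parse_asan_segv(SAMPLE_REPORT)
    print(triage(parsed))
```

Running the script on the sample prints a zero-page classification with the security-review flag set and `JS::Zone::isGCSweeping()` as the top frame; feeding it a report whose address is exactly 0x0 with a READ access yields `flag_for_security_review: False`, which is the only case this rule treats as a plain null dereference.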
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
Comment 1•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 054d4856cea6).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d4cf63e47ae9
user: Till Schneidereit
date: Thu Jul 21 00:44:16 2016 +0200
summary: Bug 911216 - Part 30: Enable SpiderMonkey Promise implementation. r=bz,efaust,bholley,Paolo,tromey,shu
This iteration took 187.603 seconds to run.
Setting needinfo? from Till due to Promises.
Flags: needinfo?(till)
Comment 3•9 years ago
Jon, would this perhaps be fixed by bug 1290551?
Flags: needinfo?(till) → needinfo?(jcoppeard)
Comment 4•9 years ago
This is a dupe of bug 1294241.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
Comment 5•9 years ago
This was fixed in bug 1294241.