Closed Bug 1295530 Opened 8 years ago Closed 8 years ago

Crash [@ JS::Zone::isGCSweeping] with Promise

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Severity: critical
Status: RESOLVED DUPLICATE of bug 1294241
Tracking Status: firefox51 --- fixed
People: Reporter: decoder, Unassigned
Details: 4 keywords, Whiteboard: [jsbugmon:update,ignore]

The following testcase crashes on mozilla-central revision 6e191a55c3d2 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with --fuzzing-safe --ion-eager):

var lfLogBuffer = `
//corefuzz-dcd-endofdata
function rejectionTracker(promise, state) {}
setPromiseRejectionTrackerCallback(rejectionTracker);
//corefuzz-dcd-endofdata
let p2 = new Promise((res, rej)=>rej('rejection'))
//corefuzz-dcd-endofdata
  startgc(100000, 'shrinking');
`;
// Split the fuzzer log into chunks at each "//corefuzz-dcd-endofdata"
// marker and feed every chunk to loadFile() in order.
lfLogBuffer = lfLogBuffer.split('\n');
var lfCodeBuffer = "";
while (true) {
    var line = lfLogBuffer.shift();
    if (line == null) {
        break;
    } else if (line == "//corefuzz-dcd-endofdata") {
        loadFile(lfCodeBuffer);
        lfCodeBuffer = "";
    } else if (line.indexOf("//corefuzz-dcd-selectmode ") === 0) {
        loadFile(line);
    } else {
        lfCodeBuffer += line + "\n";
    }
}
if (lfCodeBuffer) loadFile(lfCodeBuffer);
// Run one chunk in a fresh global (off-thread compile and run, using the
// JS shell builtins newGlobal/offThreadCompileScript/runOffThreadScript),
// then once more in the main global via evaluate(). Exceptions are
// swallowed so that the remaining chunks still execute.
function loadFile(lfVarx) {
    try {
        var lfGlobal = newGlobal();
        lfGlobal.offThreadCompileScript(lfVarx);
        lfGlobal.runOffThreadScript();
        evaluate(lfVarx);
    } catch (lfVare) {}
}

Backtrace:

==2820==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000778 (pc 0x000001b4201b bp 0x7ffe43e87d70 sp 0x7ffe43e87d70 T0)
==2820==The signal is caused by a READ memory access.
==2820==Hint: address points to the zero page.
    #0 0x1b4201a in JS::Zone::isGCSweeping() js/src/gc/Zone.h:243:34
    #1 0x1b4201a in bool IsAboutToBeFinalizedInternal<js::ObjectGroup>(js::ObjectGroup**) js/src/gc/Marking.cpp:2535
    #2 0x1b4201a in bool js::gc::IsAboutToBeFinalizedUnbarriered<js::ObjectGroup*>(js::ObjectGroup**) js/src/gc/Marking.cpp:2583
    #3 0x17ae4cd in IsObjectKeyAboutToBeFinalized(js::TypeSet::ObjectKey**) js/src/vm/TypeInference.cpp:797:32
    #4 0x17ae4cd in js::ConstraintTypeSet::sweep(JS::Zone*, js::AutoClearTypeInferenceStateOnOOM&) js/src/vm/TypeInference.cpp:4094
    #5 0x171bb4f in JSScript::maybeSweepTypes(js::AutoClearTypeInferenceStateOnOOM*) js/src/vm/TypeInference.cpp:4317:9
    #6 0x10a9028 in SweepThing(JSScript*, js::AutoClearTypeInferenceStateOnOOM*) js/src/jsgc.cpp:5243:5
    #7 0x10a9028 in bool SweepArenaList<JSScript, js::AutoClearTypeInferenceStateOnOOM*>(js::gc::Arena**, js::SliceBudget&, js::AutoClearTypeInferenceStateOnOOM*) js/src/jsgc.cpp:5258
    #8 0x10a9028 in js::gc::GCRuntime::sweepPhase(js::SliceBudget&, js::AutoLockForExclusiveAccess&) js/src/jsgc.cpp:5299
    #9 0x10aeefb in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::AutoLockForExclusiveAccess&) js/src/jsgc.cpp:5901:13
    #10 0x10b0bde in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) js/src/jsgc.cpp:6141:5
    #11 0x10b2260 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) js/src/jsgc.cpp:6248:25
    #12 0x108eee4 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:6313:5
    #13 0x159376f in JSRuntime::destroyRuntime() js/src/vm/Runtime.cpp:418:9
    #14 0x101f48b in JSContext::~JSContext() js/src/jscntxt.cpp:935:5
    #15 0xfd2a88 in void js_delete_poison<JSContext>(JSContext const*) dist/include/js/Utility.h:392:9
    #16 0xfd2a88 in js::DestroyContext(JSContext*) js/src/jscntxt.cpp:136
    #17 0x557de6 in main js/src/shell/js.cpp:7562:5

GC crash with address that isn't likely a null deref, marking s-s and sec-high.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 054d4856cea6).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d4cf63e47ae9
user:        Till Schneidereit
date:        Thu Jul 21 00:44:16 2016 +0200
summary:     Bug 911216 - Part 30: Enable SpiderMonkey Promise implementation. r=bz,efaust,bholley,Paolo,tromey,shu

This iteration took 187.603 seconds to run.
Setting needinfo? from Till due to Promises.
Flags: needinfo?(till)
Jon, would this perhaps be fixed by bug 1290551?
Flags: needinfo?(till) → needinfo?(jcoppeard)
This is a dupe of bug 1294241.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
Group: javascript-core-security
Keywords: sec-high