Closed Bug 1302432 Opened 4 years ago Closed 4 years ago

Crash [@ JSObject::allocKindForTenure] with Debugger and use-after-free

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla52
Tracking Status:
firefox49 --- wontfix
firefox-esr45 --- affected
firefox50 --- fixed
firefox51 --- fixed
firefox52 --- fixed
Reporter: decoder, Assigned: shu
Whiteboard: [jsbugmon:update] (5 keywords)
Attachments: 1 file

The following testcase crashes on mozilla-central revision cfdb7af3af2e (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

setJitCompilerOption('ion.warmup.trigger', 0); // Ion-compile immediately
gczeal(7, 1); // GC zeal mode 7: collect the nursery every allocation
var dbgGlobal = newGlobal();
var dbg = new dbgGlobal.Debugger();
dbg.addDebuggee(this);
// Default-parameter arrow function and rest parameter give f more formals than actuals.
function f(x, await = () => Array.isArray(revocable.proxy), ...get) {
    // Evaluate in the older (caller) frame via the Debugger while nursery GCs run.
    dbg.getNewestFrame().older.eval("print(a)");
}
function a() {}
for (var i = 0; this; i++) f();

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x00000000007b70ea in JSObject::allocKindForTenure (this=this@entry=0x7ffff0700420, nursery=...) at js/src/jsobj.cpp:3668
#0  0x00000000007b70ea in JSObject::allocKindForTenure (this=this@entry=0x7ffff0700420, nursery=...) at js/src/jsobj.cpp:3668
#1  0x0000000000a82e7e in js::TenuringTracer::moveToTenured (this=0x7fffffffb7a0, src=0x7ffff0700420) at js/src/gc/Marking.cpp:2395
#2  0x0000000000a83044 in js::TenuringTracer::traverse<JSObject> (this=<optimized out>, objp=0x7fffffffb388) at js/src/gc/Marking.cpp:2226
#3  0x0000000000a92faf in js::TenuringTraversalFunctor<JS::Value>::operator()<JSObject> (this=<synthetic pointer>, trc=<optimized out>, t=0x7ffff0700420) at js/src/gc/Marking.cpp:2232
#4  js::DispatchTyped<js::TenuringTraversalFunctor<JS::Value>, js::TenuringTracer*>(js::TenuringTraversalFunctor<JS::Value>, JS::Value const&, js::TenuringTracer*&&) (f=..., val=...) at dist/include/js/Value.h:1913
#5  0x0000000000a950a8 in js::TenuringTracer::traverse<JS::Value> (thingp=0x7fffffffc4b0, this=0x7fffffffb7a0) at js/src/gc/Marking.cpp:2241
#6  DispatchToTracer<JS::Value> (trc=trc@entry=0x7fffffffb7a0, thingp=thingp@entry=0x7fffffffc4b0, name=name@entry=0xd91619 "baseline-stack") at js/src/gc/Marking.cpp:663
#7  0x0000000000a953dd in js::TraceRootRange<JS::Value> (trc=trc@entry=0x7fffffffb7a0, len=6, vec=<optimized out>, name=name@entry=0xd91619 "baseline-stack") at js/src/gc/Marking.cpp:533
#8  0x0000000000b858ca in MarkLocals (end=<optimized out>, start=0, trc=0x7fffffffb7a0, frame=0x7fffffffc4c8) at js/src/jit/BaselineFrame.cpp:26
#9  js::jit::BaselineFrame::trace (this=0x7fffffffc4c8, trc=trc@entry=0x7fffffffb7a0, frameIterator=...) at js/src/jit/BaselineFrame.cpp:73
#10 0x00000000005f5ce9 in js::jit::MarkJitActivation (activations=..., trc=0x7fffffffb7a0) at js/src/jit/JitFrames.cpp:1428
#11 js::jit::MarkJitActivations (rt=<optimized out>, trc=trc@entry=0x7fffffffb7a0) at js/src/jit/JitFrames.cpp:1456
#12 0x0000000000a85e41 in js::gc::GCRuntime::traceRuntimeCommon (this=this@entry=0x7ffff695f8d0, trc=trc@entry=0x7fffffffb7a0, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::TraceRuntime, lock=...) at js/src/gc/RootMarking.cpp:350
#13 0x0000000000a862c1 in js::gc::GCRuntime::traceRuntimeForMinorGC (this=this@entry=0x7ffff695f8d0, trc=trc@entry=0x7fffffffb7a0, lock=...) at js/src/gc/RootMarking.cpp:304
#14 0x0000000000a86499 in js::Nursery::doCollection (this=this@entry=0x7ffff695f918, rt=rt@entry=0x7ffff695f200, reason=reason@entry=JS::gcreason::DEBUG_GC, tenureCounts=...) at js/src/gc/Nursery.cpp:678
#15 0x0000000000a86ea7 in js::Nursery::collect (this=this@entry=0x7ffff695f918, rt=0x7ffff695f200, reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/gc/Nursery.cpp:574
#16 0x000000000078900a in js::gc::GCRuntime::minorGC (this=this@entry=0x7ffff695f8d0, reason=reason@entry=JS::gcreason::DEBUG_GC, phase=phase@entry=js::gcstats::PHASE_MINOR_GC) at js/src/jsgc.cpp:6502
#17 0x00000000007a23cb in js::gc::GCRuntime::minorGC (phase=js::gcstats::PHASE_MINOR_GC, reason=JS::gcreason::DEBUG_GC, this=0x7ffff695f8d0) at js/src/jsgc.cpp:6701
#18 js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff695f8d0) at js/src/jsgc.cpp:6702
#19 0x0000000000a70390 in js::gc::GCRuntime::gcIfNeededPerAllocation (this=0x7ffff695f8d0, cx=0x7ffff695f000) at js/src/gc/Allocator.cpp:225
#20 0x0000000000a7b21e in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (kind=js::gc::AllocKind::OBJECT0_BACKGROUND, cx=<optimized out>, this=0x7ffff695f8d0) at js/src/gc/Allocator.cpp:189
#21 js::Allocate<JSObject, (js::AllowGC)1> (cx=0x7ffff695f000, kind=js::gc::AllocKind::OBJECT0_BACKGROUND, nDynamicSlots=3, heap=js::gc::TenuredHeap, clasp=0x1a64760 <js::ProxyObject::proxyClass>) at js/src/gc/Allocator.cpp:47
#22 0x00000000007bce4d in JSObject::create (group=..., shape=..., heap=js::gc::TenuredHeap, kind=js::gc::AllocKind::OBJECT0_BACKGROUND, cx=0x7ffff695f000) at js/src/jsobjinlines.h:377
#23 NewObject (cx=cx@entry=0x7ffff695f000, group=group@entry=..., kind=kind@entry=js::gc::AllocKind::OBJECT0_BACKGROUND, newKind=newKind@entry=js::GenericObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/jsobj.cpp:667
#24 0x00000000007bd461 in js::NewObjectWithGivenTaggedProto (cxArg=cxArg@entry=0x7ffff695f000, clasp=clasp@entry=0x1a64760 <js::ProxyObject::proxyClass>, proto=proto@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::OBJECT0_BACKGROUND, newKind=newKind@entry=js::GenericObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/jsobj.cpp:727
#25 0x00000000008f0b17 in js::ProxyObject::New (cx=0x7ffff695f000, handler=0x1a648a0 <js::CrossCompartmentWrapper::singleton>, priv=..., proto_=..., options=...) at js/src/vm/ProxyObject.cpp:48
#26 0x000000000080d937 in js::NewProxyObject (cx=<optimized out>, handler=<optimized out>, priv=..., priv@entry=..., proto_=<optimized out>, options=...) at js/src/proxy/Proxy.cpp:774
#27 0x000000000083aa92 in js::Wrapper::New (cx=<optimized out>, obj=<optimized out>, handler=<optimized out>, options=...) at js/src/proxy/Wrapper.cpp:311
#28 0x000000000083adc6 in js::TransparentObjectWrapper (cx=<optimized out>, existing=..., obj=...) at js/src/proxy/Wrapper.cpp:394
#29 0x000000000075fb72 in JSCompartment::wrap (this=this@entry=0x7ffff03c8000, cx=cx@entry=0x7ffff695f000, obj=obj@entry=..., existingArg=..., existingArg@entry=...) at js/src/jscompartment.cpp:465
#30 0x000000000076eb08 in JSCompartment::wrap (this=0x7ffff03c8000, cx=0x7ffff695f000, vp=...) at js/src/jscompartmentinlines.h:119
#31 0x000000000080e916 in js::CrossCompartmentWrapper::call (this=0x1a648a0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff695f000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:337
#32 0x000000000080d6ca in js::Proxy::call (args=..., proxy=..., cx=0x7ffff695f000) at js/src/proxy/Proxy.cpp:401
#33 js::proxy_Call (cx=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:690
#34 0x00000000008d8300 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7ffff695f000) at js/src/jscntxtinlines.h:235
#35 js::InternalCallOrConstruct (cx=cx@entry=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:454
#36 0x00000000008d8475 in InternalCall (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:499
#37 0x00000000008d84a5 in js::CallFromStack (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:505
#38 0x0000000000bc0022 in js::jit::DoCallFallback (cx=0x7ffff695f000, frame=0x7fffffffc4c8, stub_=0x7ffff03fe3c8, argc=1, vp=0x7fffffffc460, res=...) at js/src/jit/BaselineIC.cpp:5998
#39 0x00007ffff7e3ca5f in ?? ()
#40 0x0000000000000000 in ?? ()
rax	0x1a54080	27607168
rbx	0x7ffff0700420	140737227260960
rcx	0x1fffc	131068
rdx	0xbad0bad1	3134241489
rsi	0x7ffff695f918	140737330411800
rdi	0x7ffff0700420	140737227260960
rbp	0x7fffffffb7a0	140737488336800
rsp	0x7fffffffb308	140737488335624
r8	0x2b2b2b2b2b2b2b2b	3110627432037296939
r9	0x654	1620
r10	0xa8	168
r11	0x246	582
r12	0xfffc000000000000	-1125899906842624
r13	0x7fffffffb7a0	140737488336800
r14	0x6	6
r15	0xfffa7fffffffffff	-1548112371908609
rip	0x7b70ea <JSObject::allocKindForTenure(js::Nursery const&) const+10>
=> 0x7b70ea <JSObject::allocKindForTenure(js::Nursery const&) const+10>:	mov    (%r8),%rdx
   0x7b70ed <JSObject::allocKindForTenure(js::Nursery const&) const+13>:	cmp    %rax,%rdx


Debugger only, not marking s-s.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)

changeset:   https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Report memory metrics for Scopes. (r=njn)

This iteration took 191.954 seconds to run.
Shu-yu, is bug 1263355 a likely regressor?
Blocks: 1263355
Flags: needinfo?(shu)
Crash volume for signature 'JSObject::allocKindForTenure':
 - nightly (version 52): 3 crashes from 2016-09-19.
 - aurora  (version 51): 20 crashes from 2016-09-19.
 - beta    (version 50): 235 crashes from 2016-09-20.
 - release (version 49): 481 crashes from 2016-09-05.
 - esr     (version 45): 201 crashes from 2016-06-01.

Crash volume on the last weeks (Week N is from 10-03 to 10-09):
            W. N-1  W. N-2
 - nightly       0       3
 - aurora       19       1
 - beta        191      44
 - release     380     100
 - esr          24      11

Affected platforms: Windows, Linux

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly
 - aurora  #230      #70
 - beta    #107      #71
 - release #194      #100
 - esr     #395
The bug is that RematerializedFrame slots are incorrectly traced, resulting in a local slot not being forwarded. The length of RematerializedFrame::slots_ is max(actuals, formals) + fixed slots, and the tracing code wasn't using the max().
Attachment #8797299 - Flags: review?(jimb)
Flags: needinfo?(shu)
Attachment #8797299 - Flags: review?(jimb) → review+
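The slot-tracing bug described in the comment above, modelled as an added example (not SpiderMonkey's code and not the patch in attachment 8797299): a toy moving nursery, a frame whose slot array is sized max(actuals, formals) + fixed, and a buggy tracer beside the corrected one. It assumes the pre-fix loop was bounded by the actual-argument count (the report only says max() was not used); under that assumption, calling a three-parameter function with no arguments, as the testcase does with f(), leaves the formal slots pointing into the collected nursery.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Toy moving nursery (constructed for this example; not SpiderMonkey's own code).
struct Obj { Obj* forward = nullptr; };  // set once the minor GC has moved the object

struct Nursery {
    std::vector<Obj> cells;    // young objects live here until the minor GC
    std::vector<Obj> tenured;  // the minor GC copies survivors here
    explicit Nursery(std::size_t n) : cells(n) { tenured.reserve(n); }  // stable addresses
    bool inNursery(const Obj* o) const { return o >= cells.data() && o < cells.data() + cells.size(); }
    // Trace one edge: move the object out of the nursery (once) and forward the edge to it.
    void traceEdge(Obj** edge) {
        Obj* o = *edge;
        if (!o || !inNursery(o)) return;
        if (!o->forward) { tenured.push_back(*o); o->forward = &tenured.back(); }
        *edge = o->forward;
    }
};

// Slot layout as described in the bug: max(actuals, formals) argument slots, then fixed slots.
struct Frame {
    std::size_t numActuals, numFixed;
    std::vector<Obj*> slots;
    Frame(std::size_t formals, std::size_t actuals, std::size_t fixed, Nursery& n)
        : numActuals(actuals), numFixed(fixed), slots(std::max(formals, actuals) + fixed) {
        for (std::size_t i = 0; i < slots.size(); i++) slots[i] = &n.cells[i];  // all young
    }
};

// Buggy tracer: loop bound taken from the actual-argument count (an assumed pre-fix shape; the
// report only says max() was missing), so when actuals < formals the formal slots are skipped.
void traceFrameBuggy(Frame& f, Nursery& n) {
    for (std::size_t i = 0; i < f.numActuals + f.numFixed; i++) n.traceEdge(&f.slots[i]);
}
// Fixed tracer: visits max(actuals, formals) + fixed slots, i.e. every slot the frame owns.
void traceFrameFixed(Frame& f, Nursery& n) {
    for (std::size_t i = 0; i < f.slots.size(); i++) n.traceEdge(&f.slots[i]);
}

// Run one minor GC with the given tracer and return how many slots still point into the
// (now dead) nursery; any non-zero result is a dangling, use-after-free reference.
std::size_t danglingSlotsAfterMinorGC(std::size_t formals, std::size_t actuals, std::size_t fixed,
                                      void (*trace)(Frame&, Nursery&)) {
    Nursery n(std::max(formals, actuals) + fixed);
    Frame f(formals, actuals, fixed, n);
    trace(f, n);
    return static_cast<std::size_t>(
        std::count_if(f.slots.begin(), f.slots.end(), [&](Obj* s) { return n.inNursery(s); }));
}
```

With more actuals than formals both tracers forward every slot, which is why the defect only surfaces on argument underflow.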
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ef948812fe08
Fix RematerializedFrame slot tracing. (r=jimb)
https://hg.mozilla.org/mozilla-central/rev/ef948812fe08
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Is 50 affected? Or is the crash on 50 a different crash with the same signature?
Flags: needinfo?(shu)
(In reply to Marco Castelluccio [:marco] from comment #7)
> Is 50 affected? Or is the crash on 50 a different crash with the same
> signature?

Yeah it's probably affected?
Flags: needinfo?(shu)
If this seems appropriate to uplift to 51 or 50, please request uplift. Thanks!
Flags: needinfo?(choller)
Forwarding needinfo to shu. Please request uplift and prepare patches if necessary. Thanks!
Flags: needinfo?(choller) → needinfo?(shu)
Comment on attachment 8797299 [details] [diff] [review]
Fix RematerializedFrame slot tracing.

Approval Request Comment
[Feature/regressing bug #]: Unknown, but bug 1263355 surfaced it
[User impact if declined]: Possible crashes when debugging; should be rare
[Describe test coverage new/current, TreeHerder]: On central
[Risks and why]: Low, bugfix only
[String/UUID change made/needed]: None
Flags: needinfo?(shu)
Attachment #8797299 - Flags: approval-mozilla-beta?
Attachment #8797299 - Flags: approval-mozilla-aurora?
Comment on attachment 8797299 [details] [diff] [review]
Fix RematerializedFrame slot tracing.

Crash fix, Aurora51+, Beta50+
Attachment #8797299 - Flags: approval-mozilla-beta?
Attachment #8797299 - Flags: approval-mozilla-beta+
Attachment #8797299 - Flags: approval-mozilla-aurora?
Attachment #8797299 - Flags: approval-mozilla-aurora+
Duplicate of this bug: 1305779