Crash [@ JSObject::allocKindForTenure] with Debugger and use-after-free

RESOLVED FIXED in Firefox 50





(Reporter: decoder, Assigned: shu)


(Blocks 1 bug, 5 keywords)

Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox49 wontfix, firefox-esr45 affected, firefox50 fixed, firefox51 fixed, firefox52 fixed)


(Whiteboard: [jsbugmon:update], crash signature)


(1 attachment)



3 years ago
The following testcase crashes on mozilla-central revision cfdb7af3af2e (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

setJitCompilerOption('ion.warmup.trigger', 0);
gczeal(7, 1);
var dbgGlobal = newGlobal();
var dbg = new dbgGlobal.Debugger();
function f(x, await = () => Array.isArray(revocable.proxy), ...get) {
function a() {}
for (var i = 0; this; i++) f();


 received signal SIGSEGV, Segmentation fault.
0x00000000007b70ea in JSObject::allocKindForTenure (this=this@entry=0x7ffff0700420, nursery=...) at js/src/jsobj.cpp:3668
#0  0x00000000007b70ea in JSObject::allocKindForTenure (this=this@entry=0x7ffff0700420, nursery=...) at js/src/jsobj.cpp:3668
#1  0x0000000000a82e7e in js::TenuringTracer::moveToTenured (this=0x7fffffffb7a0, src=0x7ffff0700420) at js/src/gc/Marking.cpp:2395
#2  0x0000000000a83044 in js::TenuringTracer::traverse<JSObject> (this=<optimized out>, objp=0x7fffffffb388) at js/src/gc/Marking.cpp:2226
#3  0x0000000000a92faf in js::TenuringTraversalFunctor<JS::Value>::operator()<JSObject> (this=<synthetic pointer>, trc=<optimized out>, t=0x7ffff0700420) at js/src/gc/Marking.cpp:2232
#4  js::DispatchTyped<js::TenuringTraversalFunctor<JS::Value>, js::TenuringTracer*>(js::TenuringTraversalFunctor<JS::Value>, JS::Value const&, js::TenuringTracer*&&) (f=..., val=...) at dist/include/js/Value.h:1913
#5  0x0000000000a950a8 in js::TenuringTracer::traverse<JS::Value> (thingp=0x7fffffffc4b0, this=0x7fffffffb7a0) at js/src/gc/Marking.cpp:2241
#6  DispatchToTracer<JS::Value> (trc=trc@entry=0x7fffffffb7a0, thingp=thingp@entry=0x7fffffffc4b0, name=name@entry=0xd91619 "baseline-stack") at js/src/gc/Marking.cpp:663
#7  0x0000000000a953dd in js::TraceRootRange<JS::Value> (trc=trc@entry=0x7fffffffb7a0, len=6, vec=<optimized out>, name=name@entry=0xd91619 "baseline-stack") at js/src/gc/Marking.cpp:533
#8  0x0000000000b858ca in MarkLocals (end=<optimized out>, start=0, trc=0x7fffffffb7a0, frame=0x7fffffffc4c8) at js/src/jit/BaselineFrame.cpp:26
#9  js::jit::BaselineFrame::trace (this=0x7fffffffc4c8, trc=trc@entry=0x7fffffffb7a0, frameIterator=...) at js/src/jit/BaselineFrame.cpp:73
#10 0x00000000005f5ce9 in js::jit::MarkJitActivation (activations=..., trc=0x7fffffffb7a0) at js/src/jit/JitFrames.cpp:1428
#11 js::jit::MarkJitActivations (rt=<optimized out>, trc=trc@entry=0x7fffffffb7a0) at js/src/jit/JitFrames.cpp:1456
#12 0x0000000000a85e41 in js::gc::GCRuntime::traceRuntimeCommon (this=this@entry=0x7ffff695f8d0, trc=trc@entry=0x7fffffffb7a0, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::TraceRuntime, lock=...) at js/src/gc/RootMarking.cpp:350
#13 0x0000000000a862c1 in js::gc::GCRuntime::traceRuntimeForMinorGC (this=this@entry=0x7ffff695f8d0, trc=trc@entry=0x7fffffffb7a0, lock=...) at js/src/gc/RootMarking.cpp:304
#14 0x0000000000a86499 in js::Nursery::doCollection (this=this@entry=0x7ffff695f918, rt=rt@entry=0x7ffff695f200, reason=reason@entry=JS::gcreason::DEBUG_GC, tenureCounts=...) at js/src/gc/Nursery.cpp:678
#15 0x0000000000a86ea7 in js::Nursery::collect (this=this@entry=0x7ffff695f918, rt=0x7ffff695f200, reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/gc/Nursery.cpp:574
#16 0x000000000078900a in js::gc::GCRuntime::minorGC (this=this@entry=0x7ffff695f8d0, reason=reason@entry=JS::gcreason::DEBUG_GC, phase=phase@entry=js::gcstats::PHASE_MINOR_GC) at js/src/jsgc.cpp:6502
#17 0x00000000007a23cb in js::gc::GCRuntime::minorGC (phase=js::gcstats::PHASE_MINOR_GC, reason=JS::gcreason::DEBUG_GC, this=0x7ffff695f8d0) at js/src/jsgc.cpp:6701
#18 js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff695f8d0) at js/src/jsgc.cpp:6702
#19 0x0000000000a70390 in js::gc::GCRuntime::gcIfNeededPerAllocation (this=0x7ffff695f8d0, cx=0x7ffff695f000) at js/src/gc/Allocator.cpp:225
#20 0x0000000000a7b21e in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (kind=js::gc::AllocKind::OBJECT0_BACKGROUND, cx=<optimized out>, this=0x7ffff695f8d0) at js/src/gc/Allocator.cpp:189
#21 js::Allocate<JSObject, (js::AllowGC)1> (cx=0x7ffff695f000, kind=js::gc::AllocKind::OBJECT0_BACKGROUND, nDynamicSlots=3, heap=js::gc::TenuredHeap, clasp=0x1a64760 <js::ProxyObject::proxyClass>) at js/src/gc/Allocator.cpp:47
#22 0x00000000007bce4d in JSObject::create (group=..., shape=..., heap=js::gc::TenuredHeap, kind=js::gc::AllocKind::OBJECT0_BACKGROUND, cx=0x7ffff695f000) at js/src/jsobjinlines.h:377
#23 NewObject (cx=cx@entry=0x7ffff695f000, group=group@entry=..., kind=kind@entry=js::gc::AllocKind::OBJECT0_BACKGROUND, newKind=newKind@entry=js::GenericObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/jsobj.cpp:667
#24 0x00000000007bd461 in js::NewObjectWithGivenTaggedProto (cxArg=cxArg@entry=0x7ffff695f000, clasp=clasp@entry=0x1a64760 <js::ProxyObject::proxyClass>, proto=proto@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::OBJECT0_BACKGROUND, newKind=newKind@entry=js::GenericObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/jsobj.cpp:727
#25 0x00000000008f0b17 in js::ProxyObject::New (cx=0x7ffff695f000, handler=0x1a648a0 <js::CrossCompartmentWrapper::singleton>, priv=..., proto_=..., options=...) at js/src/vm/ProxyObject.cpp:48
#26 0x000000000080d937 in js::NewProxyObject (cx=<optimized out>, handler=<optimized out>, priv=..., priv@entry=..., proto_=<optimized out>, options=...) at js/src/proxy/Proxy.cpp:774
#27 0x000000000083aa92 in js::Wrapper::New (cx=<optimized out>, obj=<optimized out>, handler=<optimized out>, options=...) at js/src/proxy/Wrapper.cpp:311
#28 0x000000000083adc6 in js::TransparentObjectWrapper (cx=<optimized out>, existing=..., obj=...) at js/src/proxy/Wrapper.cpp:394
#29 0x000000000075fb72 in JSCompartment::wrap (this=this@entry=0x7ffff03c8000, cx=cx@entry=0x7ffff695f000, obj=obj@entry=..., existingArg=..., existingArg@entry=...) at js/src/jscompartment.cpp:465
#30 0x000000000076eb08 in JSCompartment::wrap (this=0x7ffff03c8000, cx=0x7ffff695f000, vp=...) at js/src/jscompartmentinlines.h:119
#31 0x000000000080e916 in js::CrossCompartmentWrapper::call (this=0x1a648a0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff695f000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:337
#32 0x000000000080d6ca in js::Proxy::call (args=..., proxy=..., cx=0x7ffff695f000) at js/src/proxy/Proxy.cpp:401
#33 js::proxy_Call (cx=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:690
#34 0x00000000008d8300 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7ffff695f000) at js/src/jscntxtinlines.h:235
#35 js::InternalCallOrConstruct (cx=cx@entry=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:454
#36 0x00000000008d8475 in InternalCall (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:499
#37 0x00000000008d84a5 in js::CallFromStack (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:505
#38 0x0000000000bc0022 in js::jit::DoCallFallback (cx=0x7ffff695f000, frame=0x7fffffffc4c8, stub_=0x7ffff03fe3c8, argc=1, vp=0x7fffffffc460, res=...) at js/src/jit/BaselineIC.cpp:5998
#39 0x00007ffff7e3ca5f in ?? ()
#40 0x0000000000000000 in ?? ()
rax	0x1a54080	27607168
rbx	0x7ffff0700420	140737227260960
rcx	0x1fffc	131068
rdx	0xbad0bad1	3134241489
rsi	0x7ffff695f918	140737330411800
rdi	0x7ffff0700420	140737227260960
rbp	0x7fffffffb7a0	140737488336800
rsp	0x7fffffffb308	140737488335624
r8	0x2b2b2b2b2b2b2b2b	3110627432037296939
r9	0x654	1620
r10	0xa8	168
r11	0x246	582
r12	0xfffc000000000000	-1125899906842624
r13	0x7fffffffb7a0	140737488336800
r14	0x6	6
r15	0xfffa7fffffffffff	-1548112371908609
rip	0x7b70ea <JSObject::allocKindForTenure(js::Nursery const&) const+10>
=> 0x7b70ea <JSObject::allocKindForTenure(js::Nursery const&) const+10>:	mov    (%r8),%rdx
   0x7b70ed <JSObject::allocKindForTenure(js::Nursery const&) const+13>:	cmp    %rax,%rdx

Debugger only, not marking s-s.


3 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

3 years ago
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)

user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Report memory metrics for Scopes. (r=njn)

This iteration took 191.954 seconds to run.
Shu-yu, is bug 1263355 a likely regressor?
Blocks: 1263355
Flags: needinfo?(shu)
Crash volume for signature 'JSObject::allocKindForTenure':
 - nightly (version 52): 3 crashes from 2016-09-19.
 - aurora  (version 51): 20 crashes from 2016-09-19.
 - beta    (version 50): 235 crashes from 2016-09-20.
 - release (version 49): 481 crashes from 2016-09-05.
 - esr     (version 45): 201 crashes from 2016-06-01.

Crash volume on the last weeks (Week N is from 10-03 to 10-09):
            W. N-1  W. N-2
 - nightly       0       3
 - aurora       19       1
 - beta        191      44
 - release     380     100
 - esr          24      11

Affected platforms: Windows, Linux

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly
 - aurora  #230      #70
 - beta    #107      #71
 - release #194      #100
 - esr     #395

Comment 4

3 years ago
The bug is that RematerializedFrame slots are incorrectly traced, causing a
local slot not to be forwarded. The length of RematerializedFrame::slots_ is
the max(actuals, formals) + fixed slots, and the tracing code wasn't using the
Attachment #8797299 - Flags: review?(jimb)
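An added illustration of the failure described in comment 4 (my code, not the patch and not SpiderMonkey's js::Nursery or RematerializedFrame), assuming the buggy tracer walked only formals + fixed entries: a toy moving nursery traces a frame's slot array with both lengths, then poisons the nursery with the 0x2b byte pattern that also fills r8 in the register dump above, so any slot left unforwarded can be counted. The Nursery, Frame and traceSlot names are invented.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <vector>
// One heap object; `forward` is set once the object has been copied out.
struct Obj { Obj* forward; int payload; };
// Toy moving nursery (hypothetical, not SpiderMonkey's js::Nursery).
struct Nursery {
    Obj space[16]; size_t used = 0;
    Obj* tenured[16]; size_t ntenured = 0;
    Obj* alloc(int v) { Obj* o = &space[used++]; *o = Obj{nullptr, v}; return o; }
    bool inNursery(const Obj* o) const { return o >= space && o < space + 16; }
    // Tenure the object behind `slot` (once) and rewrite the slot to the copy.
    void traceSlot(Obj** slot) {
        Obj* o = *slot;
        if (!o || !inNursery(o)) return;
        if (!o->forward) o->forward = tenured[ntenured++] = new Obj{nullptr, o->payload};
        *slot = o->forward;
    }
    // Minor GC done: poison the nursery with 0x2b so unforwarded slots stand out.
    void finish() { std::memset(space, 0x2b, sizeof(space)); }
    ~Nursery() { for (size_t i = 0; i < ntenured; i++) delete tenured[i]; }
};
// Frame slots laid out as the comment describes: arguments first, then the fixed
// (local) slots, so slots_ holds max(actuals, formals) + fixed entries.
struct Frame {
    size_t actuals, formals, fixed;
    std::vector<Obj*> slots;
    Frame(size_t a, size_t f, size_t x) : actuals(a), formals(f), fixed(x), slots(std::max(a, f) + x, nullptr) {}
    size_t numSlots() const { return std::max(actuals, formals) + fixed; }
};
// Assumed buggy tracer: walks formals + fixed entries, so when more actuals than
// formals were passed the trailing local slots are never forwarded.
void traceFrameBuggy(Nursery& n, Frame& f) {
    for (size_t i = 0; i < f.formals + f.fixed; i++) n.traceSlot(&f.slots[i]);
}
void traceFrameFixed(Nursery& n, Frame& f) {   // fixed tracer: every slot
    for (size_t i = 0; i < f.numSlots(); i++) n.traceSlot(&f.slots[i]);
}
// Run one minor GC over a frame like f(x, ...) called with three arguments and
// return how many slots still point into the poisoned nursery (dangling refs).
size_t staleSlotsAfterGC(bool useFix) {
    Nursery n;
    Frame f(/*actuals=*/3, /*formals=*/1, /*fixed=*/2);
    for (size_t i = 0; i < f.slots.size(); i++) f.slots[i] = n.alloc(int(i));
    if (useFix) traceFrameFixed(n, f); else traceFrameBuggy(n, f);
    n.finish();
    size_t stale = 0; for (Obj* o : f.slots) if (n.inNursery(o)) stale++;
    return stale;   // 2 with the buggy tracer, 0 with the fix
}
```

A real engine would then read object headers through those stale pointers during tenuring, which is the poisoned-memory read the backtrace above shows in JSObject::allocKindForTenure.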


3 years ago
Flags: needinfo?(shu)


3 years ago
Attachment #8797299 - Flags: review?(jimb) → review+

Comment 5

3 years ago
Pushed by
Fix RematerializedFrame slot tracing. (r=jimb)

Comment 6

3 years ago
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Is 50 affected? Or is the crash on 50 a different crash with the same signature?
Flags: needinfo?(shu)

Comment 8

3 years ago
(In reply to Marco Castelluccio [:marco] from comment #7)
> Is 50 affected? Or is the crash on 50 a different crash with the same
> signature?

Yeah it's probably affected?
Flags: needinfo?(shu)
If this seems appropriate to uplift to 51 or 50, please request uplift. Thanks!
Flags: needinfo?(choller)

Comment 10

3 years ago
Forwarding needinfo to shu. Please request uplift and prepare patches if necessary. Thanks!
Flags: needinfo?(choller) → needinfo?(shu)

Comment 11

3 years ago
Comment on attachment 8797299 [details] [diff] [review]
Fix RematerializedFrame slot tracing.

Approval Request Comment
[Feature/regressing bug #]: Unknown, but bug 1263355 surfaced it
[User impact if declined]: Possible crashes when debugging; should be rare
[Describe test coverage new/current, TreeHerder]: On central
[Risks and why]: Low, bugfix only
[String/UUID change made/needed]: None
Flags: needinfo?(shu)
Attachment #8797299 - Flags: approval-mozilla-beta?
Attachment #8797299 - Flags: approval-mozilla-aurora?
Comment on attachment 8797299 [details] [diff] [review]
Fix RematerializedFrame slot tracing.

Crash fix, Aurora51+, Beta50+
Attachment #8797299 - Flags: approval-mozilla-beta?
Attachment #8797299 - Flags: approval-mozilla-beta+
Attachment #8797299 - Flags: approval-mozilla-aurora?
Attachment #8797299 - Flags: approval-mozilla-aurora+


3 years ago
Duplicate of this bug: 1305779