Bug 1302432
Crash [@ JSObject::allocKindForTenure] with Debugger and use-after-free
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
mozilla52
(Reporter: decoder, Assigned: shu)
(5 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
2.51 KB,
patch
jimb
:
review+
ritu
:
approval-mozilla-aurora+
ritu
:
approval-mozilla-beta+
The following testcase crashes on mozilla-central revision cfdb7af3af2e (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off): setJitCompilerOption('ion.warmup.trigger', 0); gczeal(7, 1); var dbgGlobal = newGlobal(); var dbg = new dbgGlobal.Debugger(); dbg.addDebuggee(this); function f(x, await = () => Array.isArray(revocable.proxy), ...get) { dbg.getNewestFrame().older.eval("print(a)"); } function a() {} for (var i = 0; this; i++) f(); Backtrace: received signal SIGSEGV, Segmentation fault. 0x00000000007b70ea in JSObject::allocKindForTenure (this=this@entry=0x7ffff0700420, nursery=...) at js/src/jsobj.cpp:3668 #0 0x00000000007b70ea in JSObject::allocKindForTenure (this=this@entry=0x7ffff0700420, nursery=...) at js/src/jsobj.cpp:3668 #1 0x0000000000a82e7e in js::TenuringTracer::moveToTenured (this=0x7fffffffb7a0, src=0x7ffff0700420) at js/src/gc/Marking.cpp:2395 #2 0x0000000000a83044 in js::TenuringTracer::traverse<JSObject> (this=<optimized out>, objp=0x7fffffffb388) at js/src/gc/Marking.cpp:2226 #3 0x0000000000a92faf in js::TenuringTraversalFunctor<JS::Value>::operator()<JSObject> (this=<synthetic pointer>, trc=<optimized out>, t=0x7ffff0700420) at js/src/gc/Marking.cpp:2232 #4 js::DispatchTyped<js::TenuringTraversalFunctor<JS::Value>, js::TenuringTracer*>(js::TenuringTraversalFunctor<JS::Value>, JS::Value const&, js::TenuringTracer*&&) (f=..., val=...) 
at dist/include/js/Value.h:1913 #5 0x0000000000a950a8 in js::TenuringTracer::traverse<JS::Value> (thingp=0x7fffffffc4b0, this=0x7fffffffb7a0) at js/src/gc/Marking.cpp:2241 #6 DispatchToTracer<JS::Value> (trc=trc@entry=0x7fffffffb7a0, thingp=thingp@entry=0x7fffffffc4b0, name=name@entry=0xd91619 "baseline-stack") at js/src/gc/Marking.cpp:663 #7 0x0000000000a953dd in js::TraceRootRange<JS::Value> (trc=trc@entry=0x7fffffffb7a0, len=6, vec=<optimized out>, name=name@entry=0xd91619 "baseline-stack") at js/src/gc/Marking.cpp:533 #8 0x0000000000b858ca in MarkLocals (end=<optimized out>, start=0, trc=0x7fffffffb7a0, frame=0x7fffffffc4c8) at js/src/jit/BaselineFrame.cpp:26 #9 js::jit::BaselineFrame::trace (this=0x7fffffffc4c8, trc=trc@entry=0x7fffffffb7a0, frameIterator=...) at js/src/jit/BaselineFrame.cpp:73 #10 0x00000000005f5ce9 in js::jit::MarkJitActivation (activations=..., trc=0x7fffffffb7a0) at js/src/jit/JitFrames.cpp:1428 #11 js::jit::MarkJitActivations (rt=<optimized out>, trc=trc@entry=0x7fffffffb7a0) at js/src/jit/JitFrames.cpp:1456 #12 0x0000000000a85e41 in js::gc::GCRuntime::traceRuntimeCommon (this=this@entry=0x7ffff695f8d0, trc=trc@entry=0x7fffffffb7a0, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::TraceRuntime, lock=...) at js/src/gc/RootMarking.cpp:350 #13 0x0000000000a862c1 in js::gc::GCRuntime::traceRuntimeForMinorGC (this=this@entry=0x7ffff695f8d0, trc=trc@entry=0x7fffffffb7a0, lock=...) at js/src/gc/RootMarking.cpp:304 #14 0x0000000000a86499 in js::Nursery::doCollection (this=this@entry=0x7ffff695f918, rt=rt@entry=0x7ffff695f200, reason=reason@entry=JS::gcreason::DEBUG_GC, tenureCounts=...) 
at js/src/gc/Nursery.cpp:678 #15 0x0000000000a86ea7 in js::Nursery::collect (this=this@entry=0x7ffff695f918, rt=0x7ffff695f200, reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/gc/Nursery.cpp:574 #16 0x000000000078900a in js::gc::GCRuntime::minorGC (this=this@entry=0x7ffff695f8d0, reason=reason@entry=JS::gcreason::DEBUG_GC, phase=phase@entry=js::gcstats::PHASE_MINOR_GC) at js/src/jsgc.cpp:6502 #17 0x00000000007a23cb in js::gc::GCRuntime::minorGC (phase=js::gcstats::PHASE_MINOR_GC, reason=JS::gcreason::DEBUG_GC, this=0x7ffff695f8d0) at js/src/jsgc.cpp:6701 #18 js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff695f8d0) at js/src/jsgc.cpp:6702 #19 0x0000000000a70390 in js::gc::GCRuntime::gcIfNeededPerAllocation (this=0x7ffff695f8d0, cx=0x7ffff695f000) at js/src/gc/Allocator.cpp:225 #20 0x0000000000a7b21e in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (kind=js::gc::AllocKind::OBJECT0_BACKGROUND, cx=<optimized out>, this=0x7ffff695f8d0) at js/src/gc/Allocator.cpp:189 #21 js::Allocate<JSObject, (js::AllowGC)1> (cx=0x7ffff695f000, kind=js::gc::AllocKind::OBJECT0_BACKGROUND, nDynamicSlots=3, heap=js::gc::TenuredHeap, clasp=0x1a64760 <js::ProxyObject::proxyClass>) at js/src/gc/Allocator.cpp:47 #22 0x00000000007bce4d in JSObject::create (group=..., shape=..., heap=js::gc::TenuredHeap, kind=js::gc::AllocKind::OBJECT0_BACKGROUND, cx=0x7ffff695f000) at js/src/jsobjinlines.h:377 #23 NewObject (cx=cx@entry=0x7ffff695f000, group=group@entry=..., kind=kind@entry=js::gc::AllocKind::OBJECT0_BACKGROUND, newKind=newKind@entry=js::GenericObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/jsobj.cpp:667 #24 0x00000000007bd461 in js::NewObjectWithGivenTaggedProto (cxArg=cxArg@entry=0x7ffff695f000, clasp=clasp@entry=0x1a64760 <js::ProxyObject::proxyClass>, proto=proto@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::OBJECT0_BACKGROUND, newKind=newKind@entry=js::GenericObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/jsobj.cpp:727 #25 
0x00000000008f0b17 in js::ProxyObject::New (cx=0x7ffff695f000, handler=0x1a648a0 <js::CrossCompartmentWrapper::singleton>, priv=..., proto_=..., options=...) at js/src/vm/ProxyObject.cpp:48 #26 0x000000000080d937 in js::NewProxyObject (cx=<optimized out>, handler=<optimized out>, priv=..., priv@entry=..., proto_=<optimized out>, options=...) at js/src/proxy/Proxy.cpp:774 #27 0x000000000083aa92 in js::Wrapper::New (cx=<optimized out>, obj=<optimized out>, handler=<optimized out>, options=...) at js/src/proxy/Wrapper.cpp:311 #28 0x000000000083adc6 in js::TransparentObjectWrapper (cx=<optimized out>, existing=..., obj=...) at js/src/proxy/Wrapper.cpp:394 #29 0x000000000075fb72 in JSCompartment::wrap (this=this@entry=0x7ffff03c8000, cx=cx@entry=0x7ffff695f000, obj=obj@entry=..., existingArg=..., existingArg@entry=...) at js/src/jscompartment.cpp:465 #30 0x000000000076eb08 in JSCompartment::wrap (this=0x7ffff03c8000, cx=0x7ffff695f000, vp=...) at js/src/jscompartmentinlines.h:119 #31 0x000000000080e916 in js::CrossCompartmentWrapper::call (this=0x1a648a0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff695f000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:337 #32 0x000000000080d6ca in js::Proxy::call (args=..., proxy=..., cx=0x7ffff695f000) at js/src/proxy/Proxy.cpp:401 #33 js::proxy_Call (cx=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:690 #34 0x00000000008d8300 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7ffff695f000) at js/src/jscntxtinlines.h:235 #35 js::InternalCallOrConstruct (cx=cx@entry=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:454 #36 0x00000000008d8475 in InternalCall (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:499 #37 0x00000000008d84a5 in js::CallFromStack (cx=cx@entry=0x7ffff695f000, args=...) 
at js/src/vm/Interpreter.cpp:505 #38 0x0000000000bc0022 in js::jit::DoCallFallback (cx=0x7ffff695f000, frame=0x7fffffffc4c8, stub_=0x7ffff03fe3c8, argc=1, vp=0x7fffffffc460, res=...) at js/src/jit/BaselineIC.cpp:5998 #39 0x00007ffff7e3ca5f in ?? () #40 0x0000000000000000 in ?? () rax 0x1a54080 27607168 rbx 0x7ffff0700420 140737227260960 rcx 0x1fffc 131068 rdx 0xbad0bad1 3134241489 rsi 0x7ffff695f918 140737330411800 rdi 0x7ffff0700420 140737227260960 rbp 0x7fffffffb7a0 140737488336800 rsp 0x7fffffffb308 140737488335624 r8 0x2b2b2b2b2b2b2b2b 3110627432037296939 r9 0x654 1620 r10 0xa8 168 r11 0x246 582 r12 0xfffc000000000000 -1125899906842624 r13 0x7fffffffb7a0 140737488336800 r14 0x6 6 r15 0xfffa7fffffffffff -1548112371908609 rip 0x7b70ea <JSObject::allocKindForTenure(js::Nursery const&) const+10> => 0x7b70ea <JSObject::allocKindForTenure(js::Nursery const&) const+10>: mov (%r8),%rdx 0x7b70ed <JSObject::allocKindForTenure(js::Nursery const&) const+13>: cmp %rax,%rdx Reachable only through the Debugger API, so not marking security-sensitive (s-s). Note that the faulting load dereferences r8 = 0x2b2b2b2b2b2b2b2b, which looks like a fill/poison pattern rather than a live pointer — consistent with a stale (use-after-free) reference being traced during the minor GC.
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result: Due to skipped revisions, the first bad revision could be any of: changeset: https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d user: Shu-yu Guo date: Thu Aug 25 01:28:47 2016 -0700 summary: Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo) changeset: https://hg.mozilla.org/mozilla-central/rev/18bec78f348e user: Shu-yu Guo date: Thu Aug 25 01:28:47 2016 -0700 summary: Bug 1263355 - Report memory metrics for Scopes. (r=njn) This iteration took 191.954 seconds to run.
Shu-yu, is bug 1263355 a likely regressor?
Blocks: 1263355
Flags: needinfo?(shu)
Comment 3•8 years ago
Crash volume for signature 'JSObject::allocKindForTenure': - nightly (version 52): 3 crashes from 2016-09-19. - aurora (version 51): 20 crashes from 2016-09-19. - beta (version 50): 235 crashes from 2016-09-20. - release (version 49): 481 crashes from 2016-09-05. - esr (version 45): 201 crashes from 2016-06-01. Crash volume on the last weeks (Week N is from 10-03 to 10-09): W. N-1 W. N-2 - nightly 0 3 - aurora 19 1 - beta 191 44 - release 380 100 - esr 24 11 Affected platforms: Windows, Linux Crash rank on the last 7 days: Browser Content Plugin - nightly - aurora #230 #70 - beta #107 #71 - release #194 #100 - esr #395
status-firefox49:
--- → affected
status-firefox50:
--- → affected
status-firefox52:
--- → affected
status-firefox-esr45:
--- → affected
Comment 4•8 years ago
The bug is that RematerializedFrame slots are incorrectly traced, so a local slot is not forwarded when the nursery is collected and the frame is left holding a stale pointer into the nursery (the use-after-free seen in the stack above). The length of RematerializedFrame::slots_ is max(actuals, formals) + fixed slots, but the tracing code wasn't using the max(), so it could trace fewer slots than the frame actually holds.
Attachment #8797299 -
Flags: review?(jimb)
Updated•8 years ago
Flags: needinfo?(shu)
Updated•8 years ago
Attachment #8797299 -
Flags: review?(jimb) → review+
Pushed by shu@rfrn.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/ef948812fe08 Fix RematerializedFrame slot tracing. (r=jimb)
Comment 6•8 years ago
bugherder |
https://hg.mozilla.org/mozilla-central/rev/ef948812fe08
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Comment 7•8 years ago
Is 50 affected? Or is the crash on 50 a different crash with the same signature?
Flags: needinfo?(shu)
Comment 8•8 years ago
(In reply to Marco Castelluccio [:marco] from comment #7) > Is 50 affected? Or is the crash on 50 a different crash with the same > signature? Yeah it's probably affected?
Flags: needinfo?(shu)
Comment 9•8 years ago
If this seems appropriate to uplift to 51 or 50, please request uplift. Thanks!
Flags: needinfo?(choller)
Comment 10•8 years ago
Forwarding needinfo to shu. Please request uplift and prepare patches if necessary. Thanks!
Flags: needinfo?(choller) → needinfo?(shu)
Comment 11•8 years ago
Comment on attachment 8797299 [details] [diff] [review] Fix RematerializedFrame slot tracing. Approval Request Comment [Feature/regressing bug #]: Unknown, but bug 1263355 surfaced it [User impact if declined]: Possible crashes when debugging — a rematerialized Debugger frame can keep a stale, unforwarded nursery pointer (a use-after-free, see comment 4); should be rare [Describe test coverage new/current, TreeHerder]: On central [Risks and why]: Low, bugfix only [String/UUID change made/needed]: None
Flags: needinfo?(shu)
Attachment #8797299 -
Flags: approval-mozilla-beta?
Attachment #8797299 -
Flags: approval-mozilla-aurora?
Comment on attachment 8797299 [details] [diff] [review] Fix RematerializedFrame slot tracing. Crash fix, Aurora51+, Beta50+
Attachment #8797299 -
Flags: approval-mozilla-beta?
Attachment #8797299 -
Flags: approval-mozilla-beta+
Attachment #8797299 -
Flags: approval-mozilla-aurora?
Attachment #8797299 -
Flags: approval-mozilla-aurora+
Comment 13•8 years ago
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-aurora/rev/dfbe8179ded9
Comment 14•8 years ago
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/f65f7378763e
Flags: in-testsuite+
Updated•7 years ago
Assignee: nobody → shu
Updated•7 years ago
Keywords: csectype-uaf