Closed Bug 1302463 Opened 8 years ago Closed 8 years ago

Crash [@ js::gc::IsInsideNursery] with off-thread compilation and bad pointer

Categories

(Core :: JavaScript Engine, defect)
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED DUPLICATE of bug 1301496
Tracking Status
firefox50 --- fixed
firefox51 --- fixed

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

The following testcase crashes on mozilla-central revision cfdb7af3af2e (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --baseline-eager):

gczeal(10);
newGlobal();
offThreadCompileScript("let x = 1;");
evaluate(`
  if(month == 4) return day-119-leap;
`);

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x00000000004f1a98 in js::gc::IsInsideNursery (cell=0xbad0bad1) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/HeapAPI.h:338
#0  0x00000000004f1a98 in js::gc::IsInsideNursery (cell=0xbad0bad1) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/HeapAPI.h:338
#1  js::gc::Cell::isTenured (this=0xbad0bad1) at js/src/gc/Heap.h:251
#2  js::gc::TenuredCell::arena (this=0xbad0bad1) at js/src/gc/Heap.h:1242
#3  0x0000000000a99f6f in js::gc::TenuredCell::zoneFromAnyThread (this=<optimized out>) at js/src/gc/Heap.h:1271
#4  JSObject::zoneFromAnyThread (this=<optimized out>) at js/src/jsobj.h:318
#5  js::ParseTask::trace (trc=0x7fffffff9788, this=0x7ffff03f8d30) at js/src/vm/HelperThreads.cpp:260
#6  js::GlobalHelperThreadState::trace (this=<optimized out>, trc=trc@entry=0x7fffffff9788) at js/src/vm/HelperThreads.cpp:1701
#7  0x0000000000d1bcca in js::gc::GCRuntime::traceRuntimeCommon (this=this@entry=0x7ffff695f958, trc=trc@entry=0x7fffffff9788, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::MarkRuntime, lock=...) at js/src/gc/RootMarking.cpp:383
#8  0x0000000000d1bf50 in js::gc::GCRuntime::traceRuntimeForMajorGC (this=this@entry=0x7ffff695f958, trc=trc@entry=0x7fffffff9788, lock=...) at js/src/gc/RootMarking.cpp:286
#9  0x000000000091a607 in js::gc::GCRuntime::updatePointersToRelocatedCells (this=this@entry=0x7ffff695f958, zone=zone@entry=0x7ffff0339000, lock=...) at js/src/jsgc.cpp:2550
#10 0x000000000092e154 in js::gc::GCRuntime::compactPhase (this=this@entry=0x7ffff695f958, reason=reason@entry=JS::gcreason::DEBUG_GC, sliceBudget=..., lock=...) at js/src/jsgc.cpp:5482
#11 0x000000000092e952 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff695f958, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC, lock=...) at js/src/jsgc.cpp:5951
#12 0x000000000092fa9f in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff695f958, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6143
#13 0x000000000093014b in js::gc::GCRuntime::collect (this=this@entry=0x7ffff695f958, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6271
#14 0x0000000000930d15 in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff695f958) at js/src/jsgc.cpp:6730
#15 0x0000000000cfa658 in js::gc::GCRuntime::gcIfNeededPerAllocation (this=this@entry=0x7ffff695f958, cx=cx@entry=0x7ffff695f000) at js/src/gc/Allocator.cpp:225
#16 0x0000000000d07529 in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=this@entry=0x7ffff695f958, cx=cx@entry=0x7ffff695f000, kind=kind@entry=js::gc::AllocKind::SHAPE) at js/src/gc/Allocator.cpp:189
#17 0x0000000000d09277 in js::Allocate<js::Shape, (js::AllowGC)1> (cx=cx@entry=0x7ffff695f000) at js/src/gc/Allocator.cpp:139
#18 0x00000000009692e8 in js::Shape::new_ (nfixed=<optimized out>, other=..., cx=0x7ffff695f000) at js/src/vm/Shape-inl.h:86
#19 js::PropertyTree::getChild (this=0x7ffff0302868, cx=cx@entry=0x7ffff695f000, parentArg=parentArg@entry=0x7ffff06c9d80, child=child@entry=...) at js/src/jspropertytree.cpp:185
#20 0x0000000000b4c600 in js::NativeObject::getChildProperty (cx=0x7ffff695f000, obj=obj@entry=..., parent=parent@entry=..., child=child@entry=...) at js/src/vm/Shape.cpp:446
#21 0x0000000000b64e76 in js::NativeObject::addPropertyInternal (cx=0x7ffff695f000, obj=obj@entry=..., id=..., id@entry=..., getter=0x0, setter=0x0, slot=16777215, attrs=0, flags=0, entry=0x0, allowDictionary=true) at js/src/vm/Shape.cpp:623
#22 0x0000000000b66370 in js::NativeObject::putProperty (cx=cx@entry=0x7ffff695f000, obj=obj@entry=..., id=id@entry=..., getter=0x0, setter=0x0, slot=slot@entry=16777215, attrs=0, flags=0) at js/src/vm/Shape.cpp:774
#23 0x0000000000ace17a in AddOrChangeProperty (cx=0x7ffff695f000, obj=obj@entry=..., id=id@entry=..., desc=...) at js/src/vm/NativeObject.cpp:1184
#24 0x0000000000ae1060 in js::NativeDefineProperty (cx=cx@entry=0x7ffff695f000, obj=..., id=id@entry=..., desc_=..., result=...) at js/src/vm/NativeObject.cpp:1407
#25 0x0000000000959f08 in js::DefineProperty (cx=cx@entry=0x7ffff695f000, obj=..., id=..., id@entry=..., value=..., getter=getter@entry=0x0, setter=setter@entry=0x0, attrs=0, result=...) at js/src/jsobj.cpp:2683
#26 0x000000000095a20e in js::DefineProperty (cx=cx@entry=0x7ffff695f000, obj=..., obj@entry=..., id=..., id@entry=..., value=..., getter=getter@entry=0x0, setter=setter@entry=0x0, attrs=0) at js/src/jsobj.cpp:2714
#27 0x000000000095a356 in js::DefineProperty (cx=cx@entry=0x7ffff695f000, obj=obj@entry=..., name=<optimized out>, value=..., value@entry=..., getter=getter@entry=0x0, setter=setter@entry=0x0, attrs=0) at js/src/jsobj.cpp:2730
#28 0x0000000000907da4 in js::ErrorObject::createProto (cx=0x7ffff695f000, key=<optimized out>) at js/src/jsexn.cpp:468
#29 0x0000000000aa7298 in js::GlobalObject::resolveConstructor (cx=0x7ffff695f000, global=..., key=JSProto_SyntaxError) at js/src/vm/GlobalObject.cpp:199
#30 0x0000000000aa7d79 in js::GlobalObject::getOrCreateCustomErrorPrototype (exnType=JSEXN_SYNTAXERR, global=..., cx=0x7ffff695f000) at js/src/vm/GlobalObject.h:425
#31 js::ErrorObject::create (cx=cx@entry=0x7ffff695f000, errorType=errorType@entry=JSEXN_SYNTAXERR, stack=..., stack@entry=..., fileName=..., fileName@entry=..., lineNumber=lineNumber@entry=2, columnNumber=columnNumber@entry=17, report=0x7fffffffa7e0, message=..., protoArg=...) at js/src/vm/ErrorObject.cpp:94
#32 0x0000000000908348 in js::ErrorToException (cx=0x7ffff695f000, message=<optimized out>, reportp=reportp@entry=0x7fffffffa940, callback=<optimized out>, callback@entry=0x0, userRef=userRef@entry=0x0) at js/src/jsexn.cpp:557
#33 0x0000000000cffbb4 in js::frontend::CompileError::throwError (cx=<optimized out>, this=<optimized out>) at js/src/frontend/TokenStream.cpp:586
#34 js::frontend::TokenStream::reportCompileErrorNumberVA (this=0x7fffffffbee0, offset=<optimized out>, flags=<optimized out>, errorNumber=<optimized out>, args=<optimized out>) at js/src/frontend/TokenStream.cpp:699
#35 0x00000000004a7eec in js::frontend::Parser<js::frontend::FullParseHandler>::report (this=this@entry=0x7fffffffbeb0, kind=kind@entry=js::frontend::ParseError, strict=strict@entry=false, pn=pn@entry=0x0, errorNumber=errorNumber@entry=140) at js/src/frontend/Parser.cpp:587
#36 0x00000000004d5147 in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=this@entry=0x7fffffffbeb0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:6643
#37 0x00000000004d615c in js::frontend::Parser<js::frontend::FullParseHandler>::consequentOrAlternative (this=this@entry=0x7fffffffbeb0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:4933
#38 0x00000000004d639a in js::frontend::Parser<js::frontend::FullParseHandler>::ifStatement (this=this@entry=0x7fffffffbeb0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:4962
#39 0x00000000004d6aab in js::frontend::Parser<js::frontend::FullParseHandler>::statementListItem (this=this@entry=0x7fffffffbeb0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:6806
#40 0x00000000004d6d7d in js::frontend::Parser<js::frontend::FullParseHandler>::statementList (this=this@entry=0x7fffffffbeb0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3633
#41 0x00000000004a51ca in js::frontend::Parser<js::frontend::FullParseHandler>::globalBody (this=0x7fffffffbeb0, globalsc=globalsc@entry=0x7fffffffb810) at js/src/frontend/Parser.cpp:1885
#42 0x0000000000cdaa5c in BytecodeCompiler::compileScript (this=this@entry=0x7fffffffb860, environment=..., environment@entry=..., sc=sc@entry=0x7fffffffb810) at js/src/frontend/BytecodeCompiler.cpp:335
#43 0x0000000000cdb3b8 in BytecodeCompiler::compileGlobalScript (scopeKind=<optimized out>, this=0x7fffffffb860) at js/src/frontend/BytecodeCompiler.cpp:376
#44 js::frontend::CompileGlobalScript (cx=cx@entry=0x7ffff695f000, alloc=..., scopeKind=scopeKind@entry=js::ScopeKind::Global, options=..., srcBuf=..., extraSct=extraSct@entry=0x0, sourceObjectOut=0x0) at js/src/frontend/BytecodeCompiler.cpp:568
#45 0x00000000008bcb41 in Compile (cx=0x7ffff695f000, options=..., scopeKind=scopeKind@entry=js::ScopeKind::Global, srcBuf=..., script=...) at js/src/jsapi.cpp:3899
#46 0x00000000008bccd6 in Compile (script=..., length=78926592, chars=0x7ffff6971380 u"\n  if(month == 4) return day-119-leap;\n", scopeKind=js::ScopeKind::Global, options=..., cx=0x7ffff695f000) at js/src/jsapi.cpp:3908
#47 JS::Compile (cx=cx@entry=0x7ffff695f000, options=..., chars=chars@entry=0x7ffff6971380 u"\n  if(month == 4) return day-119-leap;\n", length=length@entry=39, script=..., script@entry=...) at js/src/jsapi.cpp:3967
#48 0x0000000000457cd9 in Evaluate (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=0x7fffffffcdb8) at js/src/shell/js.cpp:1637
#49 0x0000000000aef2f9 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0x457370 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[..]
#80 0x0000000000000000 in ?? ()
rax	0xbadfffe8	3135242216
rbx	0x7ffff691e0c0	140737330143424
rcx	0x2	2
rdx	0x0	0
rsi	0x0	0
rdi	0xbad0bad1	3134241489
rbp	0x7fffffff9540	140737488328000
rsp	0x7fffffff9540	140737488328000
r8	0x7ffff6914e50	140737330105936
r9	0x0	0
r10	0xb	11
r11	0x246	582
r12	0x7fffffff9788	140737488328584
r13	0x7ffff03f8d30	140737224084784
r14	0x7ffff691e0c8	140737330143432
r15	0x7fffffff9630	140737488328240
rip	0x4f1a98 <js::gc::TenuredCell::arena() const+24>
=> 0x4f1a98 <js::gc::TenuredCell::arena() const+24>:	mov    (%rax),%eax
   0x4f1a9a <js::gc::TenuredCell::arena() const+26>:	lea    -0x1(%rax),%edx


Pointer looks poisoned and the test involves GC, marking s-s.
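A triage check on the register dump above, added here as an example and not part of the original report or of SpiderMonkey's own code. `IsInsideNursery()` does not validate the `Cell*` it is given; it masks the pointer down to its 1 MiB chunk and reads the `ChunkLocation` word from the chunk trailer. The constants below (chunk size, trailer layout, 8-byte cell alignment) are written from memory of the 2016-era `js/public/HeapAPI.h` and `js/src/gc/Heap.h`, so treat them as an assumption; the point of the program is that they reproduce the faulting operand exactly from the `cell=` argument, which is what lets you conclude the pointer was already poisoned before it reached the nursery check rather than corrupted inside it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * SpiderMonkey heap-layout constants for x86_64 (js/public/HeapAPI.h and
 * js/src/gc/Heap.h of the 2016 tree). Assumed from memory, not taken from the
 * page; main() checks that they reproduce the register dump in the report.
 */
#define CHUNK_SHIFT            20u
#define CHUNK_SIZE             ((uintptr_t)1 << CHUNK_SHIFT)   /* 1 MiB GC chunk */
#define CHUNK_MASK             (CHUNK_SIZE - 1)
/* ChunkTrailer { uint32 location; uint32 padding; StoreBuffer*; JSRuntime* }
 * sits at the very end of each chunk; IsInsideNursery() reads its first field. */
#define CHUNK_LOCATION_OFFSET  (CHUNK_SIZE - 2 * 8 - 8)         /* 0xfffe8 on 64-bit */
#define CELL_ALIGN_MASK        ((uintptr_t)7)                    /* Cells are 8-byte aligned */

/* Address that IsInsideNursery(cell) dereferences: the ChunkLocation word in
 * the trailer of the chunk that would contain `cell`. Nothing checks that the
 * pointer is inside a real chunk, so a garbage value yields a wild read. */
uintptr_t chunk_location_addr(uintptr_t cell)
{
    return (cell & ~CHUNK_MASK) | CHUNK_LOCATION_OFFSET;
}

/* A live Cell* is non-null and 8-byte aligned. A repeating poison pattern
 * such as 0xbad0bad1 is odd, so it cannot be a real cell address. */
bool is_plausible_cell_ptr(uintptr_t cell)
{
    return cell != 0 && (cell & CELL_ALIGN_MASK) == 0;
}

/* Does the faulting memory operand equal what IsInsideNursery() computes from
 * its cell= argument? If yes, the SIGSEGV is fully explained by a bad Cell*
 * handed in by the caller (frames #4/#5, JSObject::zoneFromAnyThread called
 * from ParseTask::trace), not by corruption inside the nursery check. */
bool fault_explained_by_cell(uintptr_t cell, uintptr_t fault_operand)
{
    return chunk_location_addr(cell) == fault_operand;
}

int main(void)
{
    /* Values copied from the gdb output in the report above. */
    const uintptr_t rdi_cell = 0xbad0bad1u;   /* cell= argument to IsInsideNursery */
    const uintptr_t rax_read = 0xbadfffe8u;   /* operand of the faulting mov (%rax),%eax */

    printf("cell=%#lx plausible_cell_ptr=%d\n",
           (unsigned long)rdi_cell, is_plausible_cell_ptr(rdi_cell));
    printf("trailer read=%#lx matches rax=%d\n",
           (unsigned long)chunk_location_addr(rdi_cell),
           fault_explained_by_cell(rdi_cell, rax_read));
    return fault_explained_by_cell(rdi_cell, rax_read) ? 0 : 1;
}
```

Two things fall out of running this against the dump. The computed trailer address equals `rax` (0xbadfffe8), so the crash site is exactly the unchecked chunk-trailer load, and the argument itself fails the alignment test, so the object pointer held by the ParseTask was already overwritten with a poison pattern by the time the compacting GC (frames #9-#10) traced it. That is the same conclusion the reporter draws in one line, with the arithmetic made explicit so it can be re-run on other crashes with the same signature.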
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Mark 51 fixed as bug 1301496 is fixed.
Group: javascript-core-security