Closed Bug 1311060 Opened 9 years ago Closed 9 years ago

Assertion failure: CurrentThreadCanAccessZone(zone), at js/src/gc/Heap.h:1264 with schedulegc and worker

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox49 --- wontfix
firefox-esr45 --- wontfix
firefox50 - wontfix
firefox51 + verified
firefox52 + verified
firefox53 --- verified

People

(Reporter: decoder, Unassigned)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update][post-critsmash-triage][adv-main51-])

Attachments

(1 file)

bug1311060-schedule-gc
2.53 KB, patch
bbouvier
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision dc89484d4b45 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off): evalInWorker(` (new WeakMap).set(class of extends schedulegc("s1") {}.prototype, this); `); Backtrace: received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7ffff01ff700 (LWP 2541)] 0x00000000004f4278 in js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1264 #0 0x00000000004f4278 in js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1264 #1 0x0000000000ca8957 in ScheduleGC (cx=cx@entry=0x7ffff032c000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:776 #2 0x0000000000b1dc31 in js::CallJSNative (cx=cx@entry=0x7ffff032c000, native=0xca87f0 <ScheduleGC(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239 #3 0x0000000000b18eb3 in js::InternalCallOrConstruct (cx=0x7ffff032c000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:458 #4 0x0000000000b0c82e in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:509 #5 Interpret (cx=0x7ffff032c000, state=...) at js/src/vm/Interpreter.cpp:2922 #6 0x0000000000b18c7d in js::RunScript (cx=cx@entry=0x7ffff032c000, state=...) at js/src/vm/Interpreter.cpp:404 #7 0x0000000000b1b3a8 in js::ExecuteKernel (cx=cx@entry=0x7ffff032c000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7ffff01fed70) at js/src/vm/Interpreter.cpp:685 #8 0x0000000000b1b768 in js::Execute (cx=cx@entry=0x7ffff032c000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x7ffff01fed70) at js/src/vm/Interpreter.cpp:718 #9 0x00000000008e36ca in ExecuteScript (cx=cx@entry=0x7ffff032c000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x7ffff01fed70) at js/src/jsapi.cpp:4307 #10 0x00000000008f108b in JS_ExecuteScript (cx=cx@entry=0x7ffff032c000, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4333 #11 0x00000000004612fd in WorkerMain (arg=0x7ffff022fdc0) at js/src/shell/js.cpp:3332 #12 0x00000000004632b2 in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::callMain<0ul> (this=0x7ffff69201b0) at js/src/threading/Thread.h:234 #13 js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start (aPack=0x7ffff69201b0) at js/src/threading/Thread.h:227 #14 0x00007ffff7bc16fa in start_thread (arg=0x7ffff01ff700) at pthread_create.c:333 #15 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109 rax 0x0 0 rbx 0x7ffff691f000 140737330147328 rcx 0x7ffff6c28a2d 140737333332525 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7ffff01fe270 140737222009456 rsp 0x7ffff01fe260 140737222009440 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff01ff700 140737222014720 r10 0x58 88 r11 0x7ffff6b9f750 140737332770640 r12 0x7ffff032c000 140737223245824 r13 0x0 0 r14 0x7ffff01fe300 140737222009600 r15 0x7ffff69b70c0 140737330770112 rip 0x4f4278 <js::gc::TenuredCell::zone() const+344> => 0x4f4278 <js::gc::TenuredCell::zone() const+344>: movl $0x0,0x0 0x4f4283 <js::gc::TenuredCell::zone() const+355>: ud2 GC related, not sure if this is a shell-only problem. Hiding until investigated further.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151009082747" and the hash "9d24051f444950cf6ea524989df43307647ac264". The "bad" changeset has the timestamp "20151009093836" and the hash "a67bbdf269fd2661280ab7421e9b601cab409422". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9d24051f444950cf6ea524989df43307647ac264&tochange=a67bbdf269fd2661280ab7421e9b601cab409422
Jason: you reviewed the likely regressor. We're guessing this isn't good but could you take a look and let us know.
Blocks: 1105463
Flags: needinfo?(jorendorff)
Keywords: sec-high
Track 51+/52+ as sec-high.
tracking-firefox51: ?+
tracking-firefox52: ?+
This is not the same as bug 1328251. It's a shell problem because we assume we can access the zone of a string in the ScheduleGC function. We can't always do this - in this ScheduleGC is called on a worker and the string is in the parent runtime's atom's zone.
If this is just a problem with the shell, I'm going to change this to sec-other.
Keywords: sec-highsec-other
Patch to check we can access the string's zone before using it and add some error checking and reporting around schedulegc.
Assignee: nobody → jcoppeard
Attachment #8825051 - Flags: review?(bbouvier)
Comment on attachment 8825051 [details] [diff] [review] bug1311060-schedule-gc Review of attachment 8825051 [details] [diff] [review]: ----------------------------------------------------------------- Looks good to me, thanks. ::: js/src/builtin/TestingFunctions.cpp @@ +786,5 @@ > PrepareZoneForGC(zone); > } else if (args[0].isString()) { > /* This allows us to schedule the atoms zone for GC. */ > + Zone* zone = args[0].toString()->zoneFromAnyThread(); > + if (!CurrentThreadCanAccessZone(zone)) { Could this also happen for an object argument (branch above)? ::: js/src/jit-test/tests/gc/bug-1311060.js @@ +1,1 @@ > +evalInWorker(`schedulegc("s1");`); Does this need a typeof evalInWorked !== 'undefined'?
Attachment #8825051 - Flags: review?(bbouvier) → review+
(In reply to Benjamin Bouvier [:bbouvier] from comment #7) > Could this also happen for an object argument (branch above)? I don't think this is possible because we don't expose objects in the self-hosting compartment to scripts. At least, I pretty sure we don't. > ::: js/src/jit-test/tests/gc/bug-1311060.js > @@ +1,1 @@ > > +evalInWorker(`schedulegc("s1");`); > > Does this need a typeof evalInWorked !== 'undefined'? It seems this is always defined for jit-tests. Thanks for the quick review!
Group: javascript-core-security → core-security-release
Whiteboard: [jsbugmon:update] → [jsbugmon:update][post-critsmash-triage]
Whiteboard: [jsbugmon:update][post-critsmash-triage] → [jsbugmon:update][post-critsmash-triage][adv-main51-]
JSBugMon: This bug has been automatically verified fixed. JSBugMon: This bug has been automatically verified fixed on Fx51 JSBugMon: This bug has been automatically verified fixed on Fx52
Group: core-security-release
Assignee: jcoppeard → nobody
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: