Closed Bug 1337414 Opened 3 years ago Closed 3 years ago

Crash [@ js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM] or Assertion failure: CurrentThreadCanAccessZone(zone), at vm/TypeInference.cpp:4536

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla54
Tracking Status
firefox-esr45 --- unaffected
firefox51 --- wontfix
firefox52 --- wontfix
firefox-esr52 --- wontfix
firefox53 --- wontfix
firefox54 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [jsbugmon:ignore])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 20a8536b0bfa (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var lfLogBuffer = `
gczeal(15,10);
try {
    a = []
    gczeal(2, 2)()
} catch (e) {}
a.every(function() {})
//corefuzz-dcd-endofdata
//corefuzz-dcd-selectmode 5
`;
lfLogBuffer = lfLogBuffer.split('\n');
lfPreamble = `
`;
var lfCodeBuffer = "";
var lfRunTypeLimit = 7;
var lfOffThreadGlobal = newGlobal();
try {} catch (lfVare5) {}
var lfAccumulatedCode = lfPreamble;
while (true) {
    var line = lfLogBuffer.shift();
    if (line == null) {
        break;
    } else if (line == "//corefuzz-dcd-endofdata") {
        loadFile(lfCodeBuffer);
    } else if (line.indexOf("//corefuzz-dcd-selectmode ") === 0) {
        loadFile(line);
    } else {
        lfCodeBuffer += line + "\n";
    }
}
if (lfCodeBuffer) loadFile(lfCodeBuffer);
function loadFile(lfVarx) {
    try {
        if (lfVarx.indexOf("//corefuzz-dcd-selectmode ") === 0) {
            lfRunTypeId = parseInt(lfVarx.split(" ")[1]) % lfRunTypeLimit;
        } else {
            switch (lfRunTypeId) {
                case 5:
                    evalInWorker(lfAccumulatedCode);
                    evaluate(lfVarx);
            }
        }
    } catch (lfVare) {
        lfAccumulatedCode += "try { evaluate(`\n" + lfVarx + "\n`); } catch(exc) {}\n";
    }
}


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM (zone=0x7fb26f91d000, this=0x7fb2692fc428) at js/src/vm/TypeInference.cpp:4576
#1  mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>::emplace<JS::Zone*&> (this=0x7fb2692fc420) at dist/include/mozilla/Maybe.h:461
#2  EnsureHasAutoClearTypeInferenceStateOnOOM (oom=@0x7fb2692fc408: 0x0, zone=0x7fb26f91d000, fallback=...) at js/src/vm/TypeInference.cpp:4285
#3  0x00000000009cae2a in js::ObjectGroup::sweep (this=this@entry=0x7fb269629250, oom=oom@entry=0x0) at js/src/vm/TypeInference.cpp:4308
#4  0x0000000000b1411d in js::ObjectGroup::maybeSweep (this=this@entry=0x7fb269629250, oom=0x0) at js/src/vm/ObjectGroup-inl.h:26
#5  0x0000000000b1c37b in js::ObjectGroup::flags (this=0x7fb269629250) at js/src/vm/ObjectGroup-inl.h:32
#6  js::ObjectGroup::basePropertyCount (this=0x7fb269629250) at js/src/vm/TypeInference-inl.h:1058
#7  js::ObjectGroup::getPropertyCount (this=0x7fb269629250) at js/src/vm/TypeInference-inl.h:1134
#8  js::ObjectGroup::traceChildren (this=0x7fb269629250, trc=0x7fb2692fc5b8) at js/src/gc/Marking.cpp:1402
#9  0x0000000000b3a288 in js::TraceChildren (kind=<optimized out>, thing=0x7fb269629250, trc=0x7fb2692fc5b8) at js/src/gc/Tracer.cpp:126
#10 JS::TraceChildren (trc=trc@entry=0x7fb2692fc5b8, thing=...) at js/src/gc/Tracer.cpp:111
#11 0x0000000000b3a33f in CheckHeapTracer::check (this=this@entry=0x7fb2692fc5b0, lock=...) at js/src/gc/Verifier.cpp:549
#12 0x0000000000b3a4e0 in js::gc::CheckHeapAfterGC (rt=<optimized out>) at js/src/gc/Verifier.cpp:570
#13 0x00000000008362fc in js::gc::GCRuntime::collect (this=this@entry=0x7fb2694ed3c0, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=<optimized out>, reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6396
#14 0x00000000008363cb in js::gc::GCRuntime::gc (this=0x7fb2694ed3c0, gckind=<optimized out>, reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6426
#15 0x0000000000836837 in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7fb2694ed3c0) at js/src/jsgc.cpp:6843
#16 0x0000000000aad920 in js::gc::GCRuntime::gcIfNeededPerAllocation (cx=0x7fb26f93a800, this=0x7fb2694ed3c0) at js/src/gc/Allocator.cpp:230
#17 js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0x7fb2694ed3c0, cx=0x7fb26f93a800, kind=<optimized out>) at js/src/gc/Allocator.cpp:191
#18 0x0000000000aae336 in js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0x7fb26f93a800, kind=js::gc::AllocKind::FUNCTION_EXTENDED, nDynamicSlots=0, heap=heap@entry=js::gc::TenuredHeap, clasp=clasp@entry=0x1b752a0 <JSFunction::class_>) at js/src/gc/Allocator.cpp:51
#19 0x000000000083eb17 in JSObject::create (cx=cx@entry=0x7fb26f93a800, kind=kind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, heap=heap@entry=js::gc::TenuredHeap, shape=..., shape@entry=..., group=..., group@entry=...) at js/src/jsobjinlines.h:376
#20 0x000000000082080b in NewObject (cx=cx@entry=0x7fb26f93a800, group=..., group@entry=..., kind=kind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, newKind=newKind@entry=js::SingletonObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/jsobj.cpp:650
#21 0x000000000082138d in js::NewObjectWithClassProtoCommon (cx=0x7fb26f93a800, clasp=0x1b752a0 <JSFunction::class_>, allocKind=allocKind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, newKind=js::SingletonObject, protoArg=...) at js/src/jsobj.cpp:767
#22 0x00000000008214fa in js::NewObjectWithClassProtoCommon (cx=cx@entry=0x7fb26f93a800, clasp=clasp@entry=0x1b752a0 <JSFunction::class_>, protoArg=..., protoArg@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, newKind=<optimized out>) at js/src/jsobj.cpp:780
#23 0x00000000007ef8fe in js::NewObjectWithClassProto (newKind=<optimized out>, allocKind=js::gc::AllocKind::FUNCTION_EXTENDED, proto=..., clasp=0x1b752a0 <JSFunction::class_>, cx=0x7fb26f93a800) at js/src/jsobjinlines.h:708
#24 NewFunctionClone (cx=cx@entry=0x7fb26f93a800, fun=..., fun@entry=..., newKind=newKind@entry=js::SingletonObject, allocKind=allocKind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, proto=...) at js/src/jsfun.cpp:1974
#25 0x00000000007f326e in js::CloneFunctionAndScript (cx=cx@entry=0x7fb26f93a800, fun=fun@entry=..., enclosingEnv=..., enclosingEnv@entry=..., newScope=..., newScope@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, proto=..., proto@entry=...) at js/src/jsfun.cpp:2049
#26 0x00000000009953e0 in CloneObject (cx=cx@entry=0x7fb26f93a800, selfHostedObject=..., selfHostedObject@entry=...) at js/src/vm/SelfHosting.cpp:3096
#27 0x0000000000995b72 in CloneValue (cx=cx@entry=0x7fb26f93a800, selfHostedValue=..., selfHostedValue@entry=..., vp=..., vp@entry=...) at js/src/vm/SelfHosting.cpp:3144
#28 0x0000000000995cf4 in JSRuntime::cloneSelfHostedValue (this=0x7fb2694ed000, cx=0x7fb26f93a800, name=..., vp=...) at js/src/vm/SelfHosting.cpp:3272
#29 0x00000000004d7ae2 in js::GlobalObject::getIntrinsicValue (value=..., name=..., global=..., cx=<optimized out>) at js/src/vm/GlobalObject.h:713
#30 js::GetIntrinsicOperation (vp=..., pc=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter-inl.h:236
#31 Interpret (cx=0x7fb26f93a800, state=...) at js/src/vm/Interpreter.cpp:3123
#32 0x00000000004d9e86 in js::RunScript (cx=cx@entry=0x7fb26f93a800, state=...) at js/src/vm/Interpreter.cpp:406
#33 0x00000000004da420 in js::InternalCallOrConstruct (cx=0x7fb26f93a800, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:478
#34 0x00000000004cc291 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:511
#35 Interpret (cx=0x7fb26f93a800, state=...) at js/src/vm/Interpreter.cpp:2957
#36 0x00000000004d9e86 in js::RunScript (cx=cx@entry=0x7fb26f93a800, state=...) at js/src/vm/Interpreter.cpp:406
#37 0x00000000004dc56d in js::ExecuteKernel (result=0x7fb269393098, evalInFrame=..., newTargetValue=..., envChainArg=..., script=..., cx=0x7fb26f93a800) at js/src/vm/Interpreter.cpp:687
#38 js::Execute (cx=cx@entry=0x7fb26f93a800, script=script@entry=..., envChainArg=..., rval=rval@entry=0x7fb269393098) at js/src/vm/Interpreter.cpp:720
#39 0x00000000007ac515 in ExecuteScript (cx=cx@entry=0x7fb26f93a800, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x7fb269393098) at js/src/jsapi.cpp:4440
#40 0x00000000007b3cd0 in JS_ExecuteScript (cx=cx@entry=0x7fb26f93a800, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4466
#41 0x000000000044ba1f in Evaluate (cx=0x7fb26f93a800, argc=<optimized out>, vp=0x7fb269393098) at js/src/shell/js.cpp:1812
#42 0x00000000004da376 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7fb26f93a800) at js/src/jscntxtinlines.h:281
[...]
#50 0x00000000007b3cd0 in JS_ExecuteScript (cx=cx@entry=0x7fb26f93a800, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4466
#51 0x00000000004518cc in WorkerMain (arg=0x7fb2693f5400) at js/src/shell/js.cpp:3443
[...]
#55 0x00007fb26fcaab5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x1ba43e0	28984288
rbx	0x7fb2692fc408	140404245644296
rcx	0xdf4a80	14633600
rdx	0x7fb26f926800	140404352772096
rsi	0x7fb26f91d000	140404352733184
rdi	0x7fb26f946000	140404352901120
rbp	0x7fb2692fc3b0	140404245644208
rsp	0x7fb2692fc380	140404245644160
r8	0x7fb2692fc508	140404245644552
r9	0x7d2c516e	2100056430
r10	0x602	1538
r11	0x7d2c516e	2100056430
r12	0x7fb2692fc428	140404245644328
r13	0x7fb2692fc420	140404245644320
r14	0x7fb269629250	140404248973904
r15	0x7fb269629250	140404248973904
rip	0x9be2f8 <EnsureHasAutoClearTypeInferenceStateOnOOM(js::AutoClearTypeInferenceStateOnOOM*&, JS::Zone*, mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>&)+184>
=> 0x9be2f8 <EnsureHasAutoClearTypeInferenceStateOnOOM(js::AutoClearTypeInferenceStateOnOOM*&, JS::Zone*, mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>&)+184>:	movl   $0x0,0x0
   0x9be303 <EnsureHasAutoClearTypeInferenceStateOnOOM(js::AutoClearTypeInferenceStateOnOOM*&, JS::Zone*, mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>&)+195>:	ud2    


I didn't try to reduce this testcase further. It is already intermittent in its current form and gets more intermittent the smaller I try to make it.
Needinfo from jonco. Jon, can you also check why it is so hard to get a testcase for this? The fuzzer hits this issue really often but reproducing and reducing seem to be very difficult.
Flags: needinfo?(jcoppeard)
This looks like the "cross-runtime edges while cloning self-hosted code" issue but with CheckHeapTracer this time.
Assignee: nobody → jcoppeard
also: sec-rating?
(In reply to Randell Jesup [:jesup] from comment #3)
> also: sec-rating?

From comment 2, this sounds like a bug in the verifier, so it can probably be unhidden.
Yes, we just need to stop CheckHeapTracer from tracing into things owned by another runtime.
Flags: needinfo?(jcoppeard)
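The fix described in the comment above, modelled as an added example that is not SpiderMonkey code: a heap-check tracer walks outgoing edges from a root, and before it reads anything from a cell it compares the cell's owning runtime with the runtime the tracer is checking. An edge into a cell owned by another runtime (here, the situation the report hits when self-hosted code is cloned into a worker) is counted and not followed. `Runtime`, `Cell`, `checkHeap` and the sample heap are hypothetical stand-ins constructed for this model; the real `JSRuntime`, `Zone` and `CheckHeapTracer` are far richer, and only the ownership check is illustrated. The `skipForeign` flag runs the same walk with and without that check so the two behaviours can be compared.

```cpp
// Added model (not SpiderMonkey code): a heap-check tracer that must not
// follow edges into GC cells owned by a different runtime.
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

// Hypothetical stand-ins for a runtime and a GC cell; only the ownership
// relation between them matters for this model.
struct Runtime {
    const char* name;
};

struct Cell {
    Runtime* owner;              // runtime (and therefore thread) that owns this cell
    std::vector<Cell*> children; // outgoing edges to other cells
};

struct TraceResult {
    std::set<const Cell*> visited;   // cells whose children were traced
    size_t foreignEdgesSkipped = 0;  // edges into another runtime that were not followed
    bool touchedForeignCell = false; // true if the tracer read a cell it does not own
};

// Models the precondition behind the reported assertion: a cell's data may only
// be read by the thread that owns the cell's runtime.
static bool canAccessFromRuntime(const Cell* cell, const Runtime* current) {
    return cell->owner == current;
}

static void traceCell(Cell* cell, Runtime* current, bool skipForeign, TraceResult& out) {
    if (!canAccessFromRuntime(cell, current)) {
        if (skipForeign) {
            // The fix: record the cross-runtime edge but never follow it, so the
            // other runtime's data is never read from this thread.
            out.foreignEdgesSkipped++;
            return;
        }
        // The bug: the tracer keeps going and reads state it has no right to.
        out.touchedForeignCell = true;
    }
    if (!out.visited.insert(cell).second)
        return; // already traced; also terminates cycles
    for (Cell* child : cell->children)
        traceCell(child, current, skipForeign, out);
}

TraceResult checkHeap(Cell* root, Runtime* current, bool skipForeign) {
    TraceResult out;
    traceCell(root, current, skipForeign, out);
    return out;
}

// Constructed sample heap: three cells owned by runtime "main"; the last of them
// points at a cell owned by runtime "worker" (the cross-runtime edge).
struct SampleHeap {
    Runtime a{"main"}, b{"worker"};
    Cell foreign{&b, {}};
    Cell c2{&a, {&foreign}};
    Cell c1{&a, {&c2}};
    Cell root{&a, {&c1, &c2}};
};

// True when the unfixed tracer reads the foreign cell.
bool buggyTracerTouchesForeignCell() {
    SampleHeap h;
    return checkHeap(&h.root, &h.a, /*skipForeign=*/false).touchedForeignCell;
}

// Number of cross-runtime edges the fixed tracer refused to follow.
size_t fixedTracerSkippedEdges() {
    SampleHeap h;
    return checkHeap(&h.root, &h.a, /*skipForeign=*/true).foreignEdgesSkipped;
}

// Number of own-runtime cells the fixed tracer still covered.
size_t fixedTracerVisitedCount() {
    SampleHeap h;
    return checkHeap(&h.root, &h.a, /*skipForeign=*/true).visited.size();
}

int main() {
    std::printf("buggy tracer touches foreign cell: %s\n",
                buggyTracerTouchesForeignCell() ? "yes" : "no");
    std::printf("fixed tracer skipped %zu foreign edge(s), visited %zu own cell(s)\n",
                fixedTracerSkippedEdges(), fixedTracerVisitedCount());
    return 0;
}
```

The point of keeping the ownership check ahead of the visited-set lookup is that even the bookkeeping on a foreign cell counts as touching it; the fixed walk still reaches every cell of its own runtime, so the verifier loses no coverage by skipping the edge.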
Attachment #8840054 - Flags: review?(jdemooij)
Comment on attachment 8840054 [details] [diff] [review]
bug1337414-check-heap-crash

Review of attachment 8840054 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/gc/Verifier.cpp
@@ +302,5 @@
>  
>  void
>  js::gc::AssertSafeToSkipBarrier(TenuredCell* thing)
>  {
> +    mozilla::DebugOnly<Zone*> zone = thing->zoneFromAnyThread();
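Review bot: the hunk stops immediately after the new `mozilla::DebugOnly<Zone*> zone = thing->zoneFromAnyThread();` declaration in js::gc::AssertSafeToSkipBarrier, so the assertion that consumes `zone` is not visible and the check itself cannot be reviewed from these lines; include the lines that use it. Because DebugOnly<T> carries no value in non-DEBUG builds, that consumer must read `zone` only inside MOZ_ASSERT (or under #ifdef DEBUG), which matters here since the reported configuration is an --enable-gczeal --disable-debug build.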

I was going to say wrap this in #ifdef DEBUG to be completely sure compilers don't emit any code for zoneFromAnyThread in opt builds, but this is gczeal-only so it doesn't matter.
Attachment #8840054 - Flags: review?(jdemooij) → review+
Unhiding as it's a bug in code that is not present in release builds.
Group: javascript-core-security
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f8c367bec5de
Don't trace into GC things owned by other runtimes in CheckHeapTracer r=jandem
https://hg.mozilla.org/mozilla-central/rev/f8c367bec5de
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54