Bug 1337414
Opened 7 years ago
Closed 7 years ago
Crash [@ js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM] or Assertion failure: CurrentThreadCanAccessZone(zone), at vm/TypeInference.cpp:4536
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
mozilla54
(Reporter: decoder, Assigned: jonco)
(5 keywords, Whiteboard: [jsbugmon:ignore])
Attachments
(1 file)
3.27 KB,
patch
jandem
review+
The following testcase crashes on mozilla-central revision 20a8536b0bfa (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off): var lfLogBuffer = ` gczeal(15,10); try { a = [] gczeal(2, 2)() } catch (e) {} a.every(function() {}) //corefuzz-dcd-endofdata //corefuzz-dcd-selectmode 5 `; lfLogBuffer = lfLogBuffer.split('\n'); lfPreamble = ` `; var lfCodeBuffer = ""; var lfRunTypeLimit = 7; var lfOffThreadGlobal = newGlobal(); try {} catch (lfVare5) {} var lfAccumulatedCode = lfPreamble; while (true) { var line = lfLogBuffer.shift(); if (line == null) { break; } else if (line == "//corefuzz-dcd-endofdata") { loadFile(lfCodeBuffer); } else if (line.indexOf("//corefuzz-dcd-selectmode ") === 0) { loadFile(line); } else { lfCodeBuffer += line + "\n"; } } if (lfCodeBuffer) loadFile(lfCodeBuffer); function loadFile(lfVarx) { try { if (lfVarx.indexOf("//corefuzz-dcd-selectmode ") === 0) { lfRunTypeId = parseInt(lfVarx.split(" ")[1]) % lfRunTypeLimit; } else { switch (lfRunTypeId) { case 5: evalInWorker(lfAccumulatedCode); evaluate(lfVarx); } } } catch (lfVare) { lfAccumulatedCode += "try { evaluate(`\n" + lfVarx + "\n`); } catch(exc) {}\n"; } } Backtrace: Program terminated with signal SIGSEGV, Segmentation fault. #0 js::AutoClearTypeInferenceStateOnOOM::AutoClearTypeInferenceStateOnOOM (zone=0x7fb26f91d000, this=0x7fb2692fc428) at js/src/vm/TypeInference.cpp:4576 #1 mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>::emplace<JS::Zone*&> (this=0x7fb2692fc420) at dist/include/mozilla/Maybe.h:461 #2 EnsureHasAutoClearTypeInferenceStateOnOOM (oom=@0x7fb2692fc408: 0x0, zone=0x7fb26f91d000, fallback=...) 
at js/src/vm/TypeInference.cpp:4285 #3 0x00000000009cae2a in js::ObjectGroup::sweep (this=this@entry=0x7fb269629250, oom=oom@entry=0x0) at js/src/vm/TypeInference.cpp:4308 #4 0x0000000000b1411d in js::ObjectGroup::maybeSweep (this=this@entry=0x7fb269629250, oom=0x0) at js/src/vm/ObjectGroup-inl.h:26 #5 0x0000000000b1c37b in js::ObjectGroup::flags (this=0x7fb269629250) at js/src/vm/ObjectGroup-inl.h:32 #6 js::ObjectGroup::basePropertyCount (this=0x7fb269629250) at js/src/vm/TypeInference-inl.h:1058 #7 js::ObjectGroup::getPropertyCount (this=0x7fb269629250) at js/src/vm/TypeInference-inl.h:1134 #8 js::ObjectGroup::traceChildren (this=0x7fb269629250, trc=0x7fb2692fc5b8) at js/src/gc/Marking.cpp:1402 #9 0x0000000000b3a288 in js::TraceChildren (kind=<optimized out>, thing=0x7fb269629250, trc=0x7fb2692fc5b8) at js/src/gc/Tracer.cpp:126 #10 JS::TraceChildren (trc=trc@entry=0x7fb2692fc5b8, thing=...) at js/src/gc/Tracer.cpp:111 #11 0x0000000000b3a33f in CheckHeapTracer::check (this=this@entry=0x7fb2692fc5b0, lock=...) 
at js/src/gc/Verifier.cpp:549 #12 0x0000000000b3a4e0 in js::gc::CheckHeapAfterGC (rt=<optimized out>) at js/src/gc/Verifier.cpp:570 #13 0x00000000008362fc in js::gc::GCRuntime::collect (this=this@entry=0x7fb2694ed3c0, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=<optimized out>, reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6396 #14 0x00000000008363cb in js::gc::GCRuntime::gc (this=0x7fb2694ed3c0, gckind=<optimized out>, reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6426 #15 0x0000000000836837 in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7fb2694ed3c0) at js/src/jsgc.cpp:6843 #16 0x0000000000aad920 in js::gc::GCRuntime::gcIfNeededPerAllocation (cx=0x7fb26f93a800, this=0x7fb2694ed3c0) at js/src/gc/Allocator.cpp:230 #17 js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0x7fb2694ed3c0, cx=0x7fb26f93a800, kind=<optimized out>) at js/src/gc/Allocator.cpp:191 #18 0x0000000000aae336 in js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0x7fb26f93a800, kind=js::gc::AllocKind::FUNCTION_EXTENDED, nDynamicSlots=0, heap=heap@entry=js::gc::TenuredHeap, clasp=clasp@entry=0x1b752a0 <JSFunction::class_>) at js/src/gc/Allocator.cpp:51 #19 0x000000000083eb17 in JSObject::create (cx=cx@entry=0x7fb26f93a800, kind=kind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, heap=heap@entry=js::gc::TenuredHeap, shape=..., shape@entry=..., group=..., group@entry=...) at js/src/jsobjinlines.h:376 #20 0x000000000082080b in NewObject (cx=cx@entry=0x7fb26f93a800, group=..., group@entry=..., kind=kind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, newKind=newKind@entry=js::SingletonObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/jsobj.cpp:650 #21 0x000000000082138d in js::NewObjectWithClassProtoCommon (cx=0x7fb26f93a800, clasp=0x1b752a0 <JSFunction::class_>, allocKind=allocKind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, newKind=js::SingletonObject, protoArg=...) 
at js/src/jsobj.cpp:767 #22 0x00000000008214fa in js::NewObjectWithClassProtoCommon (cx=cx@entry=0x7fb26f93a800, clasp=clasp@entry=0x1b752a0 <JSFunction::class_>, protoArg=..., protoArg@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, newKind=<optimized out>) at js/src/jsobj.cpp:780 #23 0x00000000007ef8fe in js::NewObjectWithClassProto (newKind=<optimized out>, allocKind=js::gc::AllocKind::FUNCTION_EXTENDED, proto=..., clasp=0x1b752a0 <JSFunction::class_>, cx=0x7fb26f93a800) at js/src/jsobjinlines.h:708 #24 NewFunctionClone (cx=cx@entry=0x7fb26f93a800, fun=..., fun@entry=..., newKind=newKind@entry=js::SingletonObject, allocKind=allocKind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, proto=...) at js/src/jsfun.cpp:1974 #25 0x00000000007f326e in js::CloneFunctionAndScript (cx=cx@entry=0x7fb26f93a800, fun=fun@entry=..., enclosingEnv=..., enclosingEnv@entry=..., newScope=..., newScope@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, proto=..., proto@entry=...) at js/src/jsfun.cpp:2049 #26 0x00000000009953e0 in CloneObject (cx=cx@entry=0x7fb26f93a800, selfHostedObject=..., selfHostedObject@entry=...) at js/src/vm/SelfHosting.cpp:3096 #27 0x0000000000995b72 in CloneValue (cx=cx@entry=0x7fb26f93a800, selfHostedValue=..., selfHostedValue@entry=..., vp=..., vp@entry=...) at js/src/vm/SelfHosting.cpp:3144 #28 0x0000000000995cf4 in JSRuntime::cloneSelfHostedValue (this=0x7fb2694ed000, cx=0x7fb26f93a800, name=..., vp=...) at js/src/vm/SelfHosting.cpp:3272 #29 0x00000000004d7ae2 in js::GlobalObject::getIntrinsicValue (value=..., name=..., global=..., cx=<optimized out>) at js/src/vm/GlobalObject.h:713 #30 js::GetIntrinsicOperation (vp=..., pc=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter-inl.h:236 #31 Interpret (cx=0x7fb26f93a800, state=...) at js/src/vm/Interpreter.cpp:3123 #32 0x00000000004d9e86 in js::RunScript (cx=cx@entry=0x7fb26f93a800, state=...) 
at js/src/vm/Interpreter.cpp:406 #33 0x00000000004da420 in js::InternalCallOrConstruct (cx=0x7fb26f93a800, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:478 #34 0x00000000004cc291 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:511 #35 Interpret (cx=0x7fb26f93a800, state=...) at js/src/vm/Interpreter.cpp:2957 #36 0x00000000004d9e86 in js::RunScript (cx=cx@entry=0x7fb26f93a800, state=...) at js/src/vm/Interpreter.cpp:406 #37 0x00000000004dc56d in js::ExecuteKernel (result=0x7fb269393098, evalInFrame=..., newTargetValue=..., envChainArg=..., script=..., cx=0x7fb26f93a800) at js/src/vm/Interpreter.cpp:687 #38 js::Execute (cx=cx@entry=0x7fb26f93a800, script=script@entry=..., envChainArg=..., rval=rval@entry=0x7fb269393098) at js/src/vm/Interpreter.cpp:720 #39 0x00000000007ac515 in ExecuteScript (cx=cx@entry=0x7fb26f93a800, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x7fb269393098) at js/src/jsapi.cpp:4440 #40 0x00000000007b3cd0 in JS_ExecuteScript (cx=cx@entry=0x7fb26f93a800, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4466 #41 0x000000000044ba1f in Evaluate (cx=0x7fb26f93a800, argc=<optimized out>, vp=0x7fb269393098) at js/src/shell/js.cpp:1812 #42 0x00000000004da376 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7fb26f93a800) at js/src/jscntxtinlines.h:281 [...] #50 0x00000000007b3cd0 in JS_ExecuteScript (cx=cx@entry=0x7fb26f93a800, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4466 #51 0x00000000004518cc in WorkerMain (arg=0x7fb2693f5400) at js/src/shell/js.cpp:3443 [...] 
#55 0x00007fb26fcaab5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109 rax 0x1ba43e0 28984288 rbx 0x7fb2692fc408 140404245644296 rcx 0xdf4a80 14633600 rdx 0x7fb26f926800 140404352772096 rsi 0x7fb26f91d000 140404352733184 rdi 0x7fb26f946000 140404352901120 rbp 0x7fb2692fc3b0 140404245644208 rsp 0x7fb2692fc380 140404245644160 r8 0x7fb2692fc508 140404245644552 r9 0x7d2c516e 2100056430 r10 0x602 1538 r11 0x7d2c516e 2100056430 r12 0x7fb2692fc428 140404245644328 r13 0x7fb2692fc420 140404245644320 r14 0x7fb269629250 140404248973904 r15 0x7fb269629250 140404248973904 rip 0x9be2f8 <EnsureHasAutoClearTypeInferenceStateOnOOM(js::AutoClearTypeInferenceStateOnOOM*&, JS::Zone*, mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>&)+184> => 0x9be2f8 <EnsureHasAutoClearTypeInferenceStateOnOOM(js::AutoClearTypeInferenceStateOnOOM*&, JS::Zone*, mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>&)+184>: movl $0x0,0x0 0x9be303 <EnsureHasAutoClearTypeInferenceStateOnOOM(js::AutoClearTypeInferenceStateOnOOM*&, JS::Zone*, mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>&)+195>: ud2 I didn't try to reduce this testcase further. It is already intermittent in its current form and gets more intermittent the smaller I try to make it.
Reporter
Comment 1•7 years ago
Needinfo from jonco. Jon, can you also check why it is so hard to get a reduced testcase for this? The fuzzer hits this issue really often, but reproducing it outside the fuzzer and reducing it both seem to be very difficult (see the end of comment 0: the testcase gets more intermittent the smaller it is made).
Flags: needinfo?(jcoppeard)
Comment 2•7 years ago
This looks like the "cross-runtime edges while cloning self-hosted code" issue but with CheckHeapTracer this time.
Assignee
Updated•7 years ago
Assignee: nobody → jcoppeard
Comment 3•7 years ago
also: sec-rating?
Comment 4•7 years ago
(In reply to Randell Jesup [:jesup] from comment #3) > also: sec-rating? From comment 2, this sounds like a bug in the heap verifier itself (CheckHeapTracer, which runs from CheckHeapAfterGC under gczeal — see frames #11/#12 in the backtrace) rather than in code that ships, so it can probably be unhidden.
Assignee
Comment 5•7 years ago
Yes, we just need to stop CheckHeapTracer from tracing into things owned by another runtime.
Flags: needinfo?(jcoppeard)
Attachment #8840054 -
Flags: review?(jdemooij)
Comment 6•7 years ago
Comment on attachment 8840054 [details] [diff] [review] bug1337414-check-heap-crash Review of attachment 8840054 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/gc/Verifier.cpp @@ +302,5 @@ > > void > js::gc::AssertSafeToSkipBarrier(TenuredCell* thing) > { > + mozilla::DebugOnly<Zone*> zone = thing->zoneFromAnyThread(); I was going to say wrap this in #ifdef DEBUG to be completely sure compilers don't emit any code for zoneFromAnyThread in opt builds, but this is gczeal-only so it doesn't matter.
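Review bot: The added line reads the zone through `zoneFromAnyThread()` without a comment saying why the usual current-thread access check is being bypassed at this point; from comment 5 this appears to be because the cell being checked may be owned by a different runtime, but that reasoning is not recorded in the code. A short comment above the line, such as `// The cell may belong to another runtime; read its zone without the current-thread check.`, would stop a later reader from "tidying" it back to `zone()` and reintroducing the CurrentThreadCanAccessZone assertion failure named in the bug summary. The body of js::gc::AssertSafeToSkipBarrier continues outside the quoted hunk, so what the zone is subsequently used for is not visible here.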
Attachment #8840054 -
Flags: review?(jdemooij) → review+
Assignee
Comment 7•7 years ago
Unhiding as it's a bug in gczeal-only heap-verification code (CheckHeapAfterGC / CheckHeapTracer) that is not compiled into release builds, so it is not reachable by web content.
Group: javascript-core-security
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/f8c367bec5de Don't trace into GC things owned by other runtimes in CheckHeapTracer r=jandem
Comment 9•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/f8c367bec5de
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Assignee
Comment 10•7 years ago
This was caused by bug 1272604.
Blocks: 1272604
status-firefox51:
--- → wontfix
status-firefox52:
--- → wontfix
status-firefox53:
--- → wontfix
status-firefox-esr45:
--- → unaffected
status-firefox-esr52:
--- → wontfix