Crash in js::gcstats::Statistics::beginPhase at js/src/gc/Statistics.cpp:890

RESOLVED DUPLICATE of bug 1218900

People

(Reporter: kangyan91, Unassigned)

Tracking

Bug Flags: sec-bounty -
Firefox Tracking Flags: (Not tracked)

Description (Reporter)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586

Steps to reproduce:

The following testcase crashes on mozilla-central revision f8c5d91b1b3a.

I built firefox with: ./mach build

testcase.js:

(function() {
    for (var a = 0;
        "" + {
            __proto__: 'aaa'
        }; a++) {
        var a = stopTimingMutator();
        assertEq(-false, -0.0);
    }
})();


Actual results:

Program received signal SIGSEGV, Segmentation fault.
0x00000000009746c8 in js::gcstats::Statistics::beginPhase (this=this@entry=0x3070108, phase=phase@entry=js::gcstats::PHASE_MINOR_GC)
    at /firefox/js/src/gc/Statistics.cpp:890
    phaseNesting[phaseNestingDepth] = phase;

Backtrace:
#0  0x00000000009746c8 in js::gcstats::Statistics::beginPhase (this=this@entry=0x3070108, phase=phase@entry=js::gcstats::PHASE_MINOR_GC)
    at /firefox/js/src/gc/Statistics.cpp:890
#1  0x000000000121d990 in AutoPhase (phase=js::gcstats::PHASE_MINOR_GC, stats=..., this=<synthetic pointer>)
    at /firefox/js/src/gc/Statistics.h:262
#2  js::gc::GCRuntime::minorGC (this=this@entry=0x3069f70, cx=cx@entry=0x30b3150, reason=reason@entry=JS::gcreason::OUT_OF_NURSERY)
    at /firefox/js/src/jsgc.cpp:6494
#3  0x00000000012e0ec3 in minorGC (reason=JS::gcreason::OUT_OF_NURSERY, this=0x30b3150)
    at /firefox/js/src/jscntxt.h:558
#4  AllocateObjectForCacheHit<(js::AllowGC)1> (heap=js::gc::DefaultHeap, kind=<optimized out>, cx=0x30b3150)
    at /firefox/js/src/jsgcinlines.h:667
#5  newObjectFromHit<(js::AllowGC)1> (heap=js::gc::DefaultHeap, entry_=<optimized out>, cx=0x30b3150, this=<optimized out>)
    at /firefox/js/src/vm/Runtime-inl.h:67
#6  js::NewObjectWithClassProtoCommon (cxArg=0x30b3150, clasp=0x30323c0 <JSObject::class_>, protoArg=<optimized out>, 
    parentArg=<optimized out>, allocKind=<optimized out>, newKind=js::GenericObject)
    at /firefox/js/src/jsobj.cpp:1609
#7  0x00000000012e1055 in js::NewObjectWithClassProtoCommon (cxArg=cxArg@entry=0x30b3150, clasp=<optimized out>, 
    protoArg=protoArg@entry=0x0, parentArg=parentArg@entry=0x0, allocKind=<optimized out>, newKind=newKind@entry=js::GenericObject)
    at /firefox/js/src/jsobj.cpp:1644
#8  0x0000000000f6cbca in NewObjectWithClassProto (newKind=js::GenericObject, allocKind=<optimized out>, parent=0x0, proto=0x0, 
    clasp=<optimized out>, cx=0x30b3150) at /firefox/js/src/jsobjinlines.h:659
#9  NewBuiltinClassInstance (newKind=js::GenericObject, allocKind=<optimized out>, clasp=<optimized out>, cx=0x30b3150)
    at /firefox/js/src/jsobjinlines.h:690
#10 CopyInitializerObject (newKind=js::GenericObject, baseobj=..., cx=0x30b3150)
    at /firefox/js/src/vm/NativeObject-inl.h:382
#11 js::jit::NewInitObject (cx=0x30b3150, templateObject=...) at /firefox/js/src/jit/VMFunctions.cpp:291
#12 0x00007ffff5016254 in ?? ()
#13 0x00000000030b3150 in ?? ()
#14 0x00007fffffffcd08 in ?? ()
#15 0xfff8800000000001 in ?? ()
#16 0x000000000304c7c0 in js::jit::NewInitObjectWithClassPrototypeInfo ()
#17 0x00007fffc7f52880 in ?? ()
#18 0x00007ffff7fe6411 in ?? ()
#19 0x0000000000000500 in ?? ()
#20 0x00007fffc7f5d080 in ?? ()
#21 0xfff9000000000000 in ?? ()
#22 0x00007ffff4100000 in ?? ()
#23 0xfff9000000000000 in ?? ()
#24 0x8000000000000000 in ?? ()
#25 0x8000000000000000 in ?? ()
#26 0x0000000000000000 in ?? ()

register info:
rax            0xffffffffffff0011	-65519
rbx            0x3070108	50790664
rcx            0x7fffffffcbd0	140737488341968
rdx            0xa	10
rsi            0x2c	44
rdi            0x3070108	50790664
rbp            0x2c	0x2c
rsp            0x7fffffffcb00	0x7fffffffcb00
r8             0xfffffffe	4294967294
r9             0x1b	27
r10            0x1	1
r11            0x30a8220	51020320
r12            0x30323c0	50537408
r13            0x30b3150	51065168
r14            0x3070108	50790664
r15            0x30b3168	51065192
rip            0x9746c8	0x9746c8 <js::gcstats::Statistics::beginPhase(js::gcstats::Phase)+264>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

$pc info:
=> 0x9746c8 <js::gcstats::Statistics::beginPhase(js::gcstats::Phase)+264>:	mov    %ebp,0x7f8(%rbx,%rax,4)
   0x9746cf <js::gcstats::Statistics::beginPhase(js::gcstats::Phase)+271>:	add    $0x1,%rax
   0x9746d3 <js::gcstats::Statistics::beginPhase(js::gcstats::Phase)+275>:	mov    %rax,0x818(%rbx)
   0x9746da <js::gcstats::Statistics::beginPhase(js::gcstats::Phase)+282>:	callq  0x13fb010 <PRMJ_Now()>
   0x9746df <js::gcstats::Statistics::beginPhase(js::gcstats::Phase)+287>:	mov    %rax,0x388(%rbx,%rbp,8)
   0x9746e7 <js::gcstats::Statistics::beginPhase(js::gcstats::Phase)+295>:	add    $0x8,%rsp
   0x9746eb <js::gcstats::Statistics::beginPhase(js::gcstats::Phase)+299>:	pop    %rbx
   0x9746ec <js::gcstats::Statistics::beginPhase(js::gcstats::Phase)+300>:	pop    %rbp
   0x9746ed <js::gcstats::Statistics::beginPhase(js::gcstats::Phase)+301>:	retq   
   0x9746ee <js::gcstats::Statistics::beginPhase(js::gcstats::Phase)+302>:	xchg   %ax,%ax

I'm curious why you're testing on that old revision.
f8c5d91b1b3a was pushed 2014-12-01 and it's Firefox 37, which is no longer supported.

Also, the testcase just throws an error with today's central:
> Error: stopTimingMutator called when not timing the mutator
Group: javascript-core-security
Flags: sec-bounty?
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1218900
Group: javascript-core-security
Flags: sec-bounty? → sec-bounty-