Closed
Bug 1363229
Opened 9 years ago
Closed 9 years ago
Crash [@ js::gc::IsInsideNursery] with nukeCCW
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Assigned: jonco
Details: 5 keywords, Whiteboard: [jsbugmon:update,bisect][adv-main55-]
Attachments (1 file): 6.00 KB, patch
The following testcase crashes on mozilla-central revision 1fda52a1f3b8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):
evaluate(`
var g = newGlobal();
g.nukeCCW(() => {});
var fe="f";
try {
    for (i=0; i<25;)
        fe += fe;
} catch(ex) {
    Function("with ({}) {} var undef, o; for (let z in [1, 2]) { " + fe + " }");
}
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff5cfc700 (LWP 16017)]
0x00000000004ff318 in js::gc::IsInsideNursery (cell=0xfffe4b4b0fb003d0) at dist/include/js/HeapAPI.h:361
#0 0x00000000004ff318 in js::gc::IsInsideNursery (cell=0xfffe4b4b0fb003d0) at dist/include/js/HeapAPI.h:361
#1 js::gc::Cell::isTenured (this=0xfffe4b4b0fb003d0) at js/src/gc/Heap.h:251
#2 js::gc::TenuredCell::arena (this=0xfffe4b4b0fb003d0) at js/src/gc/Heap.h:1242
#3 0x0000000000df6eb3 in js::gc::TenuredCell::zoneFromAnyThread (this=<optimized out>) at js/src/gc/Heap.h:1271
#4 JSObject::zoneFromAnyThread (this=<optimized out>) at js/src/jsobj.h:308
#5 CheckIsMarkedThing<JSObject*> (thingp=0x7ffff5cfaed0) at js/src/gc/Marking.cpp:3073
#6 0x0000000000dfdc65 in IsAboutToBeFinalizedInternal<JSObject> (thingp=0x7ffff5cfaed0) at js/src/gc/Marking.cpp:3155
#7 0x0000000000e0faca in js::gc::IsAboutToBeFinalizedUnbarriered<JSObject*> (thingp=<optimized out>) at js/src/gc/Marking.cpp:3217
#8 0x0000000000976a88 in (anonymous namespace)::NeedsSweepUnbarrieredFunctor::operator()<JSObject*> (this=<synthetic pointer>, t=<optimized out>) at js/src/jscompartment.cpp:931
#9 js::CrossCompartmentKey::WrappedMatcher::match (this=<synthetic pointer>, obj=<optimized out>) at js/src/jscompartment.h:165
#10 mozilla::detail::VariantImplementation<unsigned char, 0ul, JSObject*, JSString*, mozilla::Tuple<js::NativeObject*, JSScript*>, mozilla::Tuple<js::NativeObject*, JSObject*, js::CrossCompartmentKey::DebuggerObjectKind> >::match<js::CrossCompartmentKey::applyToWrapped(F) [with F = (anonymous namespace)::NeedsSweepUnbarrieredFunctor; decltype (f(static_cast<JSObject**>(nullptr))) = bool]::WrappedMatcher&, mozilla::Variant<JSObject*, JSString*, mozilla::Tuple<js::NativeObject*, JSScript*>, mozilla::Tuple<js::NativeObject*, JSObject*, js::CrossCompartmentKey::DebuggerObjectKind> > > (aMatcher=<synthetic pointer>, aV=...) at dist/include/mozilla/Variant.h:266
#11 mozilla::Variant<JSObject*, JSString*, mozilla::Tuple<js::NativeObject*, JSScript*>, mozilla::Tuple<js::NativeObject*, JSObject*, js::CrossCompartmentKey::DebuggerObjectKind> >::match<js::CrossCompartmentKey::applyToWrapped(F) [with F = (anonymous namespace)::NeedsSweepUnbarrieredFunctor; decltype (f(static_cast<JSObject**>(nullptr))) = bool]::WrappedMatcher&> (aMatcher=<synthetic pointer>, this=0x7ffff5cfaed0) at dist/include/mozilla/Variant.h:625
#12 js::CrossCompartmentKey::applyToWrapped<(anonymous namespace)::NeedsSweepUnbarrieredFunctor> (this=0x7ffff5cfaed0, f=...) at js/src/jscompartment.h:170
#13 js::CrossCompartmentKey::needsSweep (this=0x7ffff5cfaed0) at js/src/jscompartment.cpp:945
#14 JS::StructGCPolicy<js::CrossCompartmentKey>::needsSweep (tp=0x7ffff5cfaed0) at dist/include/js/GCPolicyAPI.h:94
#15 JS::DefaultMapSweepPolicy<js::CrossCompartmentKey, js::detail::UnsafeBareReadBarriered<JS::Value> >::needsSweep (value=0x7ffff6985fe8, key=0x7ffff5cfaed0) at dist/include/js/GCHashTable.h:22
#16 js::GCRekeyableHashMap<js::CrossCompartmentKey, js::detail::UnsafeBareReadBarriered<JS::Value>, js::CrossCompartmentKey::Hasher, js::SystemAllocPolicy, JS::DefaultMapSweepPolicy<js::CrossCompartmentKey, js::detail::UnsafeBareReadBarriered<JS::Value> > >::sweep (this=<optimized out>) at dist/include/js/GCHashTable.h:122
#17 0x000000000099c680 in SweepCCWrappers (runtime=<optimized out>) at js/src/jsgc.cpp:4976
#18 0x0000000000b4cabf in js::GCParallelTask::runFromHelperThread (this=0x7fffffff9580, locked=...) at js/src/vm/HelperThreads.cpp:1236
#19 0x0000000000b5385c in js::HelperThread::handleGCParallelWorkload (this=this@entry=0x7ffff694ec80, locked=...) at js/src/vm/HelperThreads.cpp:1268
#20 0x0000000000b59f8a in js::HelperThread::threadLoop (this=this@entry=0x7ffff694ec80) at js/src/vm/HelperThreads.cpp:1960
#21 0x0000000000b5a100 in js::HelperThread::ThreadMain (arg=0x7ffff694ec80) at js/src/vm/HelperThreads.cpp:1490
#22 0x0000000000b62622 in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul> (this=0x7ffff691e0c0) at js/src/threading/Thread.h:234
#23 js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start (aPack=0x7ffff691e0c0) at js/src/threading/Thread.h:227
#24 0x00007ffff7bc16fa in start_thread (arg=0x7ffff5cfc700) at pthread_create.c:333
#25 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax 0xfffe4b4b0fbfffe8 -480164194549784
rbx 0x7ffff5cfaed0 140737317416656
rcx 0x0 0
rdx 0x0 0
rsi 0x7ffff5cfae90 140737317416592
rdi 0xfffe4b4b0fb003d0 -480164195597360
rbp 0x7ffff5cfae10 140737317416464
rsp 0x7ffff5cfae10 140737317416464
r8 0x0 0
r9 0x38 56
r10 0x0 0
r11 0x246 582
r12 0x7ffff695e000 140737330405376
r13 0x7ffff5cfaed0 140737317416656
r14 0xffffffffffffff 72057594037927935
r15 0x7ffff6985fc8 140737330569160
rip 0x4ff318 <js::gc::TenuredCell::arena() const+24>
=> 0x4ff318 <js::gc::TenuredCell::arena() const+24>: mov (%rax),%eax
0x4ff31a <js::gc::TenuredCell::arena() const+26>: lea -0x1(%rax),%edx
Marking s-s because this involves GC (nukeCCW) and the crash seems to be at a bad address.
Comment 1•9 years ago
May be fallout from bug 1360526, but also involves nukeCCW so may be related to bug 1357022.
Updated•9 years ago
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Comment 2•9 years ago
This is fallout from bug 1343261.
When we nuke a CCW it no longer keeps its target alive, but we still keep it in the map. When doing a zone GC we need to sweep CCW maps for non-collected zones in case any of them contain a nuked CCW for an object in a zone that we're sweeping and that object dies.
This involves an extra pass through the CCW map for non-collected zones, but fortunately we can optimise that with the hasDeadProxies flag.
I also slightly improved JSCompartment::traceIncomingCrossCompartmentEdgesForZoneGC.
Attachment #8867228 -
Flags: review?(sphink)
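As an added illustration of the failure mode comment 2 describes (this is a toy model written for this page, not code from the bug's patch or from SpiderMonkey; all names such as Zone, Obj, Wrapper, sweepCCWMaps and hasDeadProxies are hypothetical stand-ins), the C++ below models a zone GC that collects zone A but not zone B while B's wrapper map still holds a nuked wrapper for an object in A. Without sweeping the non-collected zone's map, the entry keeps a key to a reclaimed cell; with the extra pass, gated on hasDeadProxies, the entry is removed.

```cpp
// Toy model of cross-compartment wrapper (CCW) maps under a zone GC.
// NOT SpiderMonkey code: every name here is a hypothetical stand-in.
#include <cstddef>
#include <iterator>
#include <map>
#include <memory>
#include <set>
#include <vector>

struct Zone;

// A heap cell living in some zone.
struct Obj {
    Zone* zone = nullptr;
    bool marked = false;
    bool freed = false;   // set once the sweeper reclaims the cell
};

// A cross-compartment wrapper; a nuked one no longer keeps its target alive.
struct Wrapper {
    Obj* target = nullptr;
    bool nuked = false;
};

struct Zone {
    std::vector<std::unique_ptr<Obj>> objects;
    std::map<Obj*, Wrapper> ccws;   // keyed by wrapped target, like the CCW map
    std::set<Obj*> roots;
    bool hasDeadProxies = false;    // some wrapper in this zone has been nuked
    bool collected = false;         // is this zone part of the current zone GC?
};

Obj* alloc(Zone& z) {
    z.objects.push_back(std::make_unique<Obj>());
    z.objects.back()->zone = &z;
    return z.objects.back().get();
}

void wrap(Zone& from, Obj* target) {
    Wrapper w;
    w.target = target;
    from.ccws[target] = w;
}

void nuke(Zone& z, Obj* target) {
    z.ccws.at(target).nuked = true;
    z.hasDeadProxies = true;
}

// Mark phase: roots of collected zones, plus incoming edges from live
// (non-nuked) wrappers held by zones that are not being collected. Cells in
// non-collected zones are implicitly live and are never freed here.
void mark(const std::vector<Zone*>& zones) {
    for (Zone* z : zones)
        for (auto& o : z->objects) o->marked = false;
    for (Zone* z : zones) {
        if (z->collected) {
            for (Obj* r : z->roots) r->marked = true;
            continue;
        }
        for (auto& kv : z->ccws)
            if (!kv.second.nuked && kv.first->zone->collected) kv.first->marked = true;
    }
}

// Sweep phase: reclaim unmarked cells in collected zones only.
void sweepObjects(const std::vector<Zone*>& zones) {
    for (Zone* z : zones)
        if (z->collected)
            for (auto& o : z->objects)
                if (!o->marked) o->freed = true;
}

// Sweep the CCW maps. Old behaviour: only collected zones' maps. With the
// extra pass, non-collected zones are swept too, skipped when hasDeadProxies
// is clear because only nuked entries can have a dead key.
void sweepCCWMaps(const std::vector<Zone*>& zones, bool sweepNonCollectedZones) {
    for (Zone* z : zones) {
        if (!z->collected && !(sweepNonCollectedZones && z->hasDeadProxies)) continue;
        for (auto it = z->ccws.begin(); it != z->ccws.end();)
            it = it->first->freed ? z->ccws.erase(it) : std::next(it);
    }
}

// Entries whose key points at a reclaimed cell; the next sweep would
// dereference them, which is what the backtrace in comment 0 shows.
std::size_t danglingEntries(const std::vector<Zone*>& zones) {
    std::size_t n = 0;
    for (Zone* z : zones)
        for (auto& kv : z->ccws) n += kv.first->freed ? 1 : 0;
    return n;
}

// Scenario: zone B wraps an otherwise unrooted object in zone A, the wrapper
// is optionally nuked, then a zone GC collects A but not B.
std::size_t runScenario(bool nukeWrapper, bool sweepNonCollectedZones) {
    Zone a, b;
    Obj* target = alloc(a);
    wrap(b, target);
    if (nukeWrapper) nuke(b, target);
    a.collected = true;
    std::vector<Zone*> zones{&a, &b};
    mark(zones);
    sweepObjects(zones);
    sweepCCWMaps(zones, sweepNonCollectedZones);
    return danglingEntries(zones);
}
```

runScenario(true, false) leaves one dangling entry in B's map, runScenario(true, true) leaves none, and runScenario(false, false) leaves none because a live wrapper still marks its target during the zone GC.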
Updated•9 years ago
status-firefox53: --- → wontfix
status-firefox54: --- → affected
status-firefox-esr45: --- → wontfix
status-firefox-esr52: --- → affected
tracking-firefox54: --- → ?
tracking-firefox55: --- → ?
tracking-firefox-esr52: --- → ?
Comment 3•9 years ago
Comment on attachment 8867228 [details] [diff] [review]
bug1363229-sweep-incoming-ccws
Well this causes all sorts of failures on try. Cancelling review for now.
Attachment #8867228 -
Flags: review?(sphink)
Comment 5•9 years ago
The proposed change in bug 1357022 fixes this.
Comment 6•9 years ago
Moving to sec-other since nukeCCW is only present in the shell.
Updated•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Comment 8•8 years ago
Updating tracking flags to match bug 1357022.
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][adv-main55-]
Updated•8 years ago
Group: javascript-core-security