Closed Bug 1363229 Opened 3 years ago Closed 3 years ago

Crash [@ js::gc::IsInsideNursery] with nukeCCW

Categories

(Core :: JavaScript Engine, defect, critical)

Platform: x86_64 Linux

Tracking

RESOLVED DUPLICATE of bug 1357022
Tracking Status
firefox-esr45 --- wontfix
firefox-esr52 55+ fixed
firefox53 --- wontfix
firefox54 + wontfix
firefox55 + verified

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [jsbugmon:update,bisect][adv-main55-])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 1fda52a1f3b8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

evaluate(`
var g = newGlobal();
g.nukeCCW(() => {});
var fe="f";
try {
  for (i=0; i<25;)
    fe += fe;
} catch(ex) {
  Function("with ({}) {} var undef, o; for (let z in [1, 2]) { " + fe + " }");
}
`);

Backtrace:

 received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff5cfc700 (LWP 16017)]
0x00000000004ff318 in js::gc::IsInsideNursery (cell=0xfffe4b4b0fb003d0) at dist/include/js/HeapAPI.h:361
#0  0x00000000004ff318 in js::gc::IsInsideNursery (cell=0xfffe4b4b0fb003d0) at dist/include/js/HeapAPI.h:361
#1  js::gc::Cell::isTenured (this=0xfffe4b4b0fb003d0) at js/src/gc/Heap.h:251
#2  js::gc::TenuredCell::arena (this=0xfffe4b4b0fb003d0) at js/src/gc/Heap.h:1242
#3  0x0000000000df6eb3 in js::gc::TenuredCell::zoneFromAnyThread (this=<optimized out>) at js/src/gc/Heap.h:1271
#4  JSObject::zoneFromAnyThread (this=<optimized out>) at js/src/jsobj.h:308
#5  CheckIsMarkedThing<JSObject*> (thingp=0x7ffff5cfaed0) at js/src/gc/Marking.cpp:3073
#6  0x0000000000dfdc65 in IsAboutToBeFinalizedInternal<JSObject> (thingp=0x7ffff5cfaed0) at js/src/gc/Marking.cpp:3155
#7  0x0000000000e0faca in js::gc::IsAboutToBeFinalizedUnbarriered<JSObject*> (thingp=<optimized out>) at js/src/gc/Marking.cpp:3217
#8  0x0000000000976a88 in (anonymous namespace)::NeedsSweepUnbarrieredFunctor::operator()<JSObject*> (this=<synthetic pointer>, t=<optimized out>) at js/src/jscompartment.cpp:931
#9  js::CrossCompartmentKey::WrappedMatcher::match (this=<synthetic pointer>, obj=<optimized out>) at js/src/jscompartment.h:165
#10 mozilla::detail::VariantImplementation<unsigned char, 0ul, JSObject*, JSString*, mozilla::Tuple<js::NativeObject*, JSScript*>, mozilla::Tuple<js::NativeObject*, JSObject*, js::CrossCompartmentKey::DebuggerObjectKind> >::match<js::CrossCompartmentKey::applyToWrapped(F) [with F = (anonymous namespace)::NeedsSweepUnbarrieredFunctor; decltype (f(static_cast<JSObject**>(nullptr))) = bool]::WrappedMatcher&, mozilla::Variant<JSObject*, JSString*, mozilla::Tuple<js::NativeObject*, JSScript*>, mozilla::Tuple<js::NativeObject*, JSObject*, js::CrossCompartmentKey::DebuggerObjectKind> > > (aMatcher=<synthetic pointer>, aV=...) at dist/include/mozilla/Variant.h:266
#11 mozilla::Variant<JSObject*, JSString*, mozilla::Tuple<js::NativeObject*, JSScript*>, mozilla::Tuple<js::NativeObject*, JSObject*, js::CrossCompartmentKey::DebuggerObjectKind> >::match<js::CrossCompartmentKey::applyToWrapped(F) [with F = (anonymous namespace)::NeedsSweepUnbarrieredFunctor; decltype (f(static_cast<JSObject**>(nullptr))) = bool]::WrappedMatcher&> (aMatcher=<synthetic pointer>, this=0x7ffff5cfaed0) at dist/include/mozilla/Variant.h:625
#12 js::CrossCompartmentKey::applyToWrapped<(anonymous namespace)::NeedsSweepUnbarrieredFunctor> (this=0x7ffff5cfaed0, f=...) at js/src/jscompartment.h:170
#13 js::CrossCompartmentKey::needsSweep (this=0x7ffff5cfaed0) at js/src/jscompartment.cpp:945
#14 JS::StructGCPolicy<js::CrossCompartmentKey>::needsSweep (tp=0x7ffff5cfaed0) at dist/include/js/GCPolicyAPI.h:94
#15 JS::DefaultMapSweepPolicy<js::CrossCompartmentKey, js::detail::UnsafeBareReadBarriered<JS::Value> >::needsSweep (value=0x7ffff6985fe8, key=0x7ffff5cfaed0) at dist/include/js/GCHashTable.h:22
#16 js::GCRekeyableHashMap<js::CrossCompartmentKey, js::detail::UnsafeBareReadBarriered<JS::Value>, js::CrossCompartmentKey::Hasher, js::SystemAllocPolicy, JS::DefaultMapSweepPolicy<js::CrossCompartmentKey, js::detail::UnsafeBareReadBarriered<JS::Value> > >::sweep (this=<optimized out>) at dist/include/js/GCHashTable.h:122
#17 0x000000000099c680 in SweepCCWrappers (runtime=<optimized out>) at js/src/jsgc.cpp:4976
#18 0x0000000000b4cabf in js::GCParallelTask::runFromHelperThread (this=0x7fffffff9580, locked=...) at js/src/vm/HelperThreads.cpp:1236
#19 0x0000000000b5385c in js::HelperThread::handleGCParallelWorkload (this=this@entry=0x7ffff694ec80, locked=...) at js/src/vm/HelperThreads.cpp:1268
#20 0x0000000000b59f8a in js::HelperThread::threadLoop (this=this@entry=0x7ffff694ec80) at js/src/vm/HelperThreads.cpp:1960
#21 0x0000000000b5a100 in js::HelperThread::ThreadMain (arg=0x7ffff694ec80) at js/src/vm/HelperThreads.cpp:1490
#22 0x0000000000b62622 in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul> (this=0x7ffff691e0c0) at js/src/threading/Thread.h:234
#23 js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start (aPack=0x7ffff691e0c0) at js/src/threading/Thread.h:227
#24 0x00007ffff7bc16fa in start_thread (arg=0x7ffff5cfc700) at pthread_create.c:333
#25 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0xfffe4b4b0fbfffe8	-480164194549784
rbx	0x7ffff5cfaed0	140737317416656
rcx	0x0	0
rdx	0x0	0
rsi	0x7ffff5cfae90	140737317416592
rdi	0xfffe4b4b0fb003d0	-480164195597360
rbp	0x7ffff5cfae10	140737317416464
rsp	0x7ffff5cfae10	140737317416464
r8	0x0	0
r9	0x38	56
r10	0x0	0
r11	0x246	582
r12	0x7ffff695e000	140737330405376
r13	0x7ffff5cfaed0	140737317416656
r14	0xffffffffffffff	72057594037927935
r15	0x7ffff6985fc8	140737330569160
rip	0x4ff318 <js::gc::TenuredCell::arena() const+24>
=> 0x4ff318 <js::gc::TenuredCell::arena() const+24>:	mov    (%rax),%eax
   0x4ff31a <js::gc::TenuredCell::arena() const+26>:	lea    -0x1(%rax),%edx

Marking s-s because this involves GC (nukeCCW) and the crash seems to be at a bad address.
Flags: needinfo?(jcoppeard)
Keywords: sec-high
May be fallout from bug 1360526, but also involves nukeCCW so may be related to bug 1357022.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
This is fallout from bug 1343261.

When we nuke a CCW it no longer keeps its target alive, but we still keep it in the map.  When doing a zone GC we need to sweep CCW maps for non-collected zones in case any of them contain a nuked CCW for an object in a zone that we're sweeping and that object dies.

This involves an extra pass through the CCW map for non-collected zones, but fortunately we can optimise that with the hasDeadProxies flag.

I also slightly improved JSCompartment::traceIncomingCrossCompartmentEdgesForZoneGC.
Attachment #8867228 - Flags: review?(sphink)
Blocks: 1343261
Comment on attachment 8867228 [details] [diff] [review]
bug1363229-sweep-incoming-ccws

Well this causes all sorts of failures on try.  Cancelling review for now.
Attachment #8867228 - Flags: review?(sphink)
Track 54+/55+ as sec-high.
The proposed change in bug 1357022 fixes this.
Moving to sec-other since nukeCCW is only present in the shell.
Keywords: sec-high → sec-other
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1357022
Updating tracking flags to match bug 1357022.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][adv-main55-]
Group: javascript-core-security