Closed Bug 1376090 Opened 7 years ago Closed 7 years ago

Crash in FindScopeIndex

Categories

(Core :: JavaScript Engine, defect, P3)

51 Branch
All
Windows
defect

Tracking


RESOLVED DUPLICATE of bug 1367896
Tracking Status
firefox-esr52 --- affected
firefox54 --- wontfix
firefox55 --- affected
firefox56 --- ?

People

(Reporter: philipp, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-6740fa37-66ea-4c93-b978-ff6780170623.
=============================================================
Crashing Thread (0)
Frame 	Module 	Signature 	Source
0 	xul.dll 	FindScopeIndex 	js/src/jsscript.cpp:299
1 	xul.dll 	js::CloneScriptIntoFunction(JSContext*, JS::Handle<js::Scope*>, JS::Handle<JSFunction*>, JS::Handle<JSScript*>) 	js/src/jsscript.cpp:3665
2 	xul.dll 	CloneInnerInterpretedFunction 	js/src/jsscript.cpp:3373
3 	xul.dll 	JS::StructGCPolicy<JS::GCVector<js::IdValuePair, 0, js::TempAllocPolicy> >::trace(JSTracer*, JS::GCVector<js::IdValuePair, 0, js::TempAllocPolicy>*, char const*) 	obj-firefox/dist/include/js/GCPolicyAPI.h:87
4 	xul.dll 	js::detail::CopyScript(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::GCVector<js::Scope*, 0, js::TempAllocPolicy> >) 	js/src/jsscript.cpp:3463
5 	xul.dll 	js::detail::CopyScript(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::GCVector<js::Scope*, 0, js::TempAllocPolicy> >) 	js/src/jsscript.cpp:3463
6 	xul.dll 	js::MallocProvider<JS::Zone>::pod_malloc<unsigned char>(unsigned int) 	js/src/vm/MallocProvider.h:89
7 	xul.dll 	mozilla::Vector<char, 0, mozilla::MallocAllocPolicy>::convertToHeapStorage(unsigned int) 	obj-firefox/dist/include/mozilla/Vector.h:938
8 	xul.dll 	js::CloneGlobalScript(JSContext*, js::ScopeKind, JS::Handle<JSScript*>) 	js/src/jsscript.cpp:3622
9 	xul.dll 	js::CloneGlobalScript(JSContext*, js::ScopeKind, JS::Handle<JSScript*>) 	js/src/jsscript.cpp:3622
10 	xul.dll 	JS::StructGCPolicy<JS::GCHashSet<jsid, js::DefaultHasher<jsid>, js::TempAllocPolicy> >::trace(JSTracer*, JS::GCHashSet<jsid, js::DefaultHasher<jsid>, js::TempAllocPolicy>*, char const*) 	obj-firefox/dist/include/js/GCPolicyAPI.h:87
11 	xul.dll 	JS::CloneAndExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp:4616
12 	xul.dll 	mozJSComponentLoader::ObjectForLocation(ComponentLoaderInfo&, nsIFile*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>) 	js/xpconnect/loader/mozJSComponentLoader.cpp:741
13 	dxgi.dll 	_allmul 	
14 	xul.dll 	mozJSComponentLoader::ImportInto(nsACString const&, JS::Handle<JSObject*>, JSContext*, JS::MutableHandle<JSObject*>) 	js/xpconnect/loader/mozJSComponentLoader.cpp:974
15 	xul.dll 	mozJSComponentLoader::Import(nsACString const&, JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) 	js/xpconnect/loader/mozJSComponentLoader.cpp:820
16 	xul.dll 	nsXPCComponents_Utils::Import(nsACString const&, JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) 	js/xpconnect/src/XPCComponents.cpp:2504
17 	xul.dll 	NS_InvokeByIndex 	xpcom/reflect/xptcall/md/win32/xptcinvoke_asm_x86_msvc.asm:54
18 	xul.dll 	XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:982
19 	xul.dll 	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp:470
20 	xul.dll 	InternalCall 	js/src/vm/Interpreter.cpp:515
21 	xul.dll 	Interpret 	js/src/vm/Interpreter.cpp:3064
22 	xul.dll 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp:410
23 	xul.dll 	js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) 	js/src/vm/Interpreter.cpp:699
24 	xul.dll 	js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) 	js/src/vm/Interpreter.cpp:731
25 	xul.dll 	mozJSComponentLoader::ObjectForLocation(ComponentLoaderInfo&, nsIFile*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>) 	js/xpconnect/loader/mozJSComponentLoader.cpp:741
26 	dxgi.dll 	_allmul

This is a (low-volume) signature from users on Windows, appearing since Firefox 51, with MOZ_CRASH("Scope not found").
Taking a glance at the code, it appears to me that the |GCPtrScope* vector| in CopyScript is a GC hazard. If we got hit by a compacting GC during Scope::clone, the vector would not point to the right place anymore. This would explain why FindScopeIndex might fail.

Steve, what do you think? Am I missing something special about scopes or GCPtr<T>*? And if I'm not crazy, why did hazard analysis miss it?

https://searchfox.org/mozilla-central/rev/2ef8bd8a46a02c68ddbb1d5f25fa254dd7be1fbd/js/src/jsscript.cpp#3524

Also,
https://searchfox.org/mozilla-central/rev/2ef8bd8a46a02c68ddbb1d5f25fa254dd7be1fbd/js/src/jsscript.cpp#718
Flags: needinfo?(sphink)
Priority: -- → P3
On IRC, :jonco explained that the vector itself is malloc'd memory and therefore doesn't move. Problem must be something else (or just random allocation problem due to an earlier corruption).
Flags: needinfo?(sphink)
I believe this is a duplicate of Bug 1367896. We somehow corrupt the JSScript::data buffer through use of XDR, resulting in scopes()->vector having bogus data and the MOZ_CRASH firing.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
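As an added illustration of the thread above (not code from this bug, nor from SpiderMonkey), the following toy two-space compacting collector shows the three ideas in play: why an untraced pointer held across a moving GC becomes stale (the concern in the first comment), why a malloc'd buffer such as the scopes vector does not itself move and only the cell pointers stored in its slots need tracing (the IRC answer in the second comment), and how a slot holding bogus data makes an identity lookup of the kind FindScopeIndex performs come up empty (the explanation in the third comment). The names ToyMovingHeap, Cell and findCellIndex, the root-slot mechanism and the corruption value are all constructed for this example.

```cpp
// Added illustration, not SpiderMonkey code. "Cell" stands in for a GC thing
// such as a js::Scope, a registered root slot for a traced GCPtr, and the
// malloc'd Cell** buffer for the scopes()->vector inside JSScript::data.
#include <cassert>
#include <cstdlib>
#include <cstring>
#include <utility>
#include <vector>

struct Cell {
    int id;
    int payload;
};

class ToyMovingHeap {
public:
    static const int kCapacity = 16;

    ToyMovingHeap() : fromSpace(spaceA), toSpace(spaceB), top(0) {}

    // Bump-allocate a cell in the current from-space.
    Cell* allocate(int id, int payload) {
        assert(top < kCapacity);
        Cell* c = &fromSpace[top++];
        c->id = id;
        c->payload = payload;
        return c;
    }

    // Register a slot the collector must rewrite when its cell moves
    // (the role a traced GCPtr or a Rooted plays in the real engine).
    void addRoot(Cell** slot) { roots.push_back(slot); }

    // Compacting collection: copy each rooted cell into to-space once,
    // rewrite every root slot, then poison the old space so a stale
    // pointer into it reads garbage rather than the old contents.
    void collect() {
        std::vector<std::pair<Cell*, Cell*> > forwarded;  // old -> new
        int newTop = 0;
        for (Cell** slot : roots) {
            Cell* old = *slot;
            if (!old) continue;
            Cell* moved = nullptr;
            for (const auto& f : forwarded)
                if (f.first == old) moved = f.second;
            if (!moved) {
                moved = &toSpace[newTop++];
                *moved = *old;
                forwarded.push_back(std::make_pair(old, moved));
            }
            *slot = moved;
        }
        std::memset(fromSpace, 0xAA, sizeof(Cell) * kCapacity);
        std::swap(fromSpace, toSpace);
        top = newTop;
    }

private:
    Cell spaceA[kCapacity];
    Cell spaceB[kCapacity];
    Cell* fromSpace;
    Cell* toSpace;
    int top;
    std::vector<Cell**> roots;
};

// The hazard the first comment worried about: a pointer held across a
// collection without being traced still points at the pre-move address.
bool rawPointerGoesStale() {
    ToyMovingHeap heap;
    Cell* rooted = heap.allocate(1, 42);
    heap.addRoot(&rooted);
    Cell* raw = rooted;  // untraced alias
    heap.collect();
    return raw != rooted && raw->payload != 42 && rooted->payload == 42;
}

// The second comment's point: a malloc'd buffer does not move during a
// collection, so a pointer to the buffer stays valid; only the cell
// pointers stored in its slots need tracing.
bool mallocStorageIsStable() {
    ToyMovingHeap heap;
    Cell** vec = static_cast<Cell**>(std::malloc(2 * sizeof(Cell*)));
    vec[0] = heap.allocate(1, 10);
    vec[1] = heap.allocate(2, 20);
    Cell** before = vec;
    heap.addRoot(&vec[0]);
    heap.addRoot(&vec[1]);
    heap.collect();
    bool ok = vec == before && vec[0]->payload == 10 && vec[1]->payload == 20;
    std::free(vec);
    return ok;
}

// The third comment's explanation in miniature: the buffer is intact, but a
// slot holds bogus data, so an identity lookup (what FindScopeIndex does
// before MOZ_CRASH("Scope not found")) finds nothing to match.
int findCellIndex(Cell** vec, int n, Cell* wanted) {
    for (int i = 0; i < n; i++)
        if (vec[i] == wanted) return i;
    return -1;
}

bool bogusSlotIsNotFound() {
    ToyMovingHeap heap;
    Cell* a = heap.allocate(1, 10);
    Cell* b = heap.allocate(2, 20);
    Cell* vec[2] = { a, b };
    int good = findCellIndex(vec, 2, b);            // 1
    vec[1] = reinterpret_cast<Cell*>(0xDEADBEEF);   // constructed corruption
    int bad = findCellIndex(vec, 2, b);             // -1
    return good == 1 && bad == -1;
}
```

The design choice worth noting is the poisoning step in collect(): without it a stale pointer would still read the old, unchanged bytes and the hazard would be invisible, which is exactly why such bugs surface as low-volume, hard-to-reproduce crashes rather than deterministic failures.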