Bug 1434391 - Crash [@ js::gc::Chunk::withinValidRange] with OOM and Debugger
Status: Closed, RESOLVED FIXED (target milestone mozilla64)
Opened 7 years ago; closed 6 years ago
Categories: Core :: JavaScript Engine, defect, P1
People: Reporter: decoder, Assigned: jorendorff
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [jsbugmon:]
Attachments (1 file, 1 obsolete file): patch, 1.46 KB, jorendorff: review+
The following testcase crashes on mozilla-central revision 9746e0a0a81c (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):
oomTest(new Function(`
  var g = newGlobal();
  var dbg = new Debugger();
  var gw = dbg.addDebuggee(g);
  assertEq(gw.executeInGlobal("(42).toString(0)").throw.errorMessageName, "JSMSG_BAD_RADIX");
  for (let arg of Args)
    dbg();
`));
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00000000004710c0 in js::gc::Chunk::withinValidRange (addr=0) at js/src/gc/Heap.h:748
#0 0x00000000004710c0 in js::gc::Chunk::withinValidRange (addr=0) at js/src/gc/Heap.h:748
#1 js::gc::Cell::address (this=0x0) at js/src/gc/Cell.h:223
#2 js::gc::TenuredCell::arena (this=0x0) at js/src/gc/Cell.h:312
#3 0x00000000009efb50 in js::gc::TenuredCell::zoneFromAnyThread (this=0x0) at js/src/gc/Cell.h:340
#4 JSCompartment::wrap (this=<optimized out>, cx=0x7ffff5f16000, strp=..., strp@entry=...) at js/src/jscompartment.cpp:334
#5 0x0000000000b1109c in js::DebuggerObject::getErrorMessageName (cx=cx@entry=0x7ffff5f16000, object=..., object@entry=..., result=...) at js/src/vm/Debugger.cpp:10223
#6 0x0000000000b111cb in js::DebuggerObject::errorMessageNameGetter (cx=cx@entry=0x7ffff5f16000, argc=argc@entry=0, vp=vp@entry=0x7fffffffbeb0) at js/src/vm/Debugger.cpp:9162
#7 0x00000000008ee0d4 in js::jit::CallNativeGetter (cx=0x7ffff5f16000, callee=..., obj=..., result=...) at js/src/jit/VMFunctions.cpp:1554
#8 0x00002dc34d0b0167 in ?? ()
[...]
#38 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0xf5f16001 4126236673
rcx 0x0 0
rdx 0x7fffffffbd01 140737488338177
rsi 0x7ffff5f16000 140737319624704
rdi 0x0 0
rbp 0x7fffffffbc00 140737488337920
rsp 0x7fffffffbc00 140737488337920
r8 0x7fffffffbd00 140737488338176
r9 0x8 8
r10 0x7fffffffbf48 140737488338760
r11 0xfff9800000000000 -1829587348619264
r12 0x7ffff5f2d000 140737319718912
r13 0x0 0
r14 0x7fffffffbd68 140737488338280
r15 0x7fffffffbdb0 140737488338352
rip 0x4710c0 <js::gc::TenuredCell::arena() const+80>
=> 0x4710c0 <js::gc::TenuredCell::arena() const+80>: cmpq $0x0,0xffff0(%rcx)
0x4710c8 <js::gc::TenuredCell::arena() const+88>: je 0x4710e0 <js::gc::TenuredCell::arena() const+112>
Most likely not s-s because the OOM is in Debugger.
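Added example (not SpiderMonkey code and not the attached patch): a C++ model of the OOM-injection loop behind the shell's oomTest() and of the null-string-to-wrap() path visible in the backtrace above, with the buggy and fixed forms of the getter side by side. Harness, JsString, newString, wrap, getErrorMessageName and oomTest are constructed stand-ins, and the null dereference is counted instead of taken so the harness can report it.

```cpp
#include <string>

// Constructed fault injector in the spirit of the shell's oomTest(): fail the
// Nth allocation and record where real code would have dereferenced null.
struct Harness {
    int failAt = -1;    // allocation number that fails; -1 means never
    int allocs = 0;     // allocations attempted so far
    int nullDerefs = 0; // sites where the real engine would have crashed
    bool shouldFail() { return ++allocs == failAt; }
};

// Stand-in for a heap-allocated JSString; nullptr models a failed allocation.
struct JsString { std::string chars; };

static JsString* newString(Harness& h, const std::string& s) {
    if (h.shouldFail()) return nullptr;     // simulated OOM
    return new JsString{s};
}

// Stand-in for JSCompartment::wrap(): the real one asks the string for its
// zone unconditionally, so a null pointer is a SIGSEGV. Here it is counted.
static bool wrap(Harness& h, JsString* str, std::string& out) {
    if (!str) { ++h.nullDerefs; return false; } // would be the crash above
    out = str->chars;
    return true;
}

enum class Mode { Buggy, Fixed };
// Hypothetical getter modelled on DebuggerObject::getErrorMessageName(): the
// name string can fail to allocate, and only the fixed variant checks for it.
static bool getErrorMessageName(Harness& h, Mode mode, std::string& out) {
    JsString* name = newString(h, "JSMSG_BAD_RADIX"); // constructed value
    if (mode == Mode::Fixed && !name)
        return false;                        // report OOM to the caller
    bool ok = wrap(h, name, out);            // buggy path hands null to wrap()
    delete name;
    return ok;
}

struct OomReport { int runs; int nullDerefs; };
// Re-run the getter with the injected failure moved one allocation later each
// time, until a run completes without ever reaching the failure point.
static OomReport oomTest(Mode mode) {
    OomReport report{0, 0};
    for (int failAt = 1;; ++failAt) {
        Harness h; h.failAt = failAt;
        std::string out;
        getErrorMessageName(h, mode, out);
        ++report.runs;
        report.nullDerefs += h.nullDerefs;
        if (h.allocs < failAt) break;        // failure point never reached
    }
    return report;
}
```

For the buggy getter the harness reports one counted null dereference on the run where the name allocation fails; the fixed getter reports none and simply returns failure to its caller.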
Updated • 7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 • 7 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20160406195351" and the hash "4f662b15f40b63818e4c0bf707c434f82321deb4".
The "bad" changeset has the timestamp "20160406195952" and the hash "4b76e05f7ecf45a4a6877517f27c3d4d067802cd".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4f662b15f40b63818e4c0bf707c434f82321deb4&tochange=4b76e05f7ecf45a4a6877517f27c3d4d067802cd
Jim, is bug 1261904 a likely regressor?
Blocks: 1261904
Flags: needinfo?(jimb)
Updated • 7 years ago
Priority: -- → P1
Updated • 7 years ago
Assignee: nobody → jimb
Updated • 7 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 4 • 7 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision dc70d241f90d).
Updated • 7 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Updated • 7 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 5 • 7 years ago
JSBugMon: Fix Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20160406195351" and the hash "4f662b15f40b63818e4c0bf707c434f82321deb4".
The "bad" changeset has the timestamp "20160406195952" and the hash "4b76e05f7ecf45a4a6877517f27c3d4d067802cd".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4f662b15f40b63818e4c0bf707c434f82321deb4&tochange=4b76e05f7ecf45a4a6877517f27c3d4d067802cd
Comment 6 (Reporter) • 7 years ago
This is an automated crash issue comment:
Summary: Crash [@ js::gc::Chunk::withinValidRange]
Build version: mozilla-central revision 23885c14f025
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off
Testcase:
let g = newGlobal();
var lfLogBuffer = `
  evaluate("");
  var dbg = new Debugger();
  var gw = dbg.addDebuggee(g);
  gw.executeInGlobal("(42).toString(0)").throw.errorMessageName
  const Args = []
`;
loadFile(lfLogBuffer);
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
  oomTest(function() {
    eval(lfVarx);
  });
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 js::gc::Chunk::withinValidRange (addr=0) at js/src/gc/Heap.h:731
#1 js::gc::Cell::address (this=0x0) at js/src/gc/Cell.h:234
#2 js::gc::TenuredCell::arena (this=this@entry=0x0) at js/src/gc/Cell.h:333
#3 0x0000000000adc38d in js::gc::TenuredCell::zoneFromAnyThread (this=<optimized out>) at js/src/gc/Cell.h:361
#4 JSString::zoneFromAnyThread (this=0x0) at js/src/vm/StringType.h:572
#5 JS::Compartment::wrap (this=0x7ffff487f660, cx=0x7ffff5f17000, strp=...) at js/src/vm/Compartment.cpp:151
#6 0x0000000000af34af in js::DebuggerObject::getErrorMessageName (cx=<optimized out>, object=..., object@entry=..., result=...) at js/src/vm/Debugger.cpp:10162
#7 0x0000000000af4ae9 in js::DebuggerObject::errorMessageNameGetter (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:9103
#8 0x00000000005ba1f7 in CallJSNative (cx=0x7ffff5f17000, native=0xaf4a50 <js::DebuggerObject::errorMessageNameGetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:443
#9 0x00000000005aead7 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:531
#10 0x00000000005af0fd in InternalCall (cx=cx@entry=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:582
#11 0x00000000005af280 in js::Call (cx=cx@entry=0x7ffff5f17000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:601
#12 0x00000000005af448 in js::CallGetter (cx=0x7ffff5f17000, thisv=..., thisv@entry=..., getter=..., getter@entry=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:721
#13 0x0000000000bf1aa8 in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject.cpp:2140
#14 GetExistingProperty<(js::AllowGC)1> (cx=0x7ffff5f17000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:2197
#15 0x0000000000bf5bb5 in NativeGetPropertyInline<(js::AllowGC)1> (cx=<optimized out>, cx@entry=0x7ffff5f17000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2406
#16 0x0000000000bf6360 in js::NativeGetProperty (cx=cx@entry=0x7ffff5f17000, obj=..., receiver=..., receiver@entry=..., id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:2442
#17 0x00000000005b7734 in js::GetProperty (cx=0x7ffff5f17000, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1688
#18 0x000000000059bcfe in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=<optimized out>) at js/src/vm/JSObject.h:787
#19 js::GetProperty (cx=<optimized out>, v=..., name=..., vp=...) at js/src/vm/Interpreter.cpp:4527
#20 0x00000000005a25a4 in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0x7ffff5f17000) at js/src/vm/Interpreter.cpp:217
#21 Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:2912
#22 0x00000000005ae5f6 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:423
#23 0x00000000005b195d in js::ExecuteKernel (cx=<optimized out>, cx@entry=0x7ffff5f17000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=<optimized out>) at js/src/vm/Interpreter.cpp:771
#24 0x00000000005ea3b0 in EvalKernel (cx=0x7ffff5f17000, v=..., v@entry=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., env=env@entry=..., pc=<optimized out>, vp=...) at js/src/builtin/Eval.cpp:319
#25 0x00000000005eabbe in js::DirectEval (cx=<optimized out>, v=..., vp=...) at js/src/builtin/Eval.cpp:427
#26 0x000000000069a683 in js::jit::DoCallFallback (cx=<optimized out>, frame=0x7fffffffbec8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffbe78, res=...) at js/src/jit/BaselineIC.cpp:2641
#27 0x00003251409f828c in ?? ()
[...]
#59 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x0 0
rcx 0x0 0
rdx 0x0 0
rsi 0x7ffff5f17000 140737319628800
rdi 0x0 0
rbp 0x7fffffffa090 140737488330896
rsp 0x7fffffffa080 140737488330880
r8 0x7ffff488b1a0 140737295987104
r9 0x19 25
r10 0x4 4
r11 0x0 0
r12 0x7ffff5f17000 140737319628800
r13 0x7ffff487f660 140737295939168
r14 0x7fffffffa228 140737488331304
r15 0x7fffffffa270 140737488331376
rip 0x4d6e8c <js::gc::TenuredCell::arena() const+44>
=> 0x4d6e8c <js::gc::TenuredCell::arena() const+44>: cmpq $0x0,0xffff0(%rax)
0x4d6e94 <js::gc::TenuredCell::arena() const+52>: je 0x4d6eb8 <js::gc::TenuredCell::arena() const+88>
Updated • 7 years ago
Keywords: regression
Comment 7 (Assignee) • 6 years ago
This is a trivial null-crash. I've got a patch but it's not critical to get this into 62.
status-firefox62: --- → fix-optional
status-firefox63: --- → affected
Comment 8 (Assignee) • 6 years ago
Attachment #9005244 - Flags: review?(jimb)
Updated • 6 years ago
Assignee: jimb → jorendorff
Status: NEW → ASSIGNED
Comment 9 • 6 years ago
Comment on attachment 9005244 [details] [diff] [review]
Fix OOM handling bug in Debugger (and eliminate an unnecessary wrap() call)
Review of attachment 9005244 [details] [diff] [review]:
-----------------------------------------------------------------
I don't know why the javascript engine should have an opinion about what sort of radixes I put in my salad. These are my culture's traditions!
Attachment #9005244 - Flags: review?(jimb) → review+
Updated • 6 years ago
Keywords: checkin-needed
Comment 10 • 6 years ago
Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a5b2607fc188
Fix OOM handling bug in Debugger (and eliminate an unnecessary wrap() call). r=jimb
Keywords: checkin-needed
Comment 11 • 6 years ago
Backed out for failing linux sm build bustages
Push that started the failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=a5b2607fc1885b4f86cc7421fda89a19737788e4
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=198143992&repo=mozilla-inbound&lineNumber=50131
Backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/b04a830d12cdaa298b97a8135c10b64255d88ffe
Flags: needinfo?(jorendorff)
Comment 12 • 6 years ago
And also jit failures at tests/jit-test/jit-test/tests/debug/bug1434391.js
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=198148434&repo=mozilla-inbound&lineNumber=4633
[task 2018-09-07T22:06:58.033Z] 22:06:58 INFO - TEST-PASS | tests/jit-test/jit-test/tests/debug/bug1432764.js | Success (code 3, args "--no-baseline --no-ion") [0.1 s]
[task 2018-09-07T22:06:58.033Z] 22:06:58 INFO - {"action": "test_start", "jitflags": "--no-baseline --no-ion", "pid": 4993, "source": "jittests", "test": "debug/bug1432764.js", "thread": "main", "time": 1536358017.962396}
[task 2018-09-07T22:06:58.033Z] 22:06:58 INFO - {"action": "test_end", "extra": {"jitflags": "--no-baseline --no-ion", "pid": 4993}, "jitflags": "--no-baseline --no-ion", "message": "Success", "pid": 4993, "source": "jittests", "status": "PASS", "test": "debug/bug1432764.js", "thread": "main", "time": 1536358018.031581}
[task 2018-09-07T22:06:58.057Z] 22:06:58 INFO - /builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined
[task 2018-09-07T22:06:58.058Z] 22:06:58 INFO - Stack:
[task 2018-09-07T22:06:58.058Z] 22:06:58 INFO - @/builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1
[task 2018-09-07T22:06:58.058Z] 22:06:58 INFO - Exit code: 3
[task 2018-09-07T22:06:58.059Z] 22:06:58 INFO - FAIL - debug/bug1434391.js
[task 2018-09-07T22:06:58.060Z] 22:06:58 WARNING - TEST-UNEXPECTED-FAIL | tests/jit-test/jit-test/tests/debug/bug1434391.js | /builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined (code 3, args "") [0.1 s]
[task 2018-09-07T22:06:58.062Z] 22:06:58 INFO - {"action": "test_start", "jitflags": "", "pid": 4997, "source": "jittests", "test": "debug/bug1434391.js", "thread": "main", "time": 1536358017.992245}
[task 2018-09-07T22:06:58.063Z] 22:06:58 INFO - {"action": "test_end", "extra": {"jitflags": "", "pid": 4997}, "jitflags": "", "message": "/builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined", "pid": 4997, "source": "jittests", "status": "FAIL", "test": "debug/bug1434391.js", "thread": "main", "time": 1536358018.055976}
[task 2018-09-07T22:06:58.064Z] 22:06:58 INFO - INFO exit-status : 3
[task 2018-09-07T22:06:58.065Z] 22:06:58 INFO - INFO timed-out : False
[task 2018-09-07T22:06:58.065Z] 22:06:58 INFO - INFO stderr 2> /builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined
[task 2018-09-07T22:06:58.066Z] 22:06:58 INFO - INFO stderr 2> Stack:
[task 2018-09-07T22:06:58.067Z] 22:06:58 INFO - INFO stderr 2> @/builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1
[task 2018-09-07T22:06:58.108Z] 22:06:58 INFO - /builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined
[task 2018-09-07T22:06:58.109Z] 22:06:58 INFO - Stack:
[task 2018-09-07T22:06:58.110Z] 22:06:58 INFO - @/builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1
[task 2018-09-07T22:06:58.112Z] 22:06:58 INFO - Exit code: 3
[task 2018-09-07T22:06:58.113Z] 22:06:58 INFO - FAIL - debug/bug1434391.js
[task 2018-09-07T22:06:58.113Z] 22:06:58 WARNING - TEST-UNEXPECTED-FAIL | tests/jit-test/jit-test/tests/debug/bug1434391.js | /builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined (code 3, args "--ion-eager --ion-offthread-compile=off") [0.1 s]
[task 2018-09-07T22:06:58.115Z] 22:06:58 INFO - {"action": "test_start", "jitflags": "--ion-eager --ion-offthread-compile=off", "pid": 5001, "source": "jittests", "test": "debug/bug1434391.js", "thread": "main", "time": 1536358018.035578}
[task 2018-09-07T22:06:58.116Z] 22:06:58 INFO - {"action": "test_end", "extra": {"jitflags": "--ion-eager --ion-offthread-compile=off", "pid": 5001}, "jitflags": "--ion-eager --ion-offthread-compile=off", "message": "/builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined", "pid": 5001, "source": "jittests", "status": "FAIL", "test": "debug/bug1434391.js", "thread": "main", "time": 1536358018.108395}
[task 2018-09-07T22:06:58.117Z] 22:06:58 INFO - INFO exit-status : 3
[task 2018-09-07T22:06:58.118Z] 22:06:58 INFO - INFO timed-out : False
[task 2018-09-07T22:06:58.119Z] 22:06:58 INFO - INFO stderr 2> /builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined
[task 2018-09-07T22:06:58.120Z] 22:06:58 INFO - INFO stderr 2> Stack:
[task 2018-09-07T22:06:58.121Z] 22:06:58 INFO - INFO stderr 2> @/builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1
[task 2018-09-07T22:06:58.154Z] 22:06:58 INFO - /builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined
[task 2018-09-07T22:06:58.154Z] 22:06:58 INFO - Stack:
[task 2018-09-07T22:06:58.154Z] 22:06:58 INFO - @/builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1
[task 2018-09-07T22:06:58.155Z] 22:06:58 INFO - Exit code: 3
[task 2018-09-07T22:06:58.156Z] 22:06:58 INFO - FAIL - debug/bug1434391.js
Comment 13 (Assignee) • 6 years ago
Updated • 6 years ago
Attachment #9005244 - Attachment is obsolete: true
Comment 14 (Assignee) • 6 years ago
Comment on attachment 9007669 [details] [diff] [review]
Fix OOM handling bug in Debugger (and eliminate an unnecessary wrap() call)
Trivial fix to previous version of patch.
Flags: needinfo?(jorendorff)
Attachment #9007669 - Flags: review+
Updated • 6 years ago
Keywords: checkin-needed
Comment 15 • 6 years ago
Pushed by dvarga@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f33e65ea17cf
Fix OOM handling bug in Debugger (and eliminate an unnecessary wrap() call). r=jimb r=jorendorff
Keywords: checkin-needed
Comment 16 (bugherder) • 6 years ago
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox64: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Updated • 6 years ago
Updated • 6 years ago
Flags: in-testsuite+