Closed Bug 1459555 Opened 7 years ago Closed 6 years ago

Firefox crashes on BinAST encoded version of Facebook.com

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Platform:
Unspecified
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla64
Tracking Flags:
Tracking Status
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- fixed

People

(Reporter: vladan, Assigned: efaust)

References

Details

Attachments

(5 files)

consolelog.txt
5.09 KB, text/plain
Details
Crash Stack
12.74 KB, text/plain
Details
[Part 1] Allow throwing BinAST errors off-main-thread
9.10 KB, patch
arai
: review+
Details | Diff | Splinter Review
[Part 2] Improve off-main-thread BinAST performance
4.80 KB, patch
arai
: review+
Details | Diff | Splinter Review
[Part 3] Re-enable off-main-thread BinAST parsing
851 bytes, patch
arai
: review+
Details | Diff | Splinter Review
Attached file consolelog.txt
This is a 100% reproducible crash from loading the BinAST versions of the following Facebook.com snapshots: * https://vdjeric.github.io/fb_bench/newsfeed_bench.htm * https://vdjeric.github.io/fb_bench/comments_bench.htm Crash log attached, no Breakpad crash log cause it's a dev build. How to reproduce the crash: To reproduce: 1. Build mozilla-central with patches from bug 1454352 and bug 1444956 2. Toggle “dom.script_loader.binast_encoding.enabled” pref in about:config to true 3. Start webserver from binast/binast-server repo against the fb_bench/ directory in the same repo, as follows: ./serveBinAST.py ./fb_bench/ 4. Observe that the custom build crashes reliably on both of the following URLs if BinAST is enabled. It loads fine if BinAST is preffed off. https://localhost:8443/comments_bench.htm https://localhost:8443/newsfeed_bench.htm Notes: * The first URL is a simpler benchmark so might be a bit easier to debug * The "simple.html" BinAST test case in the same repo does work end to end * The files in that fb_bench directory are encoded with default encoder options, so that seems like an easy test
Do you have a stack at hand, by any chance?
I don't have one atm, but I'll get one tomorrow
Flags: needinfo?(vladan.bugzilla)
Flags: needinfo?(jcoppeard)
Attached file Crash Stack
Flags: needinfo?(vladan.bugzilla)
Looks like we have two bugs: 1) We're not properly handling exceptions off-main-thread. 2) We've got an error in BinAST that's causing us to try to throw an exception :)
At first glance it looks like BinTokenReaderBase::raiseError needs to be more like GeneralParser::error and call ReportCompileError instead of JS_ReportErrorASCII.
Yup. Will patch.
Blocks: 1444956
As suggested I've landed bug 1444956 with off-thread decoding disabled in CanDoOffThread.
Flags: needinfo?(jcoppeard)
Priority: -- → P3
Assignee: nobody → efaustbmo
Attachment #9012841 - Flags: review?(arai.unmht)
Status: NEW → ASSIGNED
Comment on attachment 9012841 [details] [diff] [review] [Part 1] Allow throwing BinAST errors off-main-thread Review of attachment 9012841 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/js.msg @@ +677,5 @@ > MSG_DEF(JSMSG_BIGINT_INVALID_SYNTAX, 0, JSEXN_SYNTAXERR, "invalid BigInt syntax") > MSG_DEF(JSMSG_NOT_BIGINT, 0, JSEXN_TYPEERR, "not a BigInt") > MSG_DEF(JSMSG_BIGINT_NOT_SERIALIZABLE, 0, JSEXN_TYPEERR, "BigInt value can't be serialized in JSON") > + > +MSG_DEF(JSMSG_BINAST, 1, JSEXN_SYNTAXERR, "BinAST Parsing Error: {0}") can you add "// BinAST" above this line?
Attachment #9012841 - Flags: review?(arai.unmht) → review+
Comment on attachment 9012842 [details] [diff] [review] [Part 2] Improve off-main-thread BinAST performance Review of attachment 9012842 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/frontend/BinToken.cpp @@ +89,2 @@ > { > + MOZ_ASSERT(!cx->helperThread()); can you add a comment that explains this should be called in main thread before starting the helper thread, for off-main-thread case? so it's clear what this assertion means. (at a first glance, this looks like it's not initialized for helper thread case) @@ +109,2 @@ > { > + MOZ_ASSERT(!cx->helperThread()); same here.
Attachment #9012842 - Flags: review?(arai.unmht) → review+
Comment on attachment 9012843 [details] [diff] [review] [Part 3] Re-enable off-main-thread BinAST parsing Review of attachment 9012843 [details] [diff] [review]: ----------------------------------------------------------------- \o/
Attachment #9012843 - Flags: review?(arai.unmht) → review+
Pushed by efaustbmo@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/8f2f2bcd57d2 Part 1: Allow throwing BinAST errors off main thread. (r=arai) https://hg.mozilla.org/integration/mozilla-inbound/rev/ccdbc1449e13 Part 2: Don't take locks in BinSourceRuntimeSuppert::*. (r=arai) https://hg.mozilla.org/integration/mozilla-inbound/rev/90505ae78229 Part 3: Allow off-main-thread BinAST compilation. (r=arai)
Pushed by efaustbmo@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/1487cec16a9c Part 1: Allow throwing BinAST errors off main thread. (r=arai) https://hg.mozilla.org/integration/mozilla-inbound/rev/ac5bef60b83b Part 2: Don't take locks in BinSourceRuntimeSuppert::*. (r=arai) https://hg.mozilla.org/integration/mozilla-inbound/rev/3a7453938961 Part 3: Allow off-main-thread BinAST compilation. (r=arai)
https://hg.mozilla.org/mozilla-central/rev/1487cec16a9c https://hg.mozilla.org/mozilla-central/rev/ac5bef60b83b https://hg.mozilla.org/mozilla-central/rev/3a7453938961
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox64: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: