Closed Bug 1490638 Opened 6 years ago Closed 6 years ago

Crash [@ ??] due to over-recursion with evalInWorker

Categories

Product/Component: Core :: JavaScript Engine
Type: defect
Hardware: x86_64
OS: Linux
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla64
Tracking Status
firefox-esr60 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- fixed

People

(Reporter: decoder, Assigned: mgaudet)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect][fuzzblocker])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 423bdf7a802b (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe):

    evalInWorker(`
      function f() {
        f.apply([], new Array(20000));
      }
      f()
    `);

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7ffff48ff700 (LWP 17736)]
    0x00003e4291d2c3e5 in ?? ()
    #0  0x00003e4291d2c3e5 in ?? ()
    #1  0xfff9800000000000 in ?? ()
    [...]
    #127 0xfff9800000000000 in ?? ()
    rax	0x3e4291d2c3a0	68455635272608
    rbx	0x7ffff5f2a000	140737319706624
    rcx	0x0	0
    rdx	0x7ffff4182008	140737288609800
    rsi	0x4e21	20001
    rdi	0x3e4291d33f10	68455635304208
    rbp	0x7ffff4805310	140737295438608
    rsp	0x7ffff47e0000	140737295286272
    r8	0x7ffff45238c0	140737292417216
    r9	0x0	0
    r10	0x7ffff4805950	140737295440208
    r11	0x7ffff5f2a060	140737319706720
    r12	0x8	8
    r13	0x7ffff4183e30	140737288617520
    r14	0x7ffff48052e0	140737295438560
    r15	0x7ffff4805930	140737295440176
    rip	0x3e4291d2c3e5	68455635272677
    => 0x3e4291d2c3e5:	pushq  0x0(%r13)
       0x3e4291d2c3e9:	jmp    0x3e4291d2c3d8
This can also crash with various other signatures depending on where it hits the stack limit. Marking as fuzzblocker.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Flags: needinfo?(jdemooij)
Matthew, do you mind taking this one? It's a fuzzblocker for decoder/gary. The stack quota we set for worker threads in js/src/shell/js.cpp is probably wrong or does not include a big enough buffer of, say, 256 KB to handle function arguments in the EnterJIT trampoline.
Flags: needinfo?(jdemooij) → needinfo?(mgaudet)
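To make the arithmetic in the comment above concrete, here is an added C model of the failure mode. It is not SpiderMonkey code and not the patch that fixed this bug; it only models the two quantities jandem describes: an over-recursion limit that sits some buffer above the end of a native stack, and post-check code (the argument push of the EnterJIT trampoline) whose size depends on the call. Assumptions: 8-byte argument slots, an assumed 64-byte frame header, 256 bytes of padding per modeled frame, and a stack region carved out of the calling thread's own stack (512 KB, so the caller's real stack must be larger than that) instead of a real worker pthread. The 20000 arguments come from the testcase; the 32 KB and 256 KB buffers are chosen for the comparison.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* Modeled worker (assumption, not js/src/shell code): a native stack of
 * stack_size bytes, an over-recursion limit placed quota_buffer bytes above
 * the stack end, and nargs argument slots pushed after every check. */
struct worker_cfg {
    size_t stack_size;
    size_t quota_buffer;
    size_t nargs;
};

struct worker_state {
    struct worker_cfg cfg;
    uintptr_t stack_end;  /* lowest address of the modeled stack        */
    uintptr_t limit;      /* over-recursion limit checked on every call */
    int outcome;          /* 1 guard fired, 0 push would overflow, -1 error */
    size_t depth;
};

static NOINLINE uintptr_t current_sp(void)
{
    char marker;
    return (uintptr_t)&marker;
}

/* Bytes the post-check code writes below sp: one 8-byte slot per argument
 * plus an assumed fixed 64-byte frame header. */
size_t frame_bytes_for(size_t nargs)
{
    return nargs * sizeof(uint64_t) + 64;
}

/* One modeled call: run the over-recursion check, then test whether the
 * argument push would cross the stack end. The overflow is only computed,
 * never performed, so nothing below sp is ever written. */
static NOINLINE void recurse(struct worker_state *st, uintptr_t prev_sp,
                             size_t depth)
{
    uintptr_t sp = current_sp();
    if (sp >= prev_sp || depth > 1000000) {   /* frame did not descend */
        st->outcome = -1;
        st->depth = depth;
        return;
    }
    if (sp <= st->limit) {                    /* over-recursion check */
        st->outcome = 1;
        st->depth = depth;
        return;
    }
    if (sp - frame_bytes_for(st->cfg.nargs) < st->stack_end) {
        st->outcome = 0;                      /* the SIGSEGV in this bug */
        st->depth = depth;
        return;
    }
    volatile char pad[256];                   /* each frame uses real stack */
    pad[0] = (char)depth;
    recurse(st, sp, depth + 1);
    (void)pad[0];
}

/* Treats the stack_size bytes below the current stack pointer as the worker
 * stack (the caller's real stack is assumed to be larger, e.g. the 8 MB
 * main-thread default). Returns 1 if the guard fires before any frame would
 * overflow, 0 if an argument push would overflow first, -1 on model error. */
int quota_catches_recursion(size_t stack_size, size_t quota_buffer, size_t nargs)
{
    struct worker_state st = {{stack_size, quota_buffer, nargs}, 0, 0, -1, 0};
    uintptr_t base = current_sp();
    if (quota_buffer >= stack_size)
        return -1;
    st.stack_end = base - stack_size;
    st.limit = st.stack_end + quota_buffer;
    recurse(&st, base, 0);
    return st.outcome;
}

int main(void)
{
    size_t stack = 512 * 1024, nargs = 20000;
    printf("push for %zu args: %zu bytes\n", nargs, frame_bytes_for(nargs));
    printf("32 KB buffer:  %d\n", quota_catches_recursion(stack, 32 * 1024, nargs));
    printf("256 KB buffer: %d\n", quota_catches_recursion(stack, 256 * 1024, nargs));
    return 0;
}
```

With a 32 KB buffer the guard passes on a frame whose 160 KB argument push then runs off the end of the stack, which is the shape of the crash above; with a 256 KB buffer the guard fires first. The point of the model is the invariant, not the numbers: the distance between the over-recursion limit and the end of the native stack has to cover the largest thing the engine can push after passing the check, and the actual fix here enlarges the worker stack so that holds.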
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Flags: needinfo?(mgaudet)
Comment on attachment 9010028 [details]
Bug 1490638 - Increase worker stack size for EvalInWorker r?jandem

Jan de Mooij [:jandem] has approved the revision.
Attachment #9010028 - Flags: review+
Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c1f872c41359
Increase worker stack size for EvalInWorker r=jandem
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Jan, do you think that we should uplift this patch to 63 beta? Thanks
Flags: needinfo?(jdemooij)
(In reply to Pascal Chevrel:pascalc from comment #7)
> Jan, do you think that we should uplift this patch to 63 beta? Thanks

No, it's just a shell-only issue. Ryan marked firefox63 as wontfix already, so there's nothing else to do here.
Flags: needinfo?(jdemooij)