Closed Bug 1493475 Opened 6 years ago Closed 6 years ago

Assertion failure: !markCount, at js/src/ds/LifoAlloc.h:783

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla64
Tracking Flags:
Tracking Status
firefox-esr60 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- fixed

People

(Reporter: gkw, Assigned: tcampbell)

References

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
17.58 KB, text/plain
Details
Cleanup asm.js parser cleanup
1.92 KB, patch
luke
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 221c18ebe962 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-baseline --no-ion):

offThreadCompileScript("\
    (function(stdlib, foreign) {\
        \"use asm\";\
        function() {};\
    })();\
");

Backtrace:

#0  0x0000557fd2c75f24 in js::LifoAlloc::releaseAll (this=0x7f50350019e0) at js/src/ds/LifoAlloc.h:783
#1  0x0000557fd33d21a4 in js::HelperThread::maybeFreeUnusedMemory (this=<optimized out>, cx=<optimized out>) at js/src/vm/HelperThreads.cpp:2623
#2  js::HelperThread::threadLoop (this=0x7f5035604d80) at js/src/vm/HelperThreads.cpp:2581
#3  0x0000557fd33ce39d in js::HelperThread::ThreadMain (arg=0x7f50367b9680 <_IO_2_1_stderr_>) at js/src/vm/HelperThreads.cpp:2020
#4  0x0000557fd33ffa3f in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul> (this=0x7f5035619080) at js/src/threading/Thread.h:243
/snip

For detailed crash information, see attachment.

Memory allocation may be involved, so setting s-s as a start.
autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7a9384b6a6c9
user:        Jon Coppeard
date:        Tue Sep 18 13:56:45 2018 +0100
summary:     Bug 1491037 - Periodically free helper thread LifoAlloc memory r=nbp

Jon, is bug 1491037 a likely regressor?
Blocks: 1491037
Flags: needinfo?(jcoppeard)
Setting [fuzzblocker] as this seems to be happening quite frequently.
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]

        Attachment #9011635 -
        Flags: review?(luke)

    
    

    
  
Error path for asm.js parse verification creates a mark but doesn't cleanup the mark. This screws up the mark count checks.

Side effects are this debug assert, some memory cleanup heuristics won't work (but this won't come up on well-formed script), and ParserBase::traceListHead won't get restored. This should all be fine since this was added as a perf/mem optimization. Probably can open this bug (I'll wait for review first).
Assignee: nobody → tcampbell
Flags: needinfo?(jcoppeard)

    
    

    
  
Comment on attachment 9011635 [details] [diff] [review]
Cleanup asm.js parser cleanup

Review of attachment 9011635 [details] [diff] [review]:
-----------------------------------------------------------------

Whoa, this bug is ancient (https://hg.mozilla.org/mozilla-central/rev/541c383c1698)!  So I guess, before this patch, there simply were never freeAll() calls on the parser's LifoAlloc.  A long time ago I added freeAllIfHugeAndUnused() (https://hg.mozilla.org/mozilla-central/file/7a9384b6a6c9/js/src/frontend/Parser.cpp#l953) but of course a leaked markCount prevents it from freeing all.

It really seems like ~Mark() should own the markCount (releasing itself in the dtor or at least asserting that it has been released), but this seems like the right quick fix.

        Attachment #9011635 -
        Flags: review?(luke) → review+

    
    

    
  
Unhiding and landing testcase with it.
Group: javascript-core-security

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/8b553d15956a
https://hg.mozilla.org/mozilla-central/rev/beb1b19a7ea1
Status: NEW → RESOLVED
Closed: 6 years ago

          status-firefox64:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64

    
    

    
  
Is this something we need to worry about backporting or can it ride the trains?

          status-firefox62:
          --- → wontfix

          status-firefox63:
          --- → affected

          status-firefox-esr60:
          --- → affected
Flags: needinfo?(tcampbell)
Flags: in-testsuite+

    
    

    
  
Ride the trains. This is not a sec issue, affected code is years old, and it surfaced to fuzzing only because of better tooling that landed in FF64.

          status-firefox63:
          affectedwontfix

          status-firefox-esr60:
          affectedwontfix
Flags: needinfo?(tcampbell)

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: