Closed
Bug 1493475
Opened 6 years ago
Closed 6 years ago
Assertion failure: !markCount, at js/src/ds/LifoAlloc.h:783
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla64
People
(Reporter: gkw, Assigned: tcampbell)
References
Details
(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])
Attachments
(2 files)
17.58 KB,
text/plain
|
Details | |
1.92 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 221c18ebe962 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-baseline --no-ion): offThreadCompileScript("\ (function(stdlib, foreign) {\ \"use asm\";\ function() {};\ })();\ "); Backtrace: #0 0x0000557fd2c75f24 in js::LifoAlloc::releaseAll (this=0x7f50350019e0) at js/src/ds/LifoAlloc.h:783 #1 0x0000557fd33d21a4 in js::HelperThread::maybeFreeUnusedMemory (this=<optimized out>, cx=<optimized out>) at js/src/vm/HelperThreads.cpp:2623 #2 js::HelperThread::threadLoop (this=0x7f5035604d80) at js/src/vm/HelperThreads.cpp:2581 #3 0x0000557fd33ce39d in js::HelperThread::ThreadMain (arg=0x7f50367b9680 <_IO_2_1_stderr_>) at js/src/vm/HelperThreads.cpp:2020 #4 0x0000557fd33ffa3f in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul> (this=0x7f5035619080) at js/src/threading/Thread.h:243 /snip For detailed crash information, see attachment. Memory allocation may be involved, so setting s-s as a start.
Reporter | ||
Comment 1•6 years ago
|
||
Reporter | ||
Comment 2•6 years ago
|
||
autobisectjs shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/7a9384b6a6c9 user: Jon Coppeard date: Tue Sep 18 13:56:45 2018 +0100 summary: Bug 1491037 - Periodically free helper thread LifoAlloc memory r=nbp Jon, is bug 1491037 a likely regressor?
Blocks: 1491037
Flags: needinfo?(jcoppeard)
Reporter | ||
Comment 3•6 years ago
|
||
Setting [fuzzblocker] as this seems to be happening quite frequently.
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Assignee | ||
Comment 4•6 years ago
|
||
Attachment #9011635 -
Flags: review?(luke)
Assignee | ||
Comment 5•6 years ago
|
||
Error path for asm.js parse verification creates a mark but doesn't cleanup the mark. This screws up the mark count checks. Side effects are this debug assert, some memory cleanup heuristics won't work (but this won't come up on well-formed script), and ParserBase::traceListHead won't get restored. This should all be fine since this was added as a perf/mem optimization. Probably can open this bug (I'll wait for review first).
Assignee: nobody → tcampbell
Flags: needinfo?(jcoppeard)
Comment 6•6 years ago
|
||
Comment on attachment 9011635 [details] [diff] [review] Cleanup asm.js parser cleanup Review of attachment 9011635 [details] [diff] [review]: ----------------------------------------------------------------- Whoa, this bug is ancient (https://hg.mozilla.org/mozilla-central/rev/541c383c1698)! So I guess, before this patch, there simply were never freeAll() calls on the parser's LifoAlloc. A long time ago I added freeAllIfHugeAndUnused() (https://hg.mozilla.org/mozilla-central/file/7a9384b6a6c9/js/src/frontend/Parser.cpp#l953) but of course a leaked markCount prevents it from freeing all. It really seems like ~Mark() should own the markCount (releasing itself in the dtor or at least asserting that it has been released), but this seems like the right quick fix.
Attachment #9011635 -
Flags: review?(luke) → review+
Assignee | ||
Comment 7•6 years ago
|
||
Unhiding and landing testcase with it.
Group: javascript-core-security
Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/8b553d15956a Cleanup asm.js parser cleanup. r=luke
Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/beb1b19a7ea1 Fixup broken test. r=bustage
Comment 10•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/8b553d15956a https://hg.mozilla.org/mozilla-central/rev/beb1b19a7ea1
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Comment 11•6 years ago
|
||
Is this something we need to worry about backporting or can it ride the trains?
status-firefox62:
--- → wontfix
status-firefox63:
--- → affected
status-firefox-esr60:
--- → affected
Flags: needinfo?(tcampbell)
Flags: in-testsuite+
Assignee | ||
Comment 12•6 years ago
|
||
Ride the trains. This is not a sec issue, affected code is years old, and it surfaced to fuzzing only because of better tooling that landed in FF64.
Flags: needinfo?(tcampbell)
You need to log in
before you can comment on or make changes to this bug.
Description
•