Crash [@ js::RemapWrapper] with stackTest

RESOLVED FIXED in Firefox 64

Status


defect
--
critical
RESOLVED FIXED
9 months ago
8 months ago

People

(Reporter: decoder, Assigned: jandem)

Tracking

(Blocks 2 bugs, {crash, jsbugmon, testcase})

Trunk
mozilla65
x86_64
Linux
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox63 unaffected, firefox64 fixed, firefox65 fixed)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(4 attachments)

Reporter

Description

9 months ago
The following testcase crashes on mozilla-central revision f903cbfa3c01 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

stackTest(function() {
  eval(`var g = newGlobal();
    recomputeWrappers(this, g);
  `);
});


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555555cc11a5 in js::RemapWrapper (cx=<optimized out>, cx@entry=0x7ffff5f16000, wobjArg=<optimized out>, wobjArg@entry=0x7ffff4d98340, newTargetArg=<optimized out>) at js/src/proxy/CrossCompartmentWrapper.cpp:663
#0  0x0000555555cc11a5 in js::RemapWrapper (cx=<optimized out>, cx@entry=0x7ffff5f16000, wobjArg=<optimized out>, wobjArg@entry=0x7ffff4d98340, newTargetArg=<optimized out>) at js/src/proxy/CrossCompartmentWrapper.cpp:663
#1  0x0000555555cc35f5 in js::RecomputeWrappers (cx=0x7ffff5f16000, sourceFilter=..., targetFilter=...) at js/src/proxy/CrossCompartmentWrapper.cpp:746
#2  0x000055555566225f in RecomputeWrappers (cx=0x7ffff5f16000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:6172
#3  0x00005555557e9bb5 in CallJSNative (cx=0x7ffff5f16000, native=0x555555662180 <RecomputeWrappers(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:461
[...]
#34 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10975
rip	0x555555cc11a5 <js::RemapWrapper(JSContext*, JSObject*, JSObject*)+1685>
=> 0x555555cc11a5 <js::RemapWrapper(JSContext*, JSObject*, JSObject*)+1685>:	movl   $0x0,0x0
   0x555555cc11b0 <js::RemapWrapper(JSContext*, JSObject*, JSObject*)+1696>:	ud2

Updated

9 months ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

9 months ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/343c194c1a08
user:        Jan de Mooij
date:        Wed Sep 19 11:42:45 2018 +0200
summary:     Bug 1492406 - Add a recomputeWrappers function to the JS shell for js::RecomputeWrappers. r=jonco

This iteration took 287.473 seconds to run.
Assignee

Comment 2

9 months ago
Ugh, this is just a MOZ_CRASH that needs to be made more fuzzing-friendly now that this code is reachable in the shell.
Flags: needinfo?(jdemooij)
Assignee

Updated

8 months ago
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Assignee

Comment 6

8 months ago
Bah, there's some code in the tree or a (GTK?) header that #defines None, because I can't use that in an enum class in js/public/Utility.h. Renaming None to Nothing fixes it...

Comment 7

8 months ago
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/271d76b2997b
part 1 - Change JSObject::swap return type from bool to void (it always returned true). r=jonco
https://hg.mozilla.org/integration/autoland/rev/9697472e6ab7
part 2 - Unify OOM testing state variables for different kinds to make AutoEnterOOMUnsafeRegion work for stack checks. r=jonco
https://hg.mozilla.org/integration/autoland/rev/72ce1b22eee8
part 3 - Use AutoEnterOOMUnsafeRegion in js::RemapWrapper. r=jonco
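The three parts above describe the fix, but not how the shell's simulated-failure machinery interacts with an "unsafe region". The following simplified model is added here and is not SpiderMonkey's code; the names SimulatedFailure, AutoEnterUnsafeRegion and runFailureTest are assumptions. It shows why a single counter shared by all failure kinds (part 2) is what lets the RAII region (part 3) also cover the stack check inside js::RemapWrapper, so stackTest no longer drives the function into its unrecoverable path.

```cpp
#include <cstdint>

// Which kind the current fuzzing test injects; "Nothing" rather than "None" (see comment 6).
enum class FailureKind { Nothing, OOM, StackCheck };

struct SimulatedFailure {
    FailureKind kind = FailureKind::Nothing;
    uint64_t counter = 0;   // failure points passed so far in this iteration
    uint64_t target = 0;    // inject the failure at the target-th point
    bool inUnsafeRegion = false;

    // Called at every allocation or stack check; true means "report failure".
    // One counter for all kinds lets the region below cover stack checks too (part 2).
    bool shouldFail(FailureKind k) {
        if (kind != k || inUnsafeRegion) return false;
        return ++counter == target;
    }
};

// RAII guard: no failure is injected while it is alive, mirroring how part 3
// applies AutoEnterOOMUnsafeRegion inside js::RemapWrapper.
struct AutoEnterUnsafeRegion {
    SimulatedFailure& sim;
    bool prev;
    explicit AutoEnterUnsafeRegion(SimulatedFailure& s)
        : sim(s), prev(s.inUnsafeRegion) { s.inUnsafeRegion = true; }
    ~AutoEnterUnsafeRegion() { sim.inUnsafeRegion = prev; }
};

// Models js::RemapWrapper. Returning false stands in for MOZ_CRASH: a half-done
// wrapper remap cannot be rolled back, so the real code aborts instead.
bool remapWrapperBefore(SimulatedFailure& sim) {
    if (sim.shouldFail(FailureKind::StackCheck)) return false;  // fuzzer sees a crash
    return true;
}
bool remapWrapperAfter(SimulatedFailure& sim) {
    AutoEnterUnsafeRegion guard(sim);                           // injection suppressed
    if (sim.shouldFail(FailureKind::StackCheck)) return false;  // no longer reachable
    return true;
}

// Like stackTest/oomTest: run the body once per failure point, count crash-path hits.
int runFailureTest(FailureKind kind, bool (*body)(SimulatedFailure&), int maxPoints) {
    int crashes = 0;
    for (int target = 1; target <= maxPoints; ++target) {
        SimulatedFailure sim;
        sim.kind = kind;
        sim.target = static_cast<uint64_t>(target);
        if (!body(sim)) ++crashes;
    }
    return crashes;
}
```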
Assignee

Updated

8 months ago
Blocks: 1501200

Comment 8

8 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/271d76b2997b
https://hg.mozilla.org/mozilla-central/rev/9697472e6ab7
https://hg.mozilla.org/mozilla-central/rev/72ce1b22eee8
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65

It would be nice to land this on mozilla-beta as well to reduce fuzzing noise for the recomputeWrappers function.
Flags: needinfo?(jdemooij)
Assignee

Comment 10

8 months ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #9)
> It would be nice to land this on mozilla-beta as well to reduce fuzzing
> noise for the recomputeWrappers function.

Are we actually fuzzing beta?

Part 2 here is pretty big so if this is really an issue I'd prefer just marking the recomputeWrappers shell function as fuzzing-unsafe on beta instead of uplifting this.

Marking it fuzzing-unsafe on beta works for me.

And yes, I'm fuzzing beta occasionally too. Thanks!
Assignee

Comment 12

8 months ago
Flags: needinfo?(jdemooij)
Attachment #9020797 - Flags: review?(jcoppeard)
Comment on attachment 9020797 [details] [diff] [review]
Mark the recomputeWrappers shell function as fuzzing-unsafe on beta

Review of attachment 9020797 [details] [diff] [review]:
-----------------------------------------------------------------

WFM.
Attachment #9020797 - Flags: review?(jcoppeard) → review+