1511415 - Crash in js::jit::ICScript::purgeOptimizedStubs

Status: RESOLVED INCOMPLETE

(Core :: JavaScript Engine: JIT, defect, P3)

Description

[Calixte Denizet (:calixte)]

This bug was filed from the Socorro interface and is
report bp-b96b3b0d-8bd4-4313-bec9-920e50181130.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll js::jit::ICScript::purgeOptimizedStubs js/src/jit/BaselineJIT.cpp:1090
1 xul.dll JS::Zone::discardJitCode js/src/gc/Zone.cpp:277
2 xul.dll js::gc::ArenaLists::relocateArenas js/src/gc/GC.cpp:2568
3 xul.dll js::gc::GCRuntime::compactPhase js/src/gc/GC.cpp:7087
4 xul.dll js::gc::GCRuntime::incrementalSlice js/src/gc/GC.cpp:7610
5 xul.dll js::gc::GCRuntime::gcCycle js/src/gc/GC.cpp:7914
6 xul.dll js::gc::GCRuntime::collect js/src/gc/GC.cpp:8095
7 xul.dll JS::IncrementalGCSlice js/src/gc/GC.cpp:9091
8 xul.dll nsJSContext::GarbageCollectNow dom/base/nsJSEnvironment.cpp:1212
9 xul.dll static bool InterSliceGCRunnerFired dom/base/nsJSEnvironment.cpp:1853

=============================================================

There is 1 crash in nightly 65 with buildid 20181129214405. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1499644.

[1] https://hg.mozilla.org/mozilla-central/rev?node=6453222232be

Comment 1

[Jan de Mooij [:jandem]]

Just one crash, doesn't look actionable, and I did fix an issue in this area.

Comment 2

[Nicolas B. Pierron [:nbp]]

low volume & not-actionable (comment 1) -> P3

Comment 3

[Randell Jesup [:jesup] (needinfo me)]

Mix of wildptr and at least one clear UAF address

Probably should be re-triaged

Comment 4

[Steven DeTar [:sdetar]]

nbp: This bug should be re-triaged as per jesup's comment

Comment 5

[Liz Henry (:lizzard) (privacy/fingerprinting team)]

We could still take a fix here for 66, is this still considered P3?

Comment 6

[Nicolas B. Pierron [:nbp]]

(In reply to Liz Henry (:lizzard) (use needinfo) from comment #5)

We could still take a fix here for 66, is this still considered P3?

Nothing changed from comment 2. Yes.

Comment 7

[Ted Campbell [:tcampbell]]

Jan, this seems to have been growing in FF65. Did we mess with IC handling in that version? I'm trying to remember.

Comment 8

[Jan de Mooij [:jandem]]

(In reply to Ted Campbell [:tcampbell] from comment #7)

Jan, this seems to have been growing in FF65. Did we mess with IC handling in that version? I'm trying to remember.

We moved ICs from BaselineScript to ICScript in FF65, bug 1499644, so the signature is definitely new.

Looking at the crashes it seems to be memory corruption in the ICStub LifoAlloc. The fallback stubs in the ICScript's LifoAlloc are never freed before the ICScript itself is destroyed. The optimized stubs in the Zone-wide LifoAlloc are, but I can't think of any issues there. We've seen ICStub-related crashes for a long time, might be similar to the TI LifoAlloc ones. I'll think about it more.

Comment 9

[Pascal Chevrel:pascalc]

Unassigned P3, low volume of crashes, so fix-optional for our upcoming release.

Comment 10

[David Lawrence [:dkl]]

Removing employee no longer with company from CC list of private bugs.

Comment 11

[BugBot (nomail) [:suhaib / :marco/ :calixte]]

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.