Closed Bug 1518720 Opened 5 years ago Closed 5 years ago

Crash [@ ArenaCollection::GetById]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1518495
Tracking Status
firefox66 --- fixed

People

(Reporter: gkw, Unassigned)

References

Details

(5 keywords, Whiteboard: [jsbugmon:])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 1f7a8905fa7c (build with , run with --fuzzing-safe --wasm-gc --test-wasm-await-tier2 --no-wasm-ion --ion-instruction-reordering=on --ion-extra-checks --ion-warmup-threshold=100 --ion-edgecase-analysis=off --ion-limit-script-size=off --ion-osr=off --ion-inlining=off --ion-eager --ion-offthread-compile=off --gc-zeal=2,179 --no-incremental-gc -e maxRunTime=12000 -f):

See attachment.

Backtrace:

#0 ArenaCollection::GetById (aArenaId=<optimized out>, aIsPrivate=255, this=<optimized out>) at memory/build/mozjemalloc.cpp:4316
#1 Allocator<MozJemallocBase>::moz_arena_malloc (aArenaId=<optimized out>, arg1=<optimized out>) at memory/build/malloc_decls.h:37
#2 moz_arena_malloc (arg1=1073741824, arg2=17310282101867588693) at memory/build/malloc_decls.h:115
#3 0x000056068090fc49 in js_arena_malloc (arena=<optimized out>, bytes=<optimized out>) at /home/ubuntu/shell-cache/js-64-linux-1f7a8905fa7c/objdir-js/dist/include/js/Utility.h:353
#4 JSRuntime::onOutOfMemory (this=<optimized out>, allocFunc=js::AllocFunction::Malloc, arena=1073741824, nbytes=17310282101867588693, reallocPtr=0x0, maybecx=0x7ff675016000) at js/src/vm/Runtime.cpp:711
#5 0x00005606806e1214 in js::TempAllocPolicy::onOutOfMemoryTyped<unsigned char> (this=0x7ffea959e290, allocFunc=js::AllocFunction::Malloc, reallocPtr=0x0, numElems=<optimized out>) at /home/ubuntu/shell-cache/js-64-linux-1f7a8905fa7c/objdir-js/dist/include/js/AllocPolicy.h:94
#6 js::TempAllocPolicy::pod_malloc<unsigned char> (this=<optimized out>, numElems=<optimized out>) at /home/ubuntu/shell-cache/js-64-linux-1f7a8905fa7c/objdir-js/dist/include/js/AllocPolicy.h:104
/snip

For detailed crash information, see attachment.

I don't have a good reliable testcase, but filing this first.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/752c683e631d
user: André Bargull
date: Mon Jan 07 05:47:09 2019 -0800
summary: Bug 1517823 - Part 2: Pass arena to MallocProvider client. r=sfink

Somehow I also have a potential regression window. Andre, is bug 1517823 a likely regressor?

Blocks: 1517823
Flags: needinfo?(andrebargull)
Attached file Another crash log

This time, the error shown is:

Assertion failure: result, at memory/build/mozjemalloc.cpp:4316

This looks like a dup of bug 1518495.

In bug 1517823, I messed up the parameter order of the "arena id" and the requested byte size for malloc (both are size_ts). So for example instead of allocating 1073741824 bytes and the arena with the id 17310282101867588693, we ended up requesting 17310282101867588693 bytes in the arena with the id 1073741824!

Flags: needinfo?(andrebargull)
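Worked example, added here and not taken from mozjemalloc or the bug 1517823 patch, of the slip described in the comment above: when the arena id and the requested byte count are both size_t, a caller that transposes them compiles cleanly and the two values simply arrive swapped at the allocator, exactly as frame #2 of the backtrace shows (arg1=1073741824, arg2=17310282101867588693). The second half shows one way to make the transposition a compile-time error by giving the arena id a distinct type; that is an illustration, not the fix that landed. All names in the demo namespace (arena_malloc_weak, client_weak, ArenaId, arena_malloc_strong, matches_report) are hypothetical.

```cpp
#include <cstddef>
#include <type_traits>

namespace demo {

// The two values the report shows arriving at the allocator. On x86_64, the
// platform in this bug, size_t is 64 bits wide, so both fit.
constexpr std::size_t kArenaIdFromReport = 17310282101867588693ULL;
constexpr std::size_t kBytesFromReport = 1073741824;

// What the callee observes: which arena it was asked to use, and how many
// bytes it was asked for.
struct Request {
  std::size_t arenaId;
  std::size_t bytes;
};

// "Before" (hypothetical stand-in): arena id and byte count are both size_t.
// A caller that transposes them compiles without a diagnostic; the mistake
// only shows up at run time, here as a 16 EiB request in arena 1073741824.
Request arena_malloc_weak(std::size_t aArenaId, std::size_t aBytes) {
  return Request{aArenaId, aBytes};
}

// A MallocProvider-style client written with the arguments in the wrong
// order, as the regressing changeset was. Nothing in it fails to compile.
Request client_weak(std::size_t aArenaId, std::size_t aBytes) {
  return arena_malloc_weak(aBytes, aArenaId);  // transposed
}

// "After" (one possible hardening, assumed for the example): give the arena
// id a type of its own. The constructor is explicit, so a bare size_t does
// not convert to ArenaId, and there is no conversion operator back to size_t.
struct ArenaId {
  explicit constexpr ArenaId(std::size_t aValue) : value(aValue) {}
  std::size_t value;
};

static_assert(!std::is_convertible<std::size_t, ArenaId>::value,
              "a byte count must not silently become an arena id");
static_assert(!std::is_convertible<ArenaId, std::size_t>::value,
              "an arena id must not silently become a byte count");

Request arena_malloc_strong(ArenaId aArenaId, std::size_t aBytes) {
  return Request{aArenaId.value, aBytes};
}

Request client_strong(ArenaId aArenaId, std::size_t aBytes) {
  // return arena_malloc_strong(aBytes, aArenaId);  // rejected by the compiler
  return arena_malloc_strong(aArenaId, aBytes);
}

// True when a request carries the transposed pair from the report: the arena
// id slot holds the 1 GiB byte count and the byte count slot holds the
// 64-bit arena id, which is how frame #2 of the backtrace reads.
bool matches_report(const Request& aRequest) {
  return aRequest.arenaId == kBytesFromReport &&
         aRequest.bytes == kArenaIdFromReport;
}

}  // namespace demo
```

The static_asserts are the point of the "after" half: they fail at compile time if anyone later adds an implicit conversion in either direction, so the protection does not quietly erode. A wrapper like ArenaId costs nothing at run time (it is a single size_t) and turns a class of swapped-argument bugs between same-typed parameters into build failures instead of crashes in ArenaCollection::GetById.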

Opening up and duping then, thanks!

Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE