Closed Bug 1563889 Opened 5 years ago Closed 5 years ago

Hit MOZ_CRASH(Failed to allocate profile string) at js/src/jit/JitScript.cpp:197

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- wontfix
firefox70 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 2b1bee2c7734 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-ion):

// jsfunfuzz-generated
(function exploreBuiltins() {
    function exploreDeeper(a, an) {
        try {
            h = a[hn];
        } catch (e) {}
    }
    function exploreConstructors() {
        var gns = Object.getOwnPropertyNames(this);
        for (var i = 0; i < gns.length; ++i) {
            var gn = gns[i];
            var g = this[gn];
            if (typeof g === "function" && g.toString().indexOf("]") !== -1) {
                exploreDeeper(g.prototype, `${gn}.prototype`);
            }
        }
    }
    exploreConstructors();
})();
function makeAsmJSFunction(d, b) {
    handlerFactoryText += ")";
}
var recursiveFunctions = [{
        text: "function g(){}",
    },
    {
        text: "function g(){@}",
    }
];
for (var i = 0; i < 2; ++i) {
    var a = recursiveFunctions[i];
    var text = a.text;
    eval(text.replace(/@/g, "")); /* eslint-disable-line no-eval */
}
makeBuilderStatement = function(d, b) {};
var asmvals = [
    1, Math.PI, 42,
];
var pureForeign = {}
var confusableVals = [];
// Adapted from randomly chosen test: js/src/jit-test/tests/parser/bug-1263355-44.js
oomTest(async function() {
    enableGeckoProfiling();
})

Backtrace:

#0  js::jit::JitScript::ensureProfileString (this=0x7fd602939000, cx=<optimized out>, script=<optimized out>) at js/src/jit/JitScript.cpp:197
#1  0x000055d4c8a30225 in js::jit::ToggleBaselineProfiling (cx=<optimized out>, enable=<optimized out>) at js/src/jit/BaselineJIT.cpp:1065
#2  0x000055d4c81a6797 in js::GeckoProfilerRuntime::enable (this=<optimized out>, enabled=true) at js/src/vm/GeckoProfiler.cpp:119
#3  0x000055d4c7ec0e03 in EnableGeckoProfiling (cx=0x7fd603117000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:6627
#4  0x000055d4c7f6aff5 in CallJSNative (cx=0x7fd603117000, native=0x55d4c7ec0d30 <EnableGeckoProfiling(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:448
#5  0x000055d4c7f5ae9f in js::InternalCallOrConstruct (cx=<optimized out>, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:540
/snip

For detailed crash information, see attachment.

Setting s-s as a start as it is a JIT bug. However, it involves profiling via enableGeckoProfiling, so I'm now in not-sure territory.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ce56e2779818
user: Jan de Mooij
date: Fri Jun 21 16:13:48 2019 +0000
summary: Bug 1551499 - Support Baseline Interpreter code in the profiler. r=djvj

Jan, is bug 1551499 a likely regressor?

Flags: needinfo?(jdemooij)
Regressed by: 1551499

That MOZ_CRASH should be an AutoEnterOOMUnsafeRegion. I should have seen that.

Assignee: nobody → jdemooij
Group: javascript-core-security
Severity: critical → normal
Status: NEW → ASSIGNED
Type: -- → defect
Priority: -- → P1
Flags: needinfo?(jdemooij)
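An added example, not the patch and not SpiderMonkey code, modelling the point made in the comment above: an oomTest-style driver that fails the Nth allocation of each run, the bare MOZ_CRASH path the testcase hit, and a stand-in for AutoEnterOOMUnsafeRegion that declares the abort deliberate. All class and function names below are assumptions of the model; `oomTest` here is a local sweep, not the shell builtin.

```cpp
#include <cstddef>
#include <memory>
#include <string>
enum class Outcome { Ok, CrashUnmarked, CrashMarked };
// Stands in for the process abort; `marked` records whether the crash went through
// the OOM-unsafe region (deliberate) or a bare MOZ_CRASH (unhandled OOM path).
struct FatalOom { bool marked; };
// Fails the Nth allocation of a run, in the spirit of the shell's oomTest().
struct OomInjector {
  size_t failAt = 0;  // 0 = never fail
  size_t seen = 0;    // allocations attempted so far
  bool fail() { return failAt != 0 && ++seen == failAt; }
};
// Model of AutoEnterOOMUnsafeRegion (assumed shape, not the real class): while it
// is alive, an OOM crash is declared intentional and carries a reason string.
class OomUnsafeRegion {
 public:
  [[noreturn]] void crash(const char* /*reason*/) { throw FatalOom{true}; }
};
[[noreturn]] static void mozCrash(const char* /*reason*/) { throw FatalOom{false}; }
static std::unique_ptr<std::string> tryNewString(OomInjector& oom, const char* s) {
  if (oom.fail()) return nullptr;  // simulated allocation failure
  return std::make_unique<std::string>(s);
}
// Before the fix: a bare MOZ_CRASH on allocation failure, which the sweep reports.
static void ensureProfileStringBefore(OomInjector& oom) {
  auto str = tryNewString(oom, "script.js:1");
  if (!str) mozCrash("Failed to allocate profile string");
}
// After the fix: the same fatal result, but declared through the unsafe region.
static void ensureProfileStringAfter(OomInjector& oom) {
  OomUnsafeRegion oomUnsafe;
  auto str = tryNewString(oom, "script.js:1");
  if (!str) oomUnsafe.crash("Failed to allocate profile string");
}
// oomTest-style sweep: fail allocation 1, 2, ... until a run completes with no
// injected failure. An unmarked crash is a bug; a marked one is the declared path.
template <typename Fn> static Outcome oomTest(Fn fn) {
  bool sawMarked = false;
  for (size_t n = 1;; ++n) {
    OomInjector oom{n};
    try { fn(oom); } catch (const FatalOom& f) {
      if (!f.marked) return Outcome::CrashUnmarked;
      sawMarked = true; continue;
    }
    if (oom.seen < n) break;  // no allocation was failed in this run
  }
  return sawMarked ? Outcome::CrashMarked : Outcome::Ok;
}
```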

Jan - this looks ready to land; is anything blocking it? Will you be requesting uplift to 69?

Flags: needinfo?(jdemooij)

(In reply to Randell Jesup [:jesup] (needinfo me) from comment #5)
> Jan - this looks ready to land; is anything blocking it? Will you be requesting uplift to 69?

Thanks for the ping. I'll land this today and request uplift.

Flags: needinfo?(jdemooij)

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e0fb78ca5c55
Use AutoEnterOOMUnsafeRegion in JitScript::ensureProfileString. r=djvj
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Actually since the browser behavior is exactly the same with or without the patch (a crash when OOM when enabling the profiler) I think this can just ride the trains.
