Closed Bug 1596117 Opened 6 years ago Closed 6 years ago

Crash in [@ <name omitted> | XDRLazyClosedOverBindings<T>]

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

RESOLVED FIXED
mozilla72
Tracking Status
firefox-esr68 --- unaffected
firefox70 --- unaffected
firefox71 --- unaffected
firefox72 --- fixed

People

(Reporter: marcia, Assigned: iain)

Details

(Keywords: crash, regression)

Attachments

(1 file)

This bug is for crash report bp-1cdc7564-569f-43ec-beec-bbbf80191111.

Small volume macOS crash which started in 20191110095330: https://bit.ly/2rz1M2v. Some code appears to have been touched in Bug 1587638. ni on :iain for any clues.

Possible regression range based on build id: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=caf55914ccddba34d462a1206530d7868b6c4992&tochange=72c52c0101cfd102b207224646c3007d6872e65c

Top 10 frames of crashing thread:

0 XUL <name omitted> js/src/vm/JSAtom.cpp:1262
1 XUL mozilla::Result<mozilla::Ok, JS::TranscodeResult> XDRLazyClosedOverBindings< js/src/vm/JSScript.cpp:257
2 XUL mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRLazyScript< js/src/vm/JSScript.cpp:1309
3 XUL mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRInterpretedFunction< js/src/vm/JSFunction.cpp:627
4 XUL mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRLazyScript< js/src/vm/JSScript.cpp:1319
5 XUL mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRInterpretedFunction< js/src/vm/JSFunction.cpp:627
6 XUL mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRScript< js/src/vm/JSScript.cpp:1184
7 XUL mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRInterpretedFunction< js/src/vm/JSFunction.cpp:629
8 XUL mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRScript< js/src/vm/JSScript.cpp:1184
9 XUL mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRInterpretedFunction< js/src/vm/JSFunction.cpp:629

Flags: needinfo?(iireland)

The line of code where this is crashing was added in bug 1587638, so this definitely seems related to that patch.

There are five crashes: three on 20191111215252 which all share one install time, and two on 20191110095330 which share another. Based on differing hardware, it doesn't look like all five crashes came from the same person.

We crash while trying to retrieve an atom from the atom table during XDR decoding. This implies that either the index is wrong or the atom table pointer itself is bad. It's easiest to validate the index, so let's try doing that first and see if anybody else runs into the problem.

Assignee: nobody → iireland
Flags: needinfo?(iireland)
Keywords: leave-open

Before we read an atom from the atom table, verify that the index is valid.

Instead of checking for null atoms when we read them out of the atom table, check when the atom table is created.
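
The two checks described above (index validation before the table lookup, null-entry rejection when the table is created), as an added example that is not the landed patch or SpiderMonkey code. The byte format, the `Reader`, `Status` and `decode*` names are all hypothetical, and a zero-length atom record is assumed to stand in for a null atom.

```cpp
#include <cstdint>
#include <string>
#include <vector>
// Constructed toy format, not SpiderMonkey's XDR encoding:
//   [atomCount] { [len] [bytes] }*  [bindingCount] { [atomIndex] }*
// A zero-length atom record stands in for a null atom table entry.
using Atoms = std::vector<std::string>;
enum class Status { Ok, Truncated, NullAtom, BadAtomIndex };
struct Reader {
    const uint8_t *cur, *end;
    bool byte(uint8_t* out) {
        if (cur == end) return false;
        *out = *cur++;
        return true;
    }
};

// Reject null entries once, while the table is built.
Status decodeAtomTable(Reader& r, Atoms& table) {
    uint8_t count = 0, len = 0;
    if (!r.byte(&count)) return Status::Truncated;
    for (uint8_t i = 0; i < count; i++) {
        if (!r.byte(&len)) return Status::Truncated;
        if (len == 0) return Status::NullAtom;
        if (r.end - r.cur < len) return Status::Truncated;
        table.emplace_back(reinterpret_cast<const char*>(r.cur), len);
        r.cur += len;
    }
    return Status::Ok;
}

// Validate every index against the table length before using it.
Status decodeBindings(Reader& r, const Atoms& table, Atoms& out) {
    uint8_t count = 0, index = 0;
    if (!r.byte(&count)) return Status::Truncated;
    for (uint8_t i = 0; i < count; i++) {
        if (!r.byte(&index)) return Status::Truncated;
        if (index >= table.size()) return Status::BadAtomIndex;  // fail early
        out.push_back(table[index]);
    }
    return Status::Ok;
}

Status decode(const std::vector<uint8_t>& buf, Atoms& out) {
    Reader r{buf.data(), buf.data() + buf.size()};
    Atoms table;
    Status s = decodeAtomTable(r, table);
    return s == Status::Ok ? decodeBindings(r, table, out) : s;
}
```

With the null check done at table creation, the per-lookup path only needs the bounds comparison, and a corrupt buffer produces a decode failure instead of a bad read.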

Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f6825602e27a Fail early on bad atom table indices in XDR decoding r=tcampbell
Priority: -- → P1
Crash Signature: [@ <name omitted> | XDRLazyClosedOverBindings<T>] → [@ <name omitted> | XDRLazyClosedOverBindings<T>] [@ XDRLazyClosedOverBindings<T> ]
OS: macOS → All
Hardware: Unspecified → All

The patch seems to have worked, judging by last week's nightly crash data.

Status: NEW → RESOLVED
Closed: 6 years ago
Keywords: leave-open
Resolution: --- → FIXED
Target Milestone: --- → mozilla72