Closed Bug 1654186 Opened 4 years ago Closed 4 years ago

Crash [@ js::gc::GCRuntime::decommitFreeArenasWithoutUnlocking] with OOM

Categories

(Core :: JavaScript: GC, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla80
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox78 --- unaffected
firefox79 --- unaffected
firefox80 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect,confirmed])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20200720-015515bcba1f (debug build, run with --fuzzing-safe --ion-offthread-compile=off --more-compartments):

gczeal(14, 5);
var g = newGlobal();
g.eval("(" + function() {
    oomAfterAllocations(100);
} + ")()");
f.x("");

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555562241c3 in js::gc::GCRuntime::decommitFreeArenasWithoutUnlocking(js::AutoLockGC const&) ()
#1  0x0000555556223d1f in js::gc::GCRuntime::decommitFreeArenas(bool const&, js::AutoLockGC&) ()
#2  0x000055555622391a in js::gc::BackgroundDecommitTask::run() ()
#3  0x00005555562544ec in js::GCParallelTask::runTask() ()
#4  0x000055555620005c in js::GCParallelTask::joinWithLockHeld(js::AutoLockHelperThreadState&) ()
#5  0x0000555556213280 in js::GCParallelTask::join() ()
#6  0x0000555556244388 in js::gc::GCRuntime::waitForBackgroundTask(js::GCParallelTask&, js::SliceBudget&) ()
#7  0x0000555556243b62 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason, js::gc::AutoGCSession&) ()
#8  0x00005555562466f5 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#9  0x0000555556248370 in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) ()
#10 0x000055555624e04e in js::gc::GCRuntime::runDebugGC() ()
#11 0x00005555561faa43 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) ()
#12 0x00005555561fcb19 in JSString* js::AllocateStringImpl<JSString, (js::AllowGC)1>(JSContext*, js::gc::InitialHeap) ()
#13 0x0000555555daab14 in js::NewInlineString<(js::AllowGC)1, unsigned char> ()
#14 0x0000555555dac79b in JSLinearString* js::NewStringCopyNDontDeflate<(js::AllowGC)1, unsigned char>(JSContext*, unsigned char const*, unsigned long, js::gc::InitialHeap) ()
#15 0x0000555555dad207 in JSLinearString* js::NewStringCopyUTF8N<(js::AllowGC)1>(JSContext*, JS::UTF8Chars, js::gc::InitialHeap) ()
#16 0x0000555555a4fd68 in JS_NewStringCopyUTF8Z(JSContext*, JS::ConstUTF8CharsZ) ()
#17 0x0000555555a5e084 in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) ()
#18 0x0000555555b619df in js::ReportErrorNumberVA(JSContext*, js::IsWarning, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) ()
#19 0x0000555555a312ef in JS_ReportErrorNumberUTF8(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...) ()
#20 0x0000555555c2c5d5 in js::ReportIsNotDefined(JSContext*, JS::Handle<js::PropertyName*>) ()
#21 0x000055555592ff74 in bool js::FetchName<(js::GetNameMode)0>(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, JS::Handle<JS::PropertyResult>, JS::MutableHandle<JS::Value>) ()
#22 0x00005555559633f5 in bool js::GetEnvironmentName<(js::GetNameMode)0>(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) ()
#23 0x000055555593c7ba in Interpret(JSContext*, js::RunState&) ()
[...]
#32 0x00005555557bbcea in main ()
rax	0x0	0
rbx	0x2d	45
rcx	0x2d	45
rdx	0x1	1
rsi	0x7fffffffb030	140737488334896
rdi	0x7ffff602ae28	140737320758824
rbp	0x7fffffffaf80	140737488334720
rsp	0x7fffffffaf50	140737488334672
r8	0x7ffff602ae28	140737320758824
r9	0x4000001	67108865
r10	0x1	1
r11	0x246	582
r12	0x2cac55400000	49118676254720
r13	0x2000	8192
r14	0x1	1
r15	0x2cac5542d000	49118676439040
rip	0x5555562241c3 <js::gc::GCRuntime::decommitFreeArenasWithoutUnlocking(js::AutoLockGC const&)+179>
=> 0x5555562241c3 <_ZN2js2gc9GCRuntime34decommitFreeArenasWithoutUnlockingERKNS_10AutoLockGCE+179>:	movzbl 0x18(%r15),%eax
   0x5555562241c8 <_ZN2js2gc9GCRuntime34decommitFreeArenasWithoutUnlockingERKNS_10AutoLockGCE+184>:	cmp    $0x22,%al

This is a crash I have been seeing for a while but so far, I was never able to reproduce it reliably until I found the test above. Marking as s-s because the crash looks bad. It might be hard to reproduce without the helpers, as it requires an OOM and GC at the right time apparently, but certainly not impossible.

Attached file Testcase
Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect,confirmed]
Bugmon Analysis:
Unable to reproduce bug using the following builds:
> mozilla-central 20200721032334-f0ed5585b6ad
> mozilla-central 20200720031207-015515bcba1f
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Assignee: nobody → jcoppeard
Severity: -- → S4
Priority: -- → P1
Regressed by: 1652019
Has Regression Range: --- → yes

Compacting temporarily mprotects released arenas in debug builds to catch problems. This interferes with Chunk::decommitFreeArenasWithoutUnlocking which checks for free arenas by looking at every arena in the chunk. This is different to Chunk::decommitOneFreeArena which uses the list of free arenas.
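To illustrate the mismatch described in the comment above, here is an added toy model (my own code, not SpiderMonkey's; the chunk layout, header byte and function names are invented): page-sized arenas are poisoned with PROT_NONE when released, a free-list style count never touches arena memory, a scan-every-header pass faults on the poisoned pages, and the same scan succeeds once the arenas are unprotected first, which is what the fix arranges.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>
#define NUM_ARENAS 4
#define KIND_EMPTY 0xFF  /* constructed header byte: "arena holds no allocations" */
typedef struct {
    uint8_t *base;       /* NUM_ARENAS contiguous page-sized arenas */
    size_t arena_size;
    int free_count;      /* free-arena bookkeeping held outside the arenas */
} Chunk;
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }
/* Arenas 1 and 3 are empty; compacting "releases" them and, as the debug build
 * does, poisons their pages with PROT_NONE. Arenas 0 and 2 stay in use (header 0). */
static int chunk_setup(Chunk *c) {
    *c = (Chunk){0};
    c->arena_size = (size_t)sysconf(_SC_PAGESIZE);
    c->base = mmap(NULL, NUM_ARENAS * c->arena_size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (c->base == MAP_FAILED) return -1;
    for (int i = 1; i < NUM_ARENAS; i += 2) {
        c->base[i * c->arena_size] = KIND_EMPTY;
        c->free_count++;
        mprotect(c->base + i * c->arena_size, c->arena_size, PROT_NONE);
    }
    return 0;
}
/* Like decommitOneFreeArena: trusts the chunk's bookkeeping, never reads arena memory. */
static int count_free_via_list(const Chunk *c) { return c->free_count; }
/* Like decommitFreeArenasWithoutUnlocking: reads every arena header. Returns the
 * number of empty arenas, or -1 if the scan faulted on a protected page. */
static int count_free_by_scanning(const Chunk *c) {
    struct sigaction sa = {0}, old; sa.sa_handler = on_segv;
    sigaction(SIGSEGV, &sa, &old);            /* catch the fault instead of dying */
    volatile int found = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        for (int i = 0; i < NUM_ARENAS; i++)
            if (c->base[i * c->arena_size] == KIND_EMPTY) found++;
    } else found = -1;
    sigaction(SIGSEGV, &old, NULL);
    return found;
}
/* What the fix arranges before scanning: release the poisoned arenas first. */
static void unprotect_released_arenas(Chunk *c) {
    mprotect(c->base, NUM_ARENAS * c->arena_size, PROT_READ | PROT_WRITE);
}
```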

Set release status flags based on info from the regressing bug 1652019

This only affects debug builds so it's not security sensitive.

Group: javascript-core-security
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1937b90d16a4
Call onOutOfMallocMemory() on OOM in GCRuntime::decommitFreeArenas so that we release protected free arenas before trying to decommit them r=sfink
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
