Crash in [@ (anonymous namespace)::BytecodeParser::parse]
Categories: Core :: JavaScript Engine, defect, P3
Tracking:

| | Tracking | Status |
|---|---|---|
| firefox-esr78 | --- | affected |

People: Reporter: aryx, Unassigned, NeedInfo
References: Blocks 1 open bug
Details: Keywords: crash, leave-open
Attachments: 1 file
Crash report: https://crash-stats.mozilla.org/report/index/43f6df47-e514-4493-85a4-775770201011
Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Top 2 frames of crashing thread:
0 XUL js/src/vm/BytecodeUtil.cpp:869
1 XUL js::DecompileValueGenerator js/src/vm/BytecodeUtil.cpp:2432
Comment 1•4 years ago (Reporter)
From bug 1665664 comment 7:
(In reply to Simon Bennetts from comment #7)
Looks like this isn't happening in my other profiles, so that one could have become corrupted?
I'll keep it for now in case you need more details but it looks like I can use a new one to get around this problem...
Comment 2•4 years ago
Crash-stats reports are highly strange, I would not have expected a bug which is mostly on Mac.
Additional point, while looking like a recent issue on crash-stats, it crashes on all channels, and only a few build-ids are reported.
This definitely sounds like it could be a compiler issue …
Comment 3•4 years ago
Here's a report on Linux (there are a few, but it's really rare, and maybe a different problem):
https://crash-stats.mozilla.org/report/index/41ce5324-239d-457c-9933-af5470201021
Updated•4 years ago
Crash-stats reports are highly strange, I would not have expected a bug which is mostly on Mac.
This was an inadvertent filtering due to signature differences. Mac spells (anonymous namespace) with parens. Windows spells it with a backtick.
Comment 5•4 years ago
Ok, back to JS world then.
Thanks for noticing this symbol issue.
In case it helps, in the Windows minidumps I see values of stackDepth like -1 and -2 at https://searchfox.org/mozilla-central/rev/25d5a4443a7e13cfa58eff38f1faa5e69f0b170f/js/src/vm/BytecodeUtil.cpp#611.
Comment 7•4 years ago
That's super helpful, dmajor. Thank you.
DecompileValueGenerator is not terribly hot code, so we can add a release assertion to crash before segfaulting, and perhaps get more information.
Comment 8•4 years ago
dmajor observed that in some crash reports for this bug, stackDepth has negative values. It seems unlikely we have a simple, deterministic bug computing the stack depth; the fuzzers tend to find that sort of thing very quickly. However, it is easy enough to strengthen these assertions, as the code is very cold, to reduce security risk. And perhaps we will learn something.
Comment 9•3 years ago
There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:jorendorff, could you have a look please?
For more information, please visit auto_nag documentation.
Updated•3 years ago
Comment 10•3 years ago
Pushed by jorendorff@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8cde5fbfa29f Strengthen assertions around stackDepth. r=nbp
Comment 11•3 years ago
bugherder
Updated•3 years ago
Comment 12•3 years ago
We should double check the logic of the Bytecode Parser, to ensure that this is correct.
Updated•3 years ago
Comment 13•3 years ago
Next step would be to add a debug-only phase which verifies that this property of simulating each opcode works as soon as the bytecode is generated.
- If this fails, this would be reporting a bug which states that the BytecodeParser::parse function is not capable of simulating every opcode.
- If this does not fail, this would report that our bytecode gets mutated in the meantime, which is not supposed to ever happen. In which case we might consider mprotect-ing Stencil and immutable data to do a page fault on write.
Based on the number of crashes per day, this bug remains a low priority at the moment.
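As an added example (not SpiderMonkey code; the opcode set, OpInfo table and RELEASE_CHECK macro are hypothetical, only the stackDepth idea comes from this bug), here is a toy C++ stack-depth simulator showing the two ideas from comments 8 and 13: a verification pass that rejects bytecode whose simulated depth would go negative, and release-mode checks in the cold consumer so a bad depth becomes a controlled crash instead of a negative array index.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <optional>
#include <vector>

// Toy opcode set (hypothetical, not SpiderMonkey's). nuse/ndefs is how a
// stack-depth parser describes each op: values consumed and produced.
enum Op : uint8_t { OP_PUSH = 0, OP_POP = 1, OP_ADD = 2, OP_DUP = 3, OP_RET = 4 };
struct OpInfo { uint8_t nuse; uint8_t ndefs; };
static const OpInfo kOpInfo[] = {
    /* OP_PUSH */ {0, 1}, /* OP_POP */ {1, 0}, /* OP_ADD */ {2, 1},
    /* OP_DUP  */ {1, 2}, /* OP_RET */ {1, 0},
};
static const size_t kNumOps = sizeof(kOpInfo) / sizeof(kOpInfo[0]);

// Release-mode check (stand-in for a release assertion): fail loudly with the
// condition in the report instead of letting a bad depth become a wild read.
#define RELEASE_CHECK(cond) \
  do { if (!(cond)) { std::fprintf(stderr, "check failed: %s\n", #cond); std::abort(); } } while (0)

// Simulate the operand stack depth across the whole program, as a verification
// pass run right after bytecode generation would. Returns the depth before each
// op plus the final depth, or nullopt if any op is unknown or would underflow.
std::optional<std::vector<int>> simulateDepths(const std::vector<uint8_t>& code) {
  std::vector<int> depthAt;
  int stackDepth = 0;
  for (uint8_t op : code) {
    if (op >= kNumOps) return std::nullopt;  // unknown opcode: cannot simulate
    depthAt.push_back(stackDepth);
    const OpInfo& info = kOpInfo[op];
    if (stackDepth < info.nuse) return std::nullopt;  // would go negative: reject
    stackDepth = stackDepth - info.nuse + info.ndefs;
  }
  depthAt.push_back(stackDepth);
  return depthAt;
}

// Cold consumer of the simulated depths: resolve "slot N from the top" at pc
// into an absolute stack index, with every assumption checked before use.
int operandSlot(const std::vector<int>& depthAt, size_t pc, int slotFromTop) {
  RELEASE_CHECK(pc < depthAt.size());
  int stackDepth = depthAt[pc];
  RELEASE_CHECK(stackDepth >= 0);
  RELEASE_CHECK(slotFromTop >= 0 && slotFromTop < stackDepth);
  return stackDepth - 1 - slotFromTop;
}
```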
Comment 14•2 years ago
The leave-open keyword is there and there has been no activity for 6 months.
:sdetar, maybe it's time to close this bug?
For more information, please visit auto_nag documentation.
Updated•2 years ago