Closed Bug 1672760 Opened 11 months ago Closed 11 months ago

Crash in [@ js::GlobalHelperThreadState::finishParseTaskCommon]

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 7
defect

Tracking

()

RESOLVED FIXED
84 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox81 --- unaffected
firefox82 --- unaffected
firefox83 --- unaffected
firefox84 + fixed

People

(Reporter: aryx, Assigned: jonco)

References

(Regression)

Details

(4 keywords, Whiteboard: [sec-survey][post-critsmash-triage])

Crash Data

Attachments

(1 file)

Failure observed on several machines, first build it has been reported for is Nightly 84.0a1 20201021213007

Pushlog between previous build and that one: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d8861d51b01e9489672f998648d67662a60a8b3a&tochange=7d6d66062e843a75b7aafb4ec0ae2dff355755e7

Crash report: https://crash-stats.mozilla.org/report/index/63e6e42c-4666-4c82-b306-678d10201022

Reason: EXCEPTION_ACCESS_VIOLATION_WRITE

Top 10 frames of crashing thread:

0 xul.dll js::GlobalHelperThreadState::finishParseTaskCommon js/src/vm/HelperThreads.cpp:1918
1 xul.dll js::GlobalHelperThreadState::finishSingleParseTask js/src/vm/HelperThreads.cpp:2039
2 xul.dll nsJSUtils::ExecutionContext::JoinDecode dom/base/nsJSUtils.cpp:299
3 xul.dll mozilla::dom::ScriptLoader::EvaluateScript dom/script/ScriptLoader.cpp:2937
4 xul.dll mozilla::dom::ScriptLoader::ProcessRequest dom/script/ScriptLoader.cpp:2535
5 xul.dll mozilla::dom::`anonymous namespace'::NotifyOffThreadScriptLoadCompletedRunnable::Run dom/script/ScriptLoader.cpp:2235
6 xul.dll mozilla::SchedulerGroup::Runnable::Run xpcom/threads/SchedulerGroup.cpp:146
7 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:515
8 xul.dll mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:85:7'>::Run xpcom/threads/nsThreadUtils.h:577
9 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1197

The signature itself seems to go back quite a ways -- I see ESR 68 and 78 crashes in there -- but the reported crash addresses do seem to have changed in character. Other than one 0xe5e5.... crash in 82-beta these didn't really start showing up until 84. But there was clearly something wrong here before, too.

Ted and Jon, any ideas? Bug 1672172 and bug 1657025 are in the regression range in comment 0, and look like the only parser-related patches I can see in there. Thanks.

Flags: needinfo?(tcampbell)
Flags: needinfo?(jcoppeard)
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Regressed by: 1657025
Flags: needinfo?(tcampbell)

The problem here was cancelling parse tasks without the browser's knowledge (I
didn't realise that the cancel method did anything beyond waiting).

Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(jcoppeard)
Whiteboard: [sec-survey]

(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #5)
Done.

Flags: needinfo?(jcoppeard)
Flags: qe-verify-
Whiteboard: [sec-survey] → [sec-survey][post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.