Closed
Bug 1688190
Opened 3 years ago
Closed 3 years ago
AddressSanitizer: SEGV or Assertion failure: !warmUpData_.isEnclosingScript() (Enclosing scope is not computed yet), at vm/JSScript.cpp:705
Categories
(Core :: JavaScript Engine, defect, P3)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
86 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox84 | --- | unaffected |
| firefox85 | --- | unaffected |
| firefox86 | --- | fixed |
People
(Reporter: gkw, Assigned: arai)
References
(Regression)
Details
(Keywords: regression, testcase)
Attachments
(7 files)
|
5.29 KB,
text/plain
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review |
setDiscardSource();
let f = async function* () {};
f().next().then(function() {
f().next().then(function() {});
});
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4156==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5614b98966a7 bp 0x7ffe7ddd3d70 sp 0x7ffe7ddd3d70 T0)
==4156==The signal is caused by a WRITE memory access.
==4156==Hint: address points to the zero page.
#0 0x5614b98966a7 in mozilla::Span<JS::GCCellPtr const, 18446744073709551615ul>::operator[](unsigned long) const /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-a3cd8f83fefa/objdir-js/dist/include/mozilla/Span.h:713:5
#1 0x5614b98966a7 in js::BaseScript::enclosingScope() const /home/skygentoo/trees/mozilla-central/js/src/vm/JSScript.cpp:713:10
#2 0x5614b994543e in JSFunction::enclosingScope() const /home/skygentoo/trees/mozilla-central/js/src/vm/JSFunction.h:457:60
#3 0x5614b994543e in js::frontend::CompilationInput::initFromLazy(js::BaseScript*) /home/skygentoo/trees/mozilla-central/js/src/frontend/CompilationInfo.h:203:40
#4 0x5614b994543e in bool DelazifyCanonicalScriptedFunctionImpl<mozilla::Utf8Unit>(JSContext*, JS::Handle<JSFunction*>, JS::Handle<js::BaseScript*>, js::ScriptSource*) /home/skygentoo/trees/mozilla-central/js/src/vm/JSFunction.cpp:1573:25
#5 0x5614b9890473 in DelazifyCanonicalScriptedFunction(JSContext*, JS::Handle<JSFunction*>) /home/skygentoo/trees/mozilla-central/js/src/vm/JSFunction.cpp:1621:12
#6 0x5614b9890473 in JSFunction::delazifyLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) /home/skygentoo/trees/mozilla-central/js/src/vm/JSFunction.cpp:1660:10
#7 0x5614b9909445 in JSFunction::getOrCreateScript(JSContext*, JS::Handle<JSFunction*>) /home/skygentoo/trees/mozilla-central/js/src/vm/JSFunction.h:410:12
#8 0x5614b98900ef in JSFunction::delazifyLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) /home/skygentoo/trees/mozilla-central/js/src/vm/JSFunction.cpp:1648:24
#9 0x5614b92d52c8 in JSFunction::getOrCreateScript(JSContext*, JS::Handle<JSFunction*>) /home/skygentoo/trees/mozilla-central/js/src/vm/JSFunction.h:410:12
#10 0x5614b92d52c8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:605:8
#11 0x5614b92d89a1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:647:10
#12 0x5614b92d89a1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:664:8
#13 0x5614b971fd01 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.h:106:10
#14 0x5614b971fd01 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /home/skygentoo/trees/mozilla-central/js/src/builtin/Promise.cpp:1904:10
#15 0x5614b92d5e84 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:503:13
#16 0x5614b92d5e84 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:594:12
#17 0x5614b92d89a1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:647:10
#18 0x5614b92d89a1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/skygentoo/trees/mozilla-central/js/src/vm/Interpreter.cpp:664:8
#19 0x5614b9ebd32b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/jsapi.cpp:2861:10
#20 0x5614b9879c82 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/jsapi.h:1472:10
#21 0x5614b9879c82 in js::InternalJobQueue::runJobs(JSContext*) /home/skygentoo/trees/mozilla-central/js/src/vm/JSContext.cpp:777:14
#22 0x5614b9878cde in js::RunJobs(JSContext*) /home/skygentoo/trees/mozilla-central/js/src/vm/JSContext.cpp:714:17
#23 0x5614b90fb987 in RunShellJobs(JSContext*) /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:1082:5
#24 0x5614b90e9604 in Shell(JSContext*, js::cli::OptionParser*, char**) /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:11136:3
#25 0x5614b90debd2 in main /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:12012:12
#26 0x7fc14b39ce39 in __libc_start_main (/lib64/libc.so.6+0x23e39)
#27 0x5614b9013d99 in _start (/home/skygentoo/shell-cache/js-64-asan-linux-x86_64-a3cd8f83fefa/js-64-asan-linux-x86_64-a3cd8f83fefa+0x18bcd99)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-a3cd8f83fefa/objdir-js/dist/include/mozilla/Span.h:713:5 in mozilla::Span<JS::GCCellPtr const, 18446744073709551615ul>::operator[](unsigned long) const
==4156==ABORTING
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/bad2b6719d73
user: Ted Campbell
date: Sun Jan 17 22:54:10 2021 +0000
summary: Bug 1687174 - Avoid extra loops in Stencil instantiation for full parse. r=arai
Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ./configure --enable-address-sanitizer --disable-jemalloc --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev a3cd8f83fefa.
Not sure if this is s-s, I'd leave it to Ted/arai.
Flags: sec-bounty?
Flags: needinfo?(tcampbell)
|
||
Comment 1•3 years ago
|
||
Set release status flags based on info from the regressing bug 1687174
status-firefox84:
--- → unaffected
status-firefox85:
--- → unaffected
status-firefox-esr78:
--- → unaffected
|
Assignee | |
Comment 2•3 years ago
•
|
||
Thanks!
This doesn't happen outside of JS shell.
The issue is that, we disallow lazy parsing (setDiscardSource) after lazily parsed the top-level script,
and the condition at https://searchfox.org/mozilla-central/rev/358fbca0398ac651f5ea6030be39b1870ec180a5/js/src/frontend/Stencil.cpp#762
depends on consistent RealmBehaviors::discardSource() value,
across top-level compilation and delazification.
Here's the list of RealmBehaviors::setDiscardSource callsites:
https://searchfox.org/mozilla-central/search?q=symbol:_ZN2JS14RealmBehaviors16setDiscardSourceEb&redirect=false
DedicatedWorkerGlobalScope::WrapGlobalObjectcase- passed to
JS_NewGlobalObject
- passed to
JSRuntime::createSelfHostingGlobalcase- passed to
NewRealm
- passed to
xpc::CreateSandboxObjectcase- passed to
JS_NewGlobalObject
- passed to
xpc::InitGlobalObjectOptionscase- passed to
JS_NewGlobalObject
- passed to
XRE_XPCShellMaincase (also testing only)- alters after creating global, but before parsing any script
SetDiscardSourcecase (JS shell testing function)- alters anytime
So, only JS shell testing function can alter the flag after parsing script.
We could do:
- add debug assertion that
CanLazilyParseis true for delazification, - remove the testing functions (
setDiscardSourceandsetLazyParsingDisabled) and instead add command-line parameter to flip those behaviors - or, ignore those
RealmBehavioroptions for delazifications
|
|
Assignee | |
Comment 3•3 years ago
|
||
(In reply to Tooru Fujisawa [:arai] from comment #2)
- remove the testing functions (
setDiscardSourceandsetLazyParsingDisabled) and instead add command-line parameter to flip those behaviors
or use newGlobal({ disableLazyParsing: true}) in those testcases, and add discardSource option too.
|
|
Assignee | |
Updated•3 years ago
|
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•3 years ago
|
Severity: -- → S4
Priority: -- → P3
|
|
Assignee | |
Comment 4•3 years ago
|
||
Plan:
- add
discardSourceoption tonewGlobal - rewrite testcases to use
newGlobalinstead ofsetDiscardSourceandsetLazyParsingDisabledfunctions - remove
setDiscardSourceandsetLazyParsingDisabled - make most of
RealmBehaviorsfields immutable after creating realm:- add public API for
RealmBehaviors::setNonLive - make
RealmBehaviorsRefreturn const reference - remove mutable variant of
Realm::behaviors
- add public API for
|
|
Assignee | |
Comment 5•3 years ago
|
||
|
|
Assignee | |
Comment 6•3 years ago
|
||
Depends on D102757
|
|
Assignee | |
Comment 7•3 years ago
|
||
Depends on D102758
|
|
Assignee | |
Comment 8•3 years ago
|
||
Depends on D102759
|
|
Assignee | |
Comment 9•3 years ago
|
||
Depends on D102760
|
|
Assignee | |
Comment 10•3 years ago
|
||
Depends on D102761
|
||
Comment 11•3 years ago
|
||
Thanks for the report Gary! As :arai points out, this depends on discardSource which is only used in the jsshell and privilege chrome-js code.
The ScriptWarmupData and BaseScript cleanup last year has also been paying off by making these sorts of bugs into robust nullptr crashes instead.
@sectriage: This bug can be un-hidden.
Flags: needinfo?(tcampbell)
|
||
Updated•3 years ago
|
Group: core-security
|
||
Comment 12•3 years ago
|
||
Pushed by arai_a@mac.com: https://hg.mozilla.org/integration/autoland/rev/22bf465ca004 Part 1: Add discardSource option to newGlobal. r=tcampbell https://hg.mozilla.org/integration/autoland/rev/0a62713c08b4 Part 2: Use newGlobal with discardSource option in testcases. r=tcampbell https://hg.mozilla.org/integration/autoland/rev/ff856aa267d0 Part 3: Use newGlobal with disableLazyParsing option in testcases. r=tcampbell https://hg.mozilla.org/integration/autoland/rev/f416c198c3e9 Part 4: Remove setLazyParsingDisabled and setDiscardSource testing functions. r=tcampbell https://hg.mozilla.org/integration/autoland/rev/598768646a01 Part 5: Add JS::SetRealmNonLive. r=tcampbell https://hg.mozilla.org/integration/autoland/rev/f2e017b239ac Part 6: Make JS::RealmBehaviorsRef return const reference. r=tcampbell
|
||
Comment 13•3 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/22bf465ca004
https://hg.mozilla.org/mozilla-central/rev/0a62713c08b4
https://hg.mozilla.org/mozilla-central/rev/ff856aa267d0
https://hg.mozilla.org/mozilla-central/rev/f416c198c3e9
https://hg.mozilla.org/mozilla-central/rev/598768646a01
https://hg.mozilla.org/mozilla-central/rev/f2e017b239ac
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
|
|
||
Updated•3 years ago
|
Keywords: regression
|
||
Updated•3 years ago
|
Flags: sec-bounty? → sec-bounty-
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•