Closed Bug 1707979 Opened 3 years ago Closed 1 year ago

Delazification Crashes, loading immutableFlags_ off null (0x38 crashes)

Categories

(Core :: JavaScript Engine, defect, P3)

defect

Tracking


RESOLVED FIXED
Tracking Status
firefox-esr78 --- wontfix
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- wontfix

People

(Reporter: aryx, Assigned: tcampbell)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Pre-existing crash but frequency increased for Firefox 88 (already 62 crashes vs. 53 for the whole Firefox 87 cycle).

Crash report: https://crash-stats.mozilla.org/report/index/1675336d-9266-4288-bfec-507080210427

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::statementListItem js/src/frontend/Parser.cpp:8888
1 xul.dll js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionFormalParametersAndBody js/src/frontend/Parser.cpp:3461
2 xul.dll js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::standaloneLazyFunction js/src/frontend/Parser.cpp:3326
3 xul.dll js::frontend::DelazifyCanonicalScriptedFunction js/src/frontend/BytecodeCompiler.cpp:1145
4 xul.dll static JSFunction::delazifyLazilyInterpretedFunction js/src/vm/JSFunction.cpp:1548
5 xul.dll static JSFunction::getOrCreateScript js/src/vm/JSFunction.h:406
6 xul.dll static JSFunction::delazifyLazilyInterpretedFunction js/src/vm/JSFunction.cpp:1536
7 xul.dll Interpret js/src/vm/Interpreter.cpp:3260
8 xul.dll js::ExecuteKernel js/src/vm/Interpreter.cpp:776
9 xul.dll js::Execute js/src/vm/Interpreter.cpp:808

A good chunk of these are at offset 0x38 (56). A repeated theme of the parser crashes is the crashing lines calling pos().begin.

See Also: 1705761
Severity: -- → S3
Priority: -- → P3
See Also: → 1710881
Summary: Crash in [@ js::frontend::GeneralParser<T>::statementListItem] → Delazification Crashes, loading immutableFlags_ off null (0x38 crashes)
Crash Signature: [@ js::frontend::GeneralParser<T>::statementListItem] → [@ js::frontend::GeneralParser<T>::statementListItem] [@ js::frontend::GeneralParser<T>::primaryExpr]
Crash Signature: [@ js::frontend::GeneralParser<T>::statementListItem] [@ js::frontend::GeneralParser<T>::primaryExpr] → [@ js::frontend::GeneralParser<T>::statementListItem] [@ js::frontend::GeneralParser<T>::primaryExpr] [@ js::frontend::Parser<T>::skipLazyInnerFunction]
Crash Signature: [@ js::frontend::GeneralParser<T>::statementListItem] [@ js::frontend::GeneralParser<T>::primaryExpr] [@ js::frontend::Parser<T>::skipLazyInnerFunction] → [@ js::frontend::GeneralParser<T>::statementListItem] [@ js::frontend::GeneralParser<T>::primaryExpr] [@ js::frontend::Parser<T>::skipLazyInnerFunction] [@ js::frontend::GeneralParser<T>::functionExpr]

So in Bug 1706429, Comment 9, my analysis led me to a JSFunction in the skipped-inner-function list that seems to report having a BaseScript according to Function flags, but has nullptr in the union.

Arai: This seems relevant to your delazification work; not sure if the above gives you any hypotheses.

Flags: needinfo?(arai.unmht)
Crash Signature: [@ js::frontend::GeneralParser<T>::statementListItem] [@ js::frontend::GeneralParser<T>::primaryExpr] [@ js::frontend::Parser<T>::skipLazyInnerFunction] [@ js::frontend::GeneralParser<T>::functionExpr] → [@ js::frontend::GeneralParser<T>::statementListItem] [@ js::frontend::GeneralParser<T>::primaryExpr] [@ js::frontend::Parser<T>::skipLazyInnerFunction] [@ js::frontend::GeneralParser<T>::functionExpr] [@ js::frontend::GeneralParser<T>::functionStmt]
Crash Signature: [@ js::frontend::GeneralParser<T>::statementListItem] [@ js::frontend::GeneralParser<T>::primaryExpr] [@ js::frontend::Parser<T>::skipLazyInnerFunction] [@ js::frontend::GeneralParser<T>::functionExpr] [@ js::frontend::GeneralParser<T>::functionStmt] → [@ js::frontend::GeneralParser<T>::statementListItem] [@ js::frontend::GeneralParser<T>::primaryExpr] [@ js::frontend::Parser<T>::skipLazyInnerFunction] [@ js::frontend::GeneralParser<T>::functionExpr] [@ js::frontend::GeneralParser<T>::functionStmt] […

Hello,

For what it's worth, my crashes of yesterday (→ bug1705761) are solved by the update from 89.0b13 to 89.0b14 (Firefox DevEdition, Linux).

Cheers,
Florent

Crash Signature: [@ js::frontend::GeneralParser<T>::statementListItem] [@ js::frontend::GeneralParser<T>::primaryExpr] [@ js::frontend::Parser<T>::skipLazyInnerFunction] [@ js::frontend::GeneralParser<T>::functionExpr] [@ js::frontend::GeneralParser<T>::functionStmt] [… → [@ js::frontend::GeneralParser<T>::statementListItem] [@ js::frontend::GeneralParser<T>::primaryExpr] [@ js::frontend::Parser<T>::skipLazyInnerFunction] [@ js::frontend::GeneralParser<T>::functionExpr] [@ js::frontend::GeneralParser<T>::functionStmt] …

(In reply to Florent Fayolle from comment #11)

> Hello,
>
> For what it's worth, my crashes of yesterday (→ bug1705761) are solved by the update from 89.0b13 to 89.0b14 (Firefox DevEdition, Linux).
>
> Cheers,
> Florent

Thanks for the update. Nothing relevant changed between those versions, which suggests that what changed was that the cache file was cleared on update, and there is a risk the issue will reappear :(

Had another crash just now: https://crash-stats.mozilla.org/report/index/0c096d1e-31c5-4c91-b757-ecc230210520

This time it had nothing to do with dev-tools, but it still happened when executing JavaScript. It was solved again by SHIFT-reloading the page (and all scripts).

These placeholder functions should not be exposed to the debugger. This adds a
few more early-returns to parts of the debugger that might leak. Also add a
diagnostic assert to delazification to get more meaningful stack traces. This is
an investigation and I do not have a concrete testcase that produces crashes.

Assignee: nobody → tcampbell
Status: NEW → ASSIGNED
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/725361ac47bc
Prevent debugger exposing "ghost" functions. r=arai
Keywords: leave-open
Flags: needinfo?(arai.unmht)
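The state described in comment 9 (a function whose flags claim it has a BaseScript while the pointer in the union is null) and the defensive pattern the patch description outlines (early-returns in debugger-facing code plus a diagnostic assert on the delazification path) can be shown with a small model. The following is an added example and is not SpiderMonkey code: `BaseScript`, `Function`, the flag bits, and the field and function names are hypothetical stand-ins, and the layout is not the engine's.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Hypothetical model of a script's header; immutableFlags_ stands in for the
// flags word that the crash reports read off a null pointer.
struct BaseScript {
  uint32_t immutableFlags_;
};

// Hypothetical model of a function object: a flags word plus a union whose
// interpretation depends on the flags.
struct Function {
  enum : uint16_t { HAS_BASESCRIPT = 1u << 0, LAZY = 1u << 1 };
  uint16_t flags = 0;
  union {
    BaseScript* script_;  // meaningful only when HAS_BASESCRIPT is set
    void* native_;        // otherwise a native entry point
  } u{nullptr};

  bool hasBaseScript() const { return (flags & HAS_BASESCRIPT) != 0; }
  bool isLazy() const { return (flags & LAZY) != 0; }
  // The "ghost" state: flags promise a script, the union holds none.
  bool isGhost() const { return hasBaseScript() && u.script_ == nullptr; }
};

// The condition a diagnostic assert on the delazification path would check.
// Returning the reason lets callers (and tests) inspect it without aborting.
inline bool delazifyPreconditionsHold(const Function& fun, const char** why) {
  if (!fun.hasBaseScript()) { *why = "function has no BaseScript"; return false; }
  if (fun.u.script_ == nullptr) { *why = "ghost function: HAS_BASESCRIPT set but script pointer is null"; return false; }
  if (!fun.isLazy()) { *why = "function is already delazified"; return false; }
  *why = nullptr;
  return true;
}

// Delazification entry point: fail loudly up front so the stack trace names the
// inconsistent object instead of a null read several frames deep in the parser.
inline uint32_t delazify(Function& fun) {
  const char* why = nullptr;
  if (!delazifyPreconditionsHold(fun, &why)) {
    std::fprintf(stderr, "delazify precondition failed: %s\n", why);
    std::abort();
  }
  fun.flags = static_cast<uint16_t>(fun.flags & ~Function::LAZY);
  return fun.u.script_->immutableFlags_;
}

// Debugger-facing accessor: early-return rather than exposing a ghost.
inline const BaseScript* debuggerScriptFor(const Function& fun) {
  if (!fun.hasBaseScript() || fun.isGhost()) return nullptr;
  return fun.u.script_;
}

// Constructed sample objects (not from any crash report).
inline Function makeLazyFunction(BaseScript* script) {
  Function f;
  f.flags = Function::HAS_BASESCRIPT | Function::LAZY;
  f.u.script_ = script;
  return f;
}
inline Function makeGhostFunction() {
  Function f;
  f.flags = Function::HAS_BASESCRIPT | Function::LAZY;
  f.u.script_ = nullptr;
  return f;
}

int main() {
  BaseScript script{0x2a};
  Function ok = makeLazyFunction(&script);
  std::printf("immutableFlags_ after delazify = 0x%x\n", delazify(ok));

  Function ghost = makeGhostFunction();
  std::printf("debugger sees ghost script? %s\n",
              debuggerScriptFor(ghost) ? "yes" : "no (early return)");
  const char* why = nullptr;
  delazifyPreconditionsHold(ghost, &why);
  std::printf("delazify would assert: %s\n", why);
  return 0;
}
```

The point of splitting the check out of `delazify` is that the same predicate serves both a release-build early-return and a debug-build assert, so the two paths cannot drift apart; the ghost object is never dereferenced by either.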

Given that the patch on this bug seems to have ameliorated the problem, should we consider uplift? Just duped Bug 1717480, which was on release, here.

The leave-open keyword is there and there is no activity for 6 months.
:tcampbell, maybe it's time to close this bug?
For more information, please visit auto_nag documentation.

Flags: needinfo?(tcampbell)

The severity field for this bug is relatively low, S3. However, the bug has 6 duplicates.
:tcampbell, could you consider increasing the bug severity?

For more information, please visit auto_nag documentation.

Flags: needinfo?(tcampbell)

The leave-open keyword is there and there is no activity for 6 months.
:tcampbell, maybe it's time to close this bug?
For more information, please visit auto_nag documentation.

Flags: needinfo?(tcampbell)
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Flags: needinfo?(tcampbell)
Keywords: leave-open
Resolution: --- → FIXED
