Closed Bug 1759107 Opened 3 years ago Closed 3 years ago

Crash in [@ js::gc::UnmarkGrayGCThingUnchecked]

Categories

(Core :: JavaScript: GC, defect, P1)

Product:
Core
Component:
JavaScript: GC
Platform:
Unspecified
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
100 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox98 --- unaffected
firefox99 --- unaffected
firefox100 --- fixed

People

(Reporter: aryx, Assigned: jonco)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1759107 - Don't add gecko profiler stack frames when unmarking gray things on helper threads r?jandem
48 bytes, text/x-phabricator-request
Details | Review

There were single crashes with this signature before and 4 for Firefox 95.0.2 but in the last
2 days 5 different machines have submit 6 such crash reports. First affected build is Firefox 100.0a1 20220309213717, on all operating systems.

Crash report: https://crash-stats.mozilla.org/report/index/4662f456-1386-4e7f-a66f-62af90220310

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames of crashing thread:

0 XUL js::gc::UnmarkGrayGCThingUnchecked js/src/gc/Marking.cpp:3044
1 XUL ShouldTraceCrossCompartment js/src/gc/Marking.cpp:358
2 XUL js::ProxyObject::trace js/src/proxy/Proxy.cpp:870
3 XUL js::GCMarker::markUntilBudgetExhausted js/src/gc/Marking.cpp:1797
4 XUL js::gc::GCRuntime::markUntilBudgetExhausted js/src/gc/GC.cpp:2780
5 XUL js::gc::BackgroundMarkTask::run js/src/gc/Sweeping.cpp:1714
6 XUL js::GCParallelTask::runHelperThreadTask js/src/gc/GCParallelTask.cpp:165
7 XUL js::GlobalHelperThreadState::runOneTask js/src/vm/HelperThreads.cpp:2629
8 XUL mozilla::ThreadFuncPoolThread xpcom/threads/TaskController.cpp:116
9 libnss3.dylib _pt_root nsprpub/pr/src/pthreads/ptthread.c:201
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Priority: -- → P1
Regressed by: 1643586

This is a null pointer dereference because TlsContext is null on helper
threads.

We don't support adding profiler entries like this on helper threads at the
moment, but it's possible and we should maybe do this in the future.

Set release status flags based on info from the regressing bug 1643586

status-firefox98: --- → unaffected
status-firefox99: --- → unaffected
status-firefox-esr91: --- → unaffected
Crash Signature: [@ js::gc::UnmarkGrayGCThingUnchecked] → [@ js::gc::UnmarkGrayGCThingUnchecked] [@ js::gc::UnmarkGrayGCThingUnchecked(JSRuntime*, JS::GCCellPtr)]
Has Regression Range: --- → yes

This is a null deref, so it doesn't need to be hidden.

Group: javascript-core-security
Crash Signature: [@ js::gc::UnmarkGrayGCThingUnchecked] [@ js::gc::UnmarkGrayGCThingUnchecked(JSRuntime*, JS::GCCellPtr)] → [@ js::gc::UnmarkGrayGCThingUnchecked] [@ js::gc::UnmarkGrayGCThingUnchecked(JSRuntime*, JS::GCCellPtr)]
Pushed by ctuns@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/5af2e0c7d94b Don't add gecko profiler stack frames when unmarking gray things on helper threads r=jandem

https://hg.mozilla.org/mozilla-central/rev/5af2e0c7d94b

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox100: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 100 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: