727334 - JS OOM Testing: Crash [@ js::ReentrancyGuard::ReentrancyGuard]

Status: RESOLVED INCOMPLETE

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following command crashes on mozilla-central revision d45c7d7b0079:

js -m -n -a -A 1335 -f js/src/tests/shell.js -f js/src/tests/js1_7/shell.js -f js/src/tests/js1_7/geniter/shell.js -f js/src/tests/js1_7/geniter/regress-347739.js


==4501== Invalid read of size 1
==4501==    at 0x67CC8C: js::ReentrancyGuard::ReentrancyGuard<js::Vector<JSC::Yarr::PatternTerm, 0ul, js::SystemAllocPolicy> >(js::Vector<JSC::Yarr::PatternTerm, 0ul, js::SystemAllocPolicy>&) (Utility.h:840)
==4501==    by 0x764319: bool js::Vector<JSC::Yarr::PatternTerm, 0ul, js::SystemAllocPolicy>::append<JSC::Yarr::PatternTerm>(JSC::Yarr::PatternTerm) (Vector.h:786)
==4501==    by 0x76318F: void JSC::Yarr::Vector<JSC::Yarr::PatternTerm, 0ul>::append<JSC::Yarr::PatternTerm>(JSC::Yarr::PatternTerm const&) (wtfbridge.h:200)
==4501==    by 0x7615C4: JSC::Yarr::YarrPatternConstructor::atomPatternCharacter(unsigned short) (YarrPattern.cpp:298)
==4501==    by 0x767EBD: bool JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor>::parseEscape<false, JSC::Yarr::YarrPatternConstructor>(JSC::Yarr::YarrPatternConstructor&) (YarrParser.h:398)
==4501==    by 0x766AD9: JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor>::parseAtomEscape() (YarrParser.h:411)
==4501==    by 0x7657ED: JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor>::parseTokens() (YarrParser.h:591)
==4501==    by 0x76470E: JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor>::parse() (YarrParser.h:668)
==4501==    by 0x7632BB: JSC::Yarr::ErrorCode JSC::Yarr::parse<JSC::Yarr::YarrPatternConstructor>(JSC::Yarr::YarrPatternConstructor&, JSLinearString const&, unsigned int) (YarrParser.h:846)
==4501==    by 0x75F922: JSC::Yarr::YarrPattern::compile(JSLinearString const&) (YarrPattern.cpp:710)
==4501==    by 0x75FB8B: JSC::Yarr::YarrPattern::YarrPattern(JSLinearString const&, bool, bool, JSC::Yarr::ErrorCode*) (YarrPattern.cpp:754)
==4501==    by 0x678D18: js::detail::RegExpCode::compile(JSContext*, JSLinearString&, unsigned int*, js::RegExpFlag) (RegExpObject.cpp:248)
==4501==  Address 0x28 is not stack'd, malloc'd or (recently) free'd

S-s until triaged, as I cannot judge how critical this might be.

Comment 1

[Jesse Ruderman]

Weird, because ReentrancyGuard doesn't do any allocations of its own. I guess |this| is null at http://hg.mozilla.org/mozilla-central/annotate/24f2c7e26fbd/js/public/Vector.h#l786.  Can you get a stack trace with gdb so it shows what's null and what's not?

Comment 2

[Jesse Ruderman]

Also, can you get a stack trace for the failing allocation(s)? That would be useful in the OOM-test bugs in general.

Comment 3

[Daniel Veditz [:dveditz]]

causing an OOM at exactly this spot is probably not likely even if this invalid read is dangerous. guessing "moderate".

Comment 4

[Bob Clary [:bc] (inactive)]

I see this in automation on Windows 7 on an "image-suck" bug that eats ram. Ted's tool rates this as low exploitability.

Operating system: Windows NT
                  6.1.7601 Service Pack 1
CPU: x86
     GenuineIntel family 6 model 37 stepping 1
     2 CPUs

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xffffffffdddddea9

Thread 0 (crashed)
 0  mozjs.dll!js::ReentrancyGuard::ReentrancyGuard<js::detail::HashTable<js::gc::Chunk * const,js::HashSet<js::gc::Chunk *,js::GCChunkHasher,js::SystemAllocPolicy>::SetOps,js::SystemAllocPolicy> const >(js::detail::HashTable<js::gc::Chunk * const,js::HashSet<js::gc::Chunk *,js::GCChunkHasher,js::SystemAllocPolicy>::SetOps,js::SystemAllocPolicy> const &) [Utility.h : 840 + 0x5]
    eip = 0x7144a477   esp = 0x00178dac   ebp = 0x00178db0   ebx = 0x00000001
    esi = 0x004faa60   edi = 0x00000000   eax = 0xdddddea9   ecx = 0x00178dc0
    edx = 0x00178dc0   efl = 0x00210296
    Found by: given as instruction pointer in context
 1  mozjs.dll!js::detail::HashTable<js::gc::Chunk * const,js::HashSet<js::gc::Chunk *,js::GCChunkHasher,js::SystemAllocPolicy>::SetOps,js::SystemAllocPolicy>::lookup(js::gc::Chunk * const &) [HashTable.h : 669 + 0xb]
    eip = 0x714433a5   esp = 0x00178db8   ebp = 0x00178dc8
    Found by: call frame info
 2  mozjs.dll!js::HashSet<js::gc::Chunk *,js::GCChunkHasher,js::SystemAllocPolicy>::has(js::gc::Chunk * const &) [HashTable.h : 1327 + 0xf]
    eip = 0x714424a9   esp = 0x00178dd0   ebp = 0x00178de0
    Found by: call frame info
 3  mozjs.dll!js::IsAddressableGCThing(JSRuntime *,unsigned int,js::gc::AllocKind *,js::gc::ArenaHeader * *,void * *) [jsgc.cpp : 1019 + 0x11]
    eip = 0x714375aa   esp = 0x00178de8   ebp = 0x00178e18
    Found by: call frame info
 4  mozjs.dll!js::MarkIfGCThingWord(JSTracer *,unsigned int) [jsgc.cpp : 1073 + 0x1a]
    eip = 0x7143734b   esp = 0x00178e20   ebp = 0x00178e80
    Found by: call frame info
 5  mozjs.dll!gc_root_traversal [jsgc.cpp : 2149 + 0xc]
    eip = 0x7143dd09   esp = 0x00178e88   ebp = 0x00178ec4
    Found by: call frame info

Releated assertions are:

Assertion failure: JS_GetContextThread(cx)
Assertion failure: compartment()->activeInference

Comment 5

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Bob, your crash stack looks a lot like bug 728976. We're having a hard time reproducing it. Do you happen to have a test case? Can you describe the circumstances when it happens? Is it definitely an OOM?

Comment 6

[Bob Clary [:bc] (inactive)]

It is very close to oom though in the particular cases where i've seen this it is during the browser shutdown. I've seen it in automation a couple of times, but trying to reproduce locally has been difficult since it hits oom here. It does seem more like  bug 728976 though. I have to step away for a bit, but will try to reproduce with a vm with slightly more memory and see what happens.

Comment 7

[Andrew McCreight [:mccr8]]

The stack trace in comment 0 is from Yarr, which has been removed, and the in comment 4 is some GC stuff, which has changed a lot in the last two years, so I'm just going to go ahead and close this.  Please reopen if you are still seeing these...