Closed
Bug 727334
Opened 12 years ago
Closed 10 years ago
JS OOM Testing: Crash [@ js::ReentrancyGuard::ReentrancyGuard]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, sec-moderate, testcase, Whiteboard: [sg:moderate])
Crash Data
The following command crashes on mozilla-central revision d45c7d7b0079: js -m -n -a -A 1335 -f js/src/tests/shell.js -f js/src/tests/js1_7/shell.js -f js/src/tests/js1_7/geniter/shell.js -f js/src/tests/js1_7/geniter/regress-347739.js ==4501== Invalid read of size 1 ==4501== at 0x67CC8C: js::ReentrancyGuard::ReentrancyGuard<js::Vector<JSC::Yarr::PatternTerm, 0ul, js::SystemAllocPolicy> >(js::Vector<JSC::Yarr::PatternTerm, 0ul, js::SystemAllocPolicy>&) (Utility.h:840) ==4501== by 0x764319: bool js::Vector<JSC::Yarr::PatternTerm, 0ul, js::SystemAllocPolicy>::append<JSC::Yarr::PatternTerm>(JSC::Yarr::PatternTerm) (Vector.h:786) ==4501== by 0x76318F: void JSC::Yarr::Vector<JSC::Yarr::PatternTerm, 0ul>::append<JSC::Yarr::PatternTerm>(JSC::Yarr::PatternTerm const&) (wtfbridge.h:200) ==4501== by 0x7615C4: JSC::Yarr::YarrPatternConstructor::atomPatternCharacter(unsigned short) (YarrPattern.cpp:298) ==4501== by 0x767EBD: bool JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor>::parseEscape<false, JSC::Yarr::YarrPatternConstructor>(JSC::Yarr::YarrPatternConstructor&) (YarrParser.h:398) ==4501== by 0x766AD9: JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor>::parseAtomEscape() (YarrParser.h:411) ==4501== by 0x7657ED: JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor>::parseTokens() (YarrParser.h:591) ==4501== by 0x76470E: JSC::Yarr::Parser<JSC::Yarr::YarrPatternConstructor>::parse() (YarrParser.h:668) ==4501== by 0x7632BB: JSC::Yarr::ErrorCode JSC::Yarr::parse<JSC::Yarr::YarrPatternConstructor>(JSC::Yarr::YarrPatternConstructor&, JSLinearString const&, unsigned int) (YarrParser.h:846) ==4501== by 0x75F922: JSC::Yarr::YarrPattern::compile(JSLinearString const&) (YarrPattern.cpp:710) ==4501== by 0x75FB8B: JSC::Yarr::YarrPattern::YarrPattern(JSLinearString const&, bool, bool, JSC::Yarr::ErrorCode*) (YarrPattern.cpp:754) ==4501== by 0x678D18: js::detail::RegExpCode::compile(JSContext*, JSLinearString&, unsigned int*, js::RegExpFlag) (RegExpObject.cpp:248) ==4501== Address 0x28 is not stack'd, malloc'd or (recently) free'd S-s until triaged, as I cannot judge how critical this might be.
Comment 1•12 years ago
|
||
Weird, because ReentrancyGuard doesn't do any allocations of its own. I guess |this| is null at http://hg.mozilla.org/mozilla-central/annotate/24f2c7e26fbd/js/public/Vector.h#l786. Can you get a stack trace with gdb so it shows what's null and what's not?
Comment 2•12 years ago
|
||
Also, can you get a stack trace for the failing allocation(s)? That would be useful in the OOM-test bugs in general.
Comment 3•12 years ago
|
||
causing an OOM at exactly this spot is probably not likely even if this invalid read is dangerous. guessing "moderate".
Whiteboard: [sg:moderate]
Comment 4•12 years ago
|
||
I see this in automation on Windows 7 on an "image-suck" bug that eats ram. Ted's tool rates this as low exploitability. Operating system: Windows NT 6.1.7601 Service Pack 1 CPU: x86 GenuineIntel family 6 model 37 stepping 1 2 CPUs Crash reason: EXCEPTION_ACCESS_VIOLATION_READ Crash address: 0xffffffffdddddea9 Thread 0 (crashed) 0 mozjs.dll!js::ReentrancyGuard::ReentrancyGuard<js::detail::HashTable<js::gc::Chunk * const,js::HashSet<js::gc::Chunk *,js::GCChunkHasher,js::SystemAllocPolicy>::SetOps,js::SystemAllocPolicy> const >(js::detail::HashTable<js::gc::Chunk * const,js::HashSet<js::gc::Chunk *,js::GCChunkHasher,js::SystemAllocPolicy>::SetOps,js::SystemAllocPolicy> const &) [Utility.h : 840 + 0x5] eip = 0x7144a477 esp = 0x00178dac ebp = 0x00178db0 ebx = 0x00000001 esi = 0x004faa60 edi = 0x00000000 eax = 0xdddddea9 ecx = 0x00178dc0 edx = 0x00178dc0 efl = 0x00210296 Found by: given as instruction pointer in context 1 mozjs.dll!js::detail::HashTable<js::gc::Chunk * const,js::HashSet<js::gc::Chunk *,js::GCChunkHasher,js::SystemAllocPolicy>::SetOps,js::SystemAllocPolicy>::lookup(js::gc::Chunk * const &) [HashTable.h : 669 + 0xb] eip = 0x714433a5 esp = 0x00178db8 ebp = 0x00178dc8 Found by: call frame info 2 mozjs.dll!js::HashSet<js::gc::Chunk *,js::GCChunkHasher,js::SystemAllocPolicy>::has(js::gc::Chunk * const &) [HashTable.h : 1327 + 0xf] eip = 0x714424a9 esp = 0x00178dd0 ebp = 0x00178de0 Found by: call frame info 3 mozjs.dll!js::IsAddressableGCThing(JSRuntime *,unsigned int,js::gc::AllocKind *,js::gc::ArenaHeader * *,void * *) [jsgc.cpp : 1019 + 0x11] eip = 0x714375aa esp = 0x00178de8 ebp = 0x00178e18 Found by: call frame info 4 mozjs.dll!js::MarkIfGCThingWord(JSTracer *,unsigned int) [jsgc.cpp : 1073 + 0x1a] eip = 0x7143734b esp = 0x00178e20 ebp = 0x00178e80 Found by: call frame info 5 mozjs.dll!gc_root_traversal [jsgc.cpp : 2149 + 0xc] eip = 0x7143dd09 esp = 0x00178e88 ebp = 0x00178ec4 Found by: call frame info Releated assertions are: Assertion failure: JS_GetContextThread(cx) Assertion failure: compartment()->activeInference
Bob, your crash stack looks a lot like bug 728976. We're having a hard time reproducing it. Do you happen to have a test case? Can you describe the circumstances when it happens? Is it definitely an OOM?
Comment 6•12 years ago
|
||
It is very close to oom though in the particular cases where i've seen this it is during the browser shutdown. I've seen it in automation a couple of times, but trying to reproduce locally has been difficult since it hits oom here. It does seem more like bug 728976 though. I have to step away for a bit, but will try to reproduce with a vm with slightly more memory and see what happens.
Updated•12 years ago
|
Keywords: sec-moderate
Updated•10 years ago
|
Group: javascript-core-security
Updated•10 years ago
|
Group: javascript-core-security
Assignee | ||
Updated•10 years ago
|
Assignee: general → nobody
Comment 7•10 years ago
|
||
The stack trace in comment 0 is from Yarr, which has been removed, and the in comment 4 is some GC stuff, which has changed a lot in the last two years, so I'm just going to go ahead and close this. Please reopen if you are still seeing these...
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INCOMPLETE
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•