Assertion failure: addr % Cell::CellSize == 0, at ../../jsgc.h:861 or Crash [@ js::gc::ChunkBitmap::markIfUnmarked]

VERIFIED FIXED in Firefox 13

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
6 years ago
5 years ago

People

(Reporter: decoder, Assigned: billm)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla13
x86_64
Linux
assertion, crash, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox10- unaffected, firefox11- unaffected, firefox12- unaffected, firefox13+ fixed, firefox-esr10- unaffected)

Details

(Whiteboard: [sg:critical] js-triage-needed [advisory-tracking+], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following test crashes on mozilla-central revision 1c3b291d0830+ (options -m -n -a):


gczeal(2,1);
var count = 0;
var a = {__noSuchMethod__: function() { count++; } }
for (var i = 0; i < 10; 0) {
  a.b();
}


Stepping through crashes:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004b8320 in js::gc::ChunkBitmap::markIfUnmarked (this=0xdadadadadadfc0b8, cell=0xdadadadadadadada, color=0) at /srv/repos/mozilla-central/js/src/jsgc.h:674
674             if (*word & mask)
(gdb) bt
#0  0x00000000004b8320 in js::gc::ChunkBitmap::markIfUnmarked (this=0xdadadadadadfc0b8, cell=0xdadadadadadadada, color=0) at /srv/repos/mozilla-central/js/src/jsgc.h:674
#1  0x00000000004b869d in js::gc::Cell::markIfUnmarked (this=0xdadadadadadadada, color=0) at /srv/repos/mozilla-central/js/src/jsgc.h:972
#2  0x00000000004cbd22 in js::gc::PushMarkStack (gcmarker=0x7ffff7fae220, thing=0xdadadadadadadada) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:457
#3  0x00000000004d2439 in js::GCMarker::processMarkStackTop (this=0x7ffff7fae220, budget=...) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:1112
#4  0x00000000004cd882 in js::GCMarker::drainMarkStack (this=0x7ffff7fae220, budget=...) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:1172
#5  0x00000000004b3eb7 in MarkAndSweep (cx=0xb64b40, gckind=js::GC_NORMAL) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3300
#6  0x00000000004b4d6f in GCCycle (cx=0xb64b40, comp=0x0, budget=0, gckind=js::GC_NORMAL) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3642
#7  0x00000000004b503e in Collect (cx=0xb64b40, comp=0x0, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::LAST_DITCH) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3707
#8  0x00000000004b5174 in js::GC (cx=0xb64b40, comp=0x0, gckind=js::GC_NORMAL, reason=js::gcreason::LAST_DITCH) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3727
#9  0x00000000004b02ce in js::gc::RunLastDitchGC (cx=0xb64b40) at /srv/repos/mozilla-central/js/src/jsgc.cpp:1722
#10 0x00000000004b5dc1 in js::gc::RunDebugGC (cx=0xb64b40) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3967
#11 0x0000000000463874 in js::gc::NewGCThing<JSObject> (cx=0xb64b40, kind=js::gc::FINALIZE_OBJECT8, thingSize=96) at ../jsgcinlines.h:408
#12 0x000000000045f2b4 in js_NewGCObject (cx=0xb64b40, kind=js::gc::FINALIZE_OBJECT8) at ../jsgcinlines.h:454
#13 0x00000000004615dd in JSObject::createDenseArray (cx=0xb64b40, kind=js::gc::FINALIZE_OBJECT8, shape=..., type=..., length=0) at ../jsobjinlines.h:1088
#14 0x000000000045c95d in js::NewArray<true> (cx=0xb64b40, length=0, proto=0x7ffff6105060) at /srv/repos/mozilla-central/js/src/jsarray.cpp:3804
#15 0x00000000004591a5 in js::NewDenseCopiedArray (cx=0xb64b40, length=0, vp=0x7ffff63fb0b0, proto=0x0) at /srv/repos/mozilla-central/js/src/jsarray.cpp:3859
#16 0x00000000004f9c84 in NoSuchMethod (cx=0xb64b40, argc=0, vp=0x7ffff63fb0a0) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:414
#17 0x00000000004f9fb3 in js::InvokeKernel (cx=0xb64b40, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:485
#18 0x0000000000506213 in js::Interpret (cx=0xb64b40, entryFrame=0x7ffff63fb030, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:2699
#19 0x0000000000692b45 in js::mjit::EnterMethodJIT (cx=0xb64b40, fp=0x7ffff63fb030, code=0x7ffff7f3c078, stackLimit=0x7ffff67db000, partial=false)
    at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079
#20 0x0000000000692cf6 in CheckStackAndEnterMethodJIT (cx=0xb64b40, fp=0x7ffff63fb030, code=0x7ffff7f3c078, partial=false)
    at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1111


S-s and sg:critical due to GC related crash with dangerous address pattern.
(Reporter)

Comment 1

6 years ago
Not sure how reliable this bisect is but it looks realistic:

The first bad revision is:
changeset:   86695:fbef6a165cf8
user:        Bill McCloskey
date:        Fri Feb 10 18:32:08 2012 -0800
summary:     Bug 723313 - Stop using conservative stack scanner for VM stack marking (r=luke,bhackett)
(Assignee)

Comment 2

6 years ago
Created attachment 602046 [details] [diff] [review]
patch

Sometimes I do stuff like this just so that if I ever do something smart it seems really impressive.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #602046 - Flags: review?(luke)

Comment 3

6 years ago
Comment on attachment 602046 [details] [diff] [review]
patch

Ouch
Attachment #602046 - Flags: review?(luke) → review+
(Assignee)

Comment 4

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/ecd394385340
Target Milestone: --- → mozilla13

Updated

6 years ago
status-firefox-esr10: --- → unaffected
status-firefox10: --- → wontfix
status-firefox11: --- → wontfix
status-firefox12: --- → unaffected
status-firefox13: --- → affected
tracking-firefox-esr10: --- → -
tracking-firefox10: --- → -
tracking-firefox11: --- → -
tracking-firefox12: --- → -
tracking-firefox13: --- → +

Updated

6 years ago
status-firefox10: wontfix → unaffected
status-firefox11: wontfix → unaffected
The bisect in comment 1 may not line up with the patch, which changes a single line added in bug 728086 a couple of weeks later.

https://hg.mozilla.org/integration/mozilla-inbound/rev/0fe3483946f9

So is there a different bug that decoder was seeing in mid February, possibly not fixed by this patch?
Blocks: 728086, 723313
Keywords: regression
(Assignee)

Comment 6

6 years ago
Comment 1 is correct. This is a regression from bug 723313. Then a bug was discovered in bug 728086, which I fixed in an incorrect way. (I needed to initialize some bytes, but I didn't initialize enough.) This patch corrects the problem.

All of this only affects Firefox 13.
(Assignee)

Comment 7

6 years ago
https://hg.mozilla.org/mozilla-central/rev/ecd394385340
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Comment 8

6 years ago
Fix includes test, marking verified based on that.
Status: RESOLVED → VERIFIED
Marking status 13 fixed since I believe trunk was 13 for comment 7.
status-firefox13: affected → fixed
Group: core-security
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-needed [advisory-tracking+]
(Reporter)

Comment 10

5 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug732087.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.