Bug 746768 - Crash [@ js::gc::Chunk::allocateArena]
Status: Closed, RESOLVED DUPLICATE of bug 754242 (opened 13 years ago, closed 12 years ago)
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Assigned: billm
Details: 4 keywords, Whiteboard: [sg:dupe 754242][js:p1:fx16][advisory-tracking-]
Attachments (3 files):
  39.71 KB, application/x-gtar-compressed
  383.79 KB, text/plain
  1.57 KB, patch (Splinter Review)
Description
The attached test crashes on mozilla-central revision df9ea73ec1f4. This test requires a 64-bit opt build (--disable-debug --enable-optimize --enable-valgrind). Running instructions are in the README file in the archive. The test is very large and fragile; if you cannot reproduce, let me know.
Backtrace in GDB:
Program received signal SIGSEGV, Segmentation fault.
js::gc::Chunk::allocateArena (this=0x7ffff0a00420, comp=<value optimized out>, thingKind=js::gc::FINALIZE_TYPE_OBJECT) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsgc.cpp:756
756 : fetchNextDecommittedArena();
(gdb) bt 8
#0 js::gc::Chunk::allocateArena (this=0x7ffff0a00420, comp=<value optimized out>, thingKind=js::gc::FINALIZE_TYPE_OBJECT) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsgc.cpp:756
#1 0x000000000046cb94 in allocateFromArena (cx=0x97d850, thingKind=js::gc::FINALIZE_TYPE_OBJECT) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsgc.cpp:1474
#2 js::gc::ArenaLists::refillFreeList (cx=0x97d850, thingKind=js::gc::FINALIZE_TYPE_OBJECT) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsgc.cpp:1693
#3 0x0000000000488ffd in NewGCThing<js::types::TypeObject> (this=<value optimized out>, cx=0x97d850, script=<value optimized out>, key=JSProto_Object, proto=0x7ffff0905060, unknown=true) at ../jsgcinlines.h:455
#4 js::types::TypeCompartment::newTypeObject (this=<value optimized out>, cx=0x97d850, script=<value optimized out>, key=JSProto_Object, proto=0x7ffff0905060, unknown=true)
at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinfer.cpp:1917
#5 0x000000000048c95e in JSObject::getNewType (this=0x7ffff0905060, cx=0x97d850, fun=0x0) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsinfer.cpp:5654
#6 0x000000000043404b in NewArray<true> (cx=0x97d850, length=0, proto=<value optimized out>) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsarray.cpp:3834
#7 js::NewDenseAllocatedArray (cx=0x97d850, length=0, proto=<value optimized out>) at /home/ownhero/homes/mozilla/repos/mozilla-central/js/src/jsarray.cpp:3871
(More stack frames follow...)
(gdb) x /i $pc
=> 0x464779 <js::gc::Chunk::allocateArena(JSCompartment*, js::gc::AllocKind)+41>: mov 0xffff8(%rdi),%r8d
(gdb) info reg rdi
rdi 0x7ffff0a00420 140737230406688
I will also attach a Valgrind log; it contains lots of errors and shows the crash differently. S-s due to gc-related memory corruption, also assuming sg:critical based on that.
Luke also had a brief look at this issue and might be able to provide more information.
Comment 1 • 13 years ago (Reporter)
Comment 2 • 13 years ago
What I noticed is that, at the crash, rt->gcChunkSet was all zeroed out.
However the valgrind log shows weird touching-after-GC happening well before that.
Updated • 13 years ago
Keywords: sec-critical
Comment 3 • 13 years ago (Assignee)
I'm attaching a patch that makes this test crash at the first valgrind warning. I also found that I can compile with --disable-debug --disable-optimize --enable-gczeal --enable-valgrind --enable-debug-symbols and it crashes, and I get debug info.
Christian, is there any chance you could reduce this test case further using the attached patch?
Comment 4 • 13 years ago
Assigning to Christian to answer comment 2
Assignee: general → choller
status-firefox14: --- → affected
status-firefox15: --- → affected
Keywords: testcase-wanted
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-needed [needs test reduction]
Comment 5 • 13 years ago (Reporter)
I talked to billm on IRC and he has access to the reduced test, but the reducing didn't help much so far.
@billm: If there's anything else I should try to make the test more stable, let me know and I'll try to reduce further.
Assignee: choller → wmccloskey
Whiteboard: [sg:critical] js-triage-needed [needs test reduction] → [sg:critical] js-triage-needed
Updated • 13 years ago
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] [js:p1:fx16]
Updated • 12 years ago
status-firefox16: --- → affected
tracking-firefox14: --- → -
tracking-firefox15: --- → -
tracking-firefox16: --- → +
Updated • 12 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated • 12 years ago
Whiteboard: [sg:critical] [js:p1:fx16] → [sg:critical][js:p1:fx16][advisory-tracking-]
Comment 7 • 12 years ago
Marking esr10 unaffected, same as bug 754242.
status-firefox-esr10: --- → unaffected
Updated • 12 years ago
Group: core-security
Keywords: sec-critical → sec-other
Whiteboard: [sg:critical][js:p1:fx16][advisory-tracking-] → [sg:dupe 754242][js:p1:fx16][advisory-tracking-]
Comment 8 • 12 years ago (Reporter)
A testcase for this bug was already added in the original bug (bug 754242).
Flags: in-testsuite-
Updated • 9 years ago
Keywords: testcase-wanted