Closed Bug 803803 Opened 12 years ago Closed 12 years ago

IonMonkey: Opt-only Crash [@ compartment]

Categories: Core :: JavaScript Engine, defect
Platform: x86 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking
Status: RESOLVED WORKSFORME

People

(Reporter: decoder, Assigned: dvander)

Details

(Keywords: crash, sec-critical, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Attached file Testcase for shell
The attached testcase crashes on mozilla-central revision cb573b9307e5 (run with --ion-eager).
dvander asked me to report this although it does not repro on tip anymore (likely because the test is too fragile). This is the second time within a short period that I have seen a GC-related crash/assert that is very fragile, so it might be the same issue. The repro requires a 32-bit optimized build (--disable-debug --enable-optimize --enable-valgrind --enable-gczeal); here is a crash trace:


Program received signal SIGSEGV, Segmentation fault.
compartment (this=0x0) at ../gc/Heap.h:1017
warning: Source file is more recent than executable.
1017        return arenaHeader()->compartment;
(gdb) bt
#0  compartment (this=0x0) at ../gc/Heap.h:1017
#1  MarkInternal<js::ion::IonCode> (thingp=0x8577b64, trc=0x8543d90) at js/src/gc/Marking.cpp:117
#2  MarkRoot<js::ion::IonCode> (name=0x84731b9 "enterJIT", thingp=0x8577b64, trc=0x8543d90) at js/src/gc/Marking.cpp:156
#3  js::gc::MarkIonCodeRoot (trc=0x8543d90, thingp=0x8577b64, name=0x84731b9 "enterJIT") at js/src/gc/Marking.cpp:236
#4  0x08342afd in js::ion::IonCompartment::mark (this=0x8577b60, trc=0x8543d90, compartment=0x856c0a8) at js/src/ion/Ion.cpp:197
#5  0x080977b5 in JSCompartment::mark (this=0x856c0a8, trc=0x8543d90) at js/src/jscompartment.cpp:445
#6  0x080c6281 in js::MarkRuntime (trc=0x8543d90, useSavedRoots=<optimized out>) at js/src/jsgc.cpp:2614
#7  0x080d0677 in BeginMarkPhase (rt=0x8543c98) at js/src/jsgc.cpp:3446
#8  IncrementalCollectSlice (rt=0x8543c98, budget=0, reason=js::gcreason::DEBUG_GC, gckind=js::GC_NORMAL) at js/src/jsgc.cpp:4328
#9  0x080d0f82 in GCCycle (rt=0x8543c98, incremental=<optimized out>, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at js/src/jsgc.cpp:4549
#10 0x080d1369 in Collect (rt=0x8543c98, incremental=false, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at js/src/jsgc.cpp:4663
#11 0x080d1edf in Collect (reason=js::gcreason::DEBUG_GC, gckind=js::GC_NORMAL, budget=0, incremental=false, rt=0x8543c98) at js/src/jsgc.cpp:4586
#12 js::gc::RunDebugGC (cx=0x8568a88) at js/src/jsgc.cpp:4951
#13 0x081816ee in NewGCThing<JSString> (thingSize=16, kind=js::gc::FINALIZE_STRING, cx=0x8568a88) at ../jsgcinlines.h:449
#14 js_NewGCString (cx=0x8568a88) at ../jsgcinlines.h:521
#15 new_ (length=29, chars=0x85b2d60, cx=0x8568a88) at ../vm/String-inl.h:235
#16 js_NewString (cx=0x8568a88, chars=0x85b2d60, length=29) at js/src/jsstr.cpp:3284
#17 0x080699fc in JS_NewStringCopyZ (cx=0x8568a88, s=0x85b2d38 "Function is not a constructor") at js/src/jsapi.cpp:6020
#18 0x080b9e27 in js_ErrorToException (cx=0x8568a88, message=0x85b2d38 "Function is not a constructor", reportp=0xffffbe20, callback=0x80907c0 <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0)
    at js/src/jsexn.cpp:973
#19 0x08093064 in ReportError (cx=0x8568a88, message=<optimized out>, reportp=0xffffbe20, callback=0x80907c0 <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0)
    at js/src/jscntxt.cpp:586
#20 0x080948f9 in js_ReportErrorNumberVA (cx=0x8568a88, flags=0, callback=0x80907c0 <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0, errorNumber=23, charArgs=1, ap=0xffffbee4 "X\236W\b")
    at js/src/jscntxt.cpp:1054
#21 0x0806c3af in JS_ReportErrorFlagsAndNumber (cx=0x8568a88, flags=0, errorCallback=0x80907c0 <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0, errorNumber=23)
    at js/src/jsapi.cpp:6741
#22 0x08093530 in js_ReportValueErrorFlags (cx=0x8568a88, flags=0, errorNumber=23, spindex=-3, v=..., fallback=..., arg1=0x0, arg2=0x0) at js/src/jscntxt.cpp:1176
#23 0x080fd27e in ReportIsNotFunction (construct=<optimized out>, vp=<optimized out>, cx=<optimized out>) at js/src/jsinterp.cpp:247
#24 js::InvokeConstructorKernel (cx=0x8568a88, args=...) at js/src/jsinterp.cpp:452
#25 0x080f07b4 in js::Interpret (cx=0x8568a88, entryFrame=0xf76970f0, interpMode=js::JSINTERP_BAILOUT) at js/src/jsinterp.cpp:2369
#26 0x083419f8 in js::ion::ThunkToInterpreter (vp=0xffffc540) at js/src/ion/Bailouts.cpp:653
#27 0xf7646446 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb)
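As an added illustration (not code from this bug, its testcase, or SpiderMonkey itself), the C model below reproduces the shape of the marking path in the trace: frames #0 to #4 show IonCompartment::mark handing the "enterJIT" root to MarkInternal, which calls compartment() on a null IonCode pointer and faults at Heap.h:1017. The checked marker next to the unchecked one is an assumption about one way such a root slot can be tolerated during a zeal GC; the bug was closed WORKSFORME with no fix identified, so it does not describe any actual patch. All type and function names here (Compartment, ArenaHeader, IonCode, Tracer, mark_root_unchecked, mark_root_checked, IonCompartmentModel, run_demo) are hypothetical stand-ins.

```c
#include <stddef.h>

/* Added example, not SpiderMonkey code: a minimal model of the marking path
 * in the backtrace above (MarkIonCodeRoot -> MarkInternal -> compartment()).
 * Every type and function name in this file is a hypothetical stand-in. */

typedef struct Compartment { const char *name; } Compartment;

/* Models gc/Heap.h: a GC thing reaches its compartment through the header
 * of the arena it was allocated in. */
typedef struct ArenaHeader { Compartment *compartment; } ArenaHeader;

typedef struct IonCode {
    ArenaHeader *arena;   /* assumption: explicit pointer instead of address masking */
    int marked;
} IonCode;

typedef struct Tracer {
    int roots_marked;
    int null_roots_skipped;
} Tracer;

/* Counterpart of Heap.h:1017 ("return arenaHeader()->compartment;").
 * Called with code == NULL this is the SIGSEGV at compartment (this=0x0). */
static Compartment *thing_compartment(IonCode *code) {
    return code->arena->compartment;
}

/* Unchecked marker: what the trace shows. The root slot's pointee is
 * dereferenced without asking whether anything has been stored in it yet. */
static Compartment *mark_root_unchecked(Tracer *trc, IonCode **thingp) {
    IonCode *code = *thingp;
    Compartment *c = thing_compartment(code);   /* faults when *thingp == NULL */
    code->marked = 1;
    trc->roots_marked++;
    return c;
}

/* Checked marker (assumption, not the project's fix): a root slot whose
 * pointee has not been created yet is skipped instead of dereferenced. */
static Compartment *mark_root_checked(Tracer *trc, IonCode **thingp) {
    if (thingp == NULL || *thingp == NULL) {
        trc->null_roots_skipped++;
        return NULL;
    }
    return mark_root_unchecked(trc, thingp);
}

/* Models IonCompartment::mark walking its fixed code roots. The slots are
 * assumed to start out NULL and to be filled in lazily on first use. */
typedef struct IonCompartmentModel {
    IonCode *enterJIT;        /* the root named in frames #2 and #3 of the trace */
    IonCode *bailoutHandler;  /* hypothetical second root */
} IonCompartmentModel;

int mark_ion_compartment(Tracer *trc, IonCompartmentModel *ic) {
    mark_root_checked(trc, &ic->enterJIT);
    mark_root_checked(trc, &ic->bailoutHandler);
    return trc->roots_marked;
}

/* Constructed scenario: one root populated, one still NULL, which is the
 * state the trace reports (a root slot holding NULL when the zeal GC from
 * frame #12, RunDebugGC, starts marking). Returns the number of roots
 * marked; the tracer counters are copied to *out when out is non-NULL. */
static int run_demo(Tracer *out) {
    static Compartment comp = { "constructed-compartment" };
    static ArenaHeader hdr = { &comp };
    static IonCode code = { &hdr, 0 };
    IonCompartmentModel ic = { &code, NULL };
    Tracer trc = { 0, 0 };
    int n = mark_ion_compartment(&trc, &ic);
    if (out) *out = trc;
    return n;
}

int demo_roots_marked(void) { return run_demo(NULL); }

int demo_null_roots_skipped(void) {
    Tracer trc;
    run_demo(&trc);
    return trc.null_roots_skipped;
}
```

Swapping mark_root_checked for mark_root_unchecked inside mark_ion_compartment reproduces the null dereference on the second slot, which is the cheapest way to confirm that a marker's behaviour on an unpopulated root is what a fuzz-found, fragile GC crash like this one depends on.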
Whiteboard: [jsbugmon:ignore]
Bug 801831 may be related, but only some parts of the stack are similar. :-/
Assuming sec-critical due to GC-related crash.
Keywords: sec-critical
Assignee: general → nihsanullah
Naveed, at CritSmash we were thinking you might be able to find an assignee for this.
Flags: needinfo?(nihsanullah)
Dear jsbugmon, please see if bug 801831 fixed this.
Assignee: nihsanullah → dvander
Status: NEW → ASSIGNED
Whiteboard: [jsbugmon:ignore] → [jsbugmon:update]
Flags: needinfo?(nihsanullah)
Bugmon won't be able to handle this, because the crash is opt-only and currently it only supports debug builds. I'll check this later :)
Setting needinfo? as a reminder for comment 6.
Flags: needinfo?(choller)
Since comment 0 already says that this test is highly unstable, I guess there is no way to see if a certain revision fixed it (reliably). The crash hasn't popped up anymore since it was reported, so I'm going to assume it was fixed and mark as WFM.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: needinfo?(choller)
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release