Assertion failure: addr % CellSize == 0, at ../../gc/Heap.h:819 or Crash [@ js::gc::MarkKind]

RESOLVED FIXED in mozilla21

Status


defect
--
critical
RESOLVED FIXED
7 years ago
7 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks 1 bug, {assertion, crash, testcase})

Trunk
mozilla21
x86
Linux
Points: ---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(1 attachment)

The following testcase asserts on mozilla-central revision 8cc32d6fa707 (run with --ion-eager):


// Zeal mode 4 enables the GC pre-barrier verifier, which is what reaches
// StartVerifyPreBarriers in the backtrace below.
gczeal(4);
// The function body is assembled as one string (backslash line
// continuations) and eval'd, so the whole body parses as a single line.
eval("(function() { " + "\
for ( var CHARCODE = 1024; CHARCODE < 65536; CHARCODE+= 1234 ) {\
    unescape( '%u'+(ToUnicodeString(CHARCODE)).substring(0,3) )\
}\
function ToUnicodeString( n ) {\
  var string = ToHexString(n);\
  return string;\
}\
function ToHexString( n ) {\
  var hex = new Array();\
  for ( var mag = 1; Math.pow(16,mag) <= n ; mag++ ) {}\
  for ( index = 0, mag -= 1; mag > 0; index++, mag-- ) {\
    hex[index] = Math.floor( n / Math.pow(16,mag) );\
    var string ='';\
    string <<=  'A';\
    string += hex[index];\
  }\
  if ( 'var MYVAR=Number.NEGATIVE_INFINITY;MYVAR++;MYVAR' )\
    string = '0' + string;\
  return string;\
}\
" + " })();");
Debug backtrace for assertion:


Program received signal SIGSEGV, Segmentation fault.
0x0804d91b in js::gc::Cell::address (this=0x996) at ../../gc/Heap.h:819
819         JS_ASSERT(addr % CellSize == 0);
(gdb) bt
#0  0x0804d91b in js::gc::Cell::address (this=0x996) at ../../gc/Heap.h:819
#1  0x0804d9f7 in js::gc::Cell::arenaHeader (this=0x996) at ../../gc/Heap.h:935
#2  0x080715b9 in js::gc::Cell::getAllocKind (this=0x996) at ../gc/Heap.h:952
#3  0x08114f8b in js::gc::GetGCThingTraceKind (thing=0x996) at ../jsgcinlines.h:61
#4  0x083e4592 in js::gc::MarkKind (trc=0x89adbf0, thingp=0xffffa4fc, kind=JSTRACE_STRING) at /srv/repos/mozilla-central/js/src/gc/Marking.cpp:365
#5  0x083e4cb2 in MarkValueInternalMaybeNullPayload (trc=0x89adbf0, v=0xf76971a0) at /srv/repos/mozilla-central/js/src/gc/Marking.cpp:508
#6  0x083e5103 in js::gc::MarkValueRootRangeMaybeNullPayload (trc=0x89adbf0, len=3, vec=0xf7697190, name=0x86e247d "vm_stack") at /srv/repos/mozilla-central/js/src/gc/Marking.cpp:575
#7  0x0833b18b in js::StackSpace::markFrame (this=0x8959d84, trc=0x89adbf0, fp=0xf7697150, slotsEnd=0xf76971a8) at /srv/repos/mozilla-central/js/src/vm/Stack.cpp:652
#8  0x0833b1f8 in js::StackSpace::mark (this=0x8959d84, trc=0x89adbf0) at /srv/repos/mozilla-central/js/src/vm/Stack.cpp:674
#9  0x083e02d6 in js::gc::MarkRuntime (trc=0x89adbf0, useSavedRoots=false) at /srv/repos/mozilla-central/js/src/gc/RootMarking.cpp:766
#10 0x083fc221 in js::gc::StartVerifyPreBarriers (rt=0x8959d30) at /srv/repos/mozilla-central/js/src/gc/Verifier.cpp:483
#11 0x083fc9b0 in MaybeVerifyPreBarriers (rt=0x8959d30, always=true) at /srv/repos/mozilla-central/js/src/gc/Verifier.cpp:815
#12 0x083fca67 in js::gc::MaybeVerifyBarriers (cx=0x8980e68, always=true) at /srv/repos/mozilla-central/js/src/gc/Verifier.cpp:836
#13 0x08189af5 in js::Interpret (cx=0x8980e68, entryFrame=0xf7697150, interpMode=js::JSINTERP_BAILOUT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:3701
#14 0x084d1275 in js::ion::ThunkToInterpreter (vp=0xffffb274) at /srv/repos/mozilla-central/js/src/ion/Bailouts.cpp:662
#15 0xf7fc726e in ?? ()


Crash doesn't look harmful but involves GC, marking s-s.
Crash Signature: [@ js::gc::MarkKind]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Let's assume that if the value is unaligned it's completely bogus and bad things may happen.
Keywords: sec-high
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   111162:9a5191dfae8d
user:        Brian Hackett
date:        Tue Oct 23 09:20:56 2012 -0700
summary:     Keep the interpreter stack synced for GC scanning, bug 781657. r=billm

This iteration took 94.194 seconds to run.
Brian, can you take a look based on comment 3? Thanks!
Flags: needinfo?(bhackett1024)
Posted patch: patch
JM is leaving a torn value on the stack here, but only when returning from the script (JM ensures the stack is synced before making a call, but not when finishing up a frame).  There isn't a way for a GC to happen afterwards in the epilogue which could observe the torn value, so this is fine.  (Debugger hooks can get invoked but will force all stack variables to be treated as closed and thus always fully synced.)  The problem is that Interpret() calls MaybeVerifyBarriers at the end, and this call observes the torn value.

This patch moves the MaybeVerifyBarriers to a point where it will not be called when doing a final unwind of a JM executed frame.
Attachment #709479 - Flags: review?(wmccloskey)
Flags: needinfo?(bhackett1024)
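The "torn value" in the comment above is a boxed value whose tag and payload are written by separate stores, so a scan that runs between them sees a tag of "string" with a stale payload such as the 0x996 in the backtrace, and the alignment assertion in gc/Heap.h is what catches it. The following is an added toy model of that situation, not SpiderMonkey code; the struct layout, CELL_SIZE, and every function name are assumptions made for illustration.

```c
/* Added example, not SpiderMonkey code: a toy model of a torn boxed value
 * being observed by a GC scan. The alignment check mirrors the assertion
 * "addr % CellSize == 0" from gc/Heap.h. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CELL_SIZE 8u          /* assumed cell granularity, as js::gc::CellSize */

enum tag { TAG_INT32 = 1, TAG_STRING = 2 };

/* Two-word boxed value, as on 32-bit builds where the tag word and the
 * payload word land in separate stores. */
struct value {
    uintptr_t payload;
    uint32_t  tag;
};

/* Stand-in for a GC cell; real cells are CELL_SIZE-aligned. */
struct cell {
    uint32_t header;
    uint32_t data;
};

/* The check behind "addr % CellSize == 0": a cell pointer must be a
 * non-null multiple of CELL_SIZE. A payload that fails it cannot be a cell. */
static bool is_cell_address(uintptr_t addr)
{
    return addr != 0 && addr % CELL_SIZE == 0;
}

/* Marker for one stack slot.
 *   0  slot does not hold a GC thing, nothing to mark
 *   1  slot holds a well-formed cell pointer, marked
 *  -1  slot is torn: tag says string, payload is not a cell address
 * The real marker asserts on this case; returning -1 lets a caller decide. */
static int mark_slot(const struct value *slot)
{
    if (slot->tag != TAG_STRING)
        return 0;
    if (!is_cell_address(slot->payload))
        return -1;
    return 1;
}

/* Simulate the interpreter replacing an int32 slot with a string using two
 * stores. When `synced` is false only the tag store has happened, which is
 * what a scan sees if it runs before the frame is fully synced. */
static void store_string(struct value *slot, const struct cell *s, bool synced)
{
    slot->tag = TAG_STRING;                 /* first store: tag */
    if (synced)
        slot->payload = (uintptr_t)s;       /* second store: payload */
}

/* Scenario: the slot previously held int32 0x996 (the `this` value in the
 * backtrace above), then a string store begins and a scan runs. */
int scan_after_store(bool synced)
{
    static _Alignas(CELL_SIZE) struct cell str = { 0, 0 };
    struct value slot = { 0x996, TAG_INT32 };
    store_string(&slot, &str, synced);
    return mark_slot(&slot);
}

int main(void)
{
    printf("torn slot   -> %d\n", scan_after_store(false));  /* -1 */
    printf("synced slot -> %d\n", scan_after_store(true));   /*  1 */
    return 0;
}
```

The point of the model is the ordering: a verifier or collector that scans stack slots is only safe if it runs at a point where both words of every live slot have been written, which is what moving the MaybeVerifyBarriers call out of the final-unwind path achieves.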
Crash in debugging code, not s-s.
Group: core-security
Keywords: sec-high
Attachment #709479 - Flags: review?(wmccloskey) → review+
https://hg.mozilla.org/mozilla-central/rev/b757198a3ba3
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21