Closed Bug 833163 Opened 11 years ago Closed 11 years ago

Crash [@ js::gc::ArenaLists::allocateFromArena]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Windows 7
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla21

People

(Reporter: mayhemer, Assigned: billm)

Details

(Keywords: assertion, crash)

Attachments

(2 files)

This happens for me on try with my patch for bug 600307.  I have created a test with the following function, used a few times, that I suspect is causing the crash:


function localStorageFlush(cb)  // <<----
{
  var ob = {
    observe : function(sub, top, dat)
    {
      os().removeObserver(ob, "domstorage-flushed"); // < probably the bad line?
      cb();
    }
  };
  os().addObserver(ob, "domstorage-flushed", false);
  notify("domstorage-flush-force");
}

function os()
{
  return SpecialPowers.Cc["@mozilla.org/observer-service;1"]
                      .getService(SpecialPowers.Ci.nsIObserverService);
}

function notify(top)
{
  os().notifyObservers(null, top, null);
}


The function triggers an immediate flush of DOM storage data on a background thread which, after it is done, posts a "domstorage-flushed" notification to the main thread.  This notification is triggered regardless of whether any observer has been registered on nsIObserverService (obviously).

A few seconds after the last localStorage test runs (I believe 5 seconds, which is the DB flushing interval that fires the "domstorage-flushed" topic), in test_pointerlock-api.html I experience the following crash:

Crash reason:  EXCEPTION_BREAKPOINT
Crash address: 0x6a4cdf41

Thread 0 (crashed)
 0  mozjs.dll!js::gc::ArenaLists::allocateFromArena(JSCompartment *,js::gc::AllocKind) [jsgc.cpp:c6de83fed9ba : 1181 + 0x60]
    eip = 0x6a4cdf41   esp = 0x001ccb30   ebp = 0x001ccb5c   ebx = 0x7667509b
    esi = 0x70171440   edi = 0x1ababa10   eax = 0x00000000   ecx = 0x04c5c447
    edx = 0x7026e4d8   efl = 0x00200216
    Found by: given as instruction pointer in context
 1  mozjs.dll!js::gc::ArenaLists::refillFreeList(JSContext *,js::gc::AllocKind) [jsgc.cpp:c6de83fed9ba : 1488 + 0xe]
    eip = 0x6a4ddadf   esp = 0x001ccb64   ebp = 0x001ccb90
    Found by: call frame info
 2  mozjs.dll!js::gc::NewGCThing<JSObject>(JSContext *,js::gc::AllocKind,unsigned int) [jsgcinlines.h:c6de83fed9ba : 505 + 0xc]
    eip = 0x6a43dc9d   esp = 0x001ccb98   ebp = 0x001ccbb0
    Found by: call frame info
 3  mozjs.dll!js_NewGCObject(JSContext *,js::gc::AllocKind) [jsgcinlines.h:c6de83fed9ba : 584 + 0x11]
    eip = 0x6a43f7d3   esp = 0x001ccbb8   ebp = 0x001ccbc8
    Found by: call frame info
 4  mozjs.dll!JSObject::create(JSContext *,js::gc::AllocKind,JS::Handle<js::Shape *>,JS::Handle<js::types::TypeObject *>,js::HeapSlot *) [jsobjinlines.h:c6de83fed9ba : 972 + 0xc]
    eip = 0x6a52e889   esp = 0x001ccbd0   ebp = 0x001ccbe8
    Found by: call frame info
 5  mozjs.dll!NewObject [jsobj.cpp:c6de83fed9ba : 1174 + 0x1d]
    eip = 0x6a54ea03   esp = 0x001ccbf0   ebp = 0x001ccc28
    Found by: call frame info
 6  mozjs.dll!js::NewObjectWithGivenProto(JSContext *,js::Class *,js::TaggedProto,JSObject *,js::gc::AllocKind) [jsobj.cpp:c6de83fed9ba : 1227 + 0xf]
    eip = 0x6a55184a   esp = 0x001ccc30   ebp = 0x001ccc64
    Found by: call frame info
 7  mozjs.dll!NewProxyObject [jsproxy.cpp:c6de83fed9ba : 3108 + 0x19]
    eip = 0x6a59c5c2   esp = 0x001ccc6c   ebp = 0x001ccd00
    Found by: call frame info
 8  mozjs.dll!js::NewProxyObject(JSContext *,js::BaseProxyHandler *,JS::Value const &,JSObject *,JSObject *,JSObject *,JSObject *) [jsproxy.cpp:c6de83fed9ba : 3134 + 0x1f]
    eip = 0x6a59c873   esp = 0x001ccd08   ebp = 0x001ccd20
    Found by: call frame info
 9  mozjs.dll!js::Wrapper::New(JSContext *,JSObject *,JSObject *,JSObject *,js::Wrapper *) [jswrapper.cpp:c6de83fed9ba : 56 + 0x5a]
    eip = 0x6a663dfa   esp = 0x001ccd28   ebp = 0x001ccd58
    Found by: call frame info
10  xul.dll!xpc::WrapperFactory::Rewrap(JSContext *,JSObject *,JSObject *,JSObject *,JSObject *,unsigned int) [WrapperFactory.cpp:c6de83fed9ba : 464 + 0x10]
    eip = 0x6baaa278   esp = 0x001ccd60   ebp = 0x001ccda4
    Found by: call frame info
11  mozjs.dll!JSCompartment::wrap(JSContext *,JS::Value *,JSObject *) [jscompartment.cpp:c6de83fed9ba : 407 + 0x34]
    eip = 0x6a478fff   esp = 0x001ccdac   ebp = 0x001cceb8
    Found by: call frame info
12  mozjs.dll!JSCompartment::wrap(JSContext *,JSObject * *,JSObject *) [jscompartment.cpp:c6de83fed9ba : 449 + 0x19]
    eip = 0x6a479456   esp = 0x001ccec0   ebp = 0x001ccee8
    Found by: call frame info
13  mozjs.dll!JS_WrapObject(JSContext *,JSObject * *) [jsapi.cpp:c6de83fed9ba : 1524 + 0xe]
    eip = 0x6a3fd896   esp = 0x001ccef0   ebp = 0x001ccf00
    Found by: call frame info
14  xul.dll!XPCConvert::NativeInterface2JSObject(XPCLazyCallContext &,JS::Value *,nsIXPConnectJSObjectHolder * *,xpcObjectHelper &,nsID const *,XPCNativeInterface * *,bool,tag_nsresult *) [XPCConvert.cpp:c6de83fed9ba : 976 + 0x16]
    eip = 0x6ba0b71e   esp = 0x001ccf08   ebp = 0x001ccf50
    Found by: call frame info
15  xul.dll!XPCConvert::NativeData2JS(XPCLazyCallContext &,JS::Value *,void const *,nsXPTType const &,nsID const *,tag_nsresult *) [XPCConvert.cpp:c6de83fed9ba : 319 + 0x16]
    eip = 0x6ba0d10c   esp = 0x001ccf58   ebp = 0x001ccfb0
    Found by: call frame info
16  xul.dll!XPCConvert::NativeData2JS(XPCCallContext &,JS::Value *,void const *,nsXPTType const &,nsID const *,tag_nsresult *) [xpcprivate.h:c6de83fed9ba : 3304 + 0x3f]
    eip = 0x6ba0da4a   esp = 0x001ccfb8   ebp = 0x001cd06c
    Found by: call frame info
17  xul.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS *,unsigned short,XPTMethodDescriptor const *,nsXPTCMiniVariant *) [XPCWrappedJSClass.cpp:c6de83fed9ba : 1341 + 0x21]
    eip = 0x6ba30325   esp = 0x001cd074   ebp = 0x001cd2dc
    Found by: call frame info
18  xul.dll!nsXPCWrappedJS::CallMethod(unsigned short,XPTMethodDescriptor const *,nsXPTCMiniVariant *) [XPCWrappedJS.cpp:c6de83fed9ba : 578 + 0x12]
    eip = 0x6ba27dd2   esp = 0x001cd2e4   ebp = 0x001cd308
    Found by: call frame info
19  xul.dll!PrepareAndDispatch [xptcstubs.cpp:c6de83fed9ba : 85 + 0x22]
    eip = 0x6c21ae65   esp = 0x001cd310   ebp = 0x001cd3cc
    Found by: call frame info
20  xul.dll!SharedStub [xptcstubs.cpp:c6de83fed9ba : 112 + 0x4]
    eip = 0x6c21af66   esp = 0x001cd3d4   ebp = 0x001cd3e8
    Found by: call frame info
21  xul.dll!nsObserverList::NotifyObservers(nsISupports *,char const *,wchar_t const *) [nsObserverList.cpp:c6de83fed9ba : 99 + 0x19]
    eip = 0x6c1c3c1a   esp = 0x001cd3f0   ebp = 0x001cd3e8
    Found by: call frame info


This happened for me occasionally, with exactly the same stack, only on the Win Debug machine (not on WinXP Debug).  Probably a tight timing issue.  Locally unreproducible on my win7 box.

Here is one of the try runs: https://tbpl.mozilla.org/?tree=Try&rev=c6de83fed9ba

I have more runs, on different m-c changesets, to check that this was not just a broken changeset.

I'm not sure whether I am removing the observer incorrectly or this is some JS-related bug, so I am reporting it for those interested in investigating.  I believe we shouldn't crash the browser that easily, anyway.

I will rework the observer to work around this issue, leaving the original test code for investigation.

I don't believe this is some memory corruption caused by the DOM storage changes, but of course it might be.

Reporting as a hidden bug instead, since it is probably a use-after-free.
Severity: normal → critical
Group: core-security
Attached patch: remove assertion
The scheduledForDestruction assertion is firing here during an allocation. I forgot to remove this one in bug 811587.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #705044 - Flags: review?(luke)
Attachment #705044 - Flags: review?(luke) → review+
This is an assertion. It wouldn't happen in release builds.
Crash Signature: [@ js::gc::ArenaLists::allocateFromArena(JSCompartment*, js::gc::AllocKind) ]
thanks. I should have read more closely.
Keywords: assertion
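As an added illustration (not code from this bug or from Mozilla's tooling): a small Python parser for the breakpad-style stack pasted in comment 0 that derives the crash signature recorded in this bug and applies the triage rule billm states, namely that EXCEPTION_BREAKPOINT is a deliberate breakpoint from a failed debug assertion rather than a memory fault. The signature normalisation is an assumed approximation of Socorro's, and the embedded dump is a constructed two-frame excerpt of the one above.

```python
import re

# Constructed excerpt of the dump in comment 0 (header plus first two frames).
SAMPLE_DUMP = """\
Crash reason:  EXCEPTION_BREAKPOINT
Crash address: 0x6a4cdf41

Thread 0 (crashed)
 0  mozjs.dll!js::gc::ArenaLists::allocateFromArena(JSCompartment *,js::gc::AllocKind) [jsgc.cpp:c6de83fed9ba : 1181 + 0x60]
    Found by: given as instruction pointer in context
 1  mozjs.dll!js::gc::ArenaLists::refillFreeList(JSContext *,js::gc::AllocKind) [jsgc.cpp:c6de83fed9ba : 1488 + 0xe]
    Found by: call frame info
"""

# One frame line: "<idx>  <module>!<function> [<file>:<rev> : <line> + <offset>]"
FRAME_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<module>[^!\s]+)!(?P<func>.+?)"
    r"\s+\[(?P<file>[^:\]]+):(?P<rev>[0-9a-f]+) : (?P<line>\d+)"
)

def parse_dump(dump):
    """Return (crash_reason, [frames]) from a breakpad-style text dump;
    register and 'Found by' lines are skipped because they never match FRAME_RE."""
    reason, frames = None, []
    for text in dump.splitlines():
        if text.startswith("Crash reason:"):
            reason = text.split(":", 1)[1].strip()
            continue
        m = FRAME_RE.match(text)
        if m:
            frames.append({"idx": int(m["idx"]), "module": m["module"],
                           "func": m["func"], "file": m["file"], "line": int(m["line"])})
    return reason, frames

def crash_signature(frames):
    """Assumed Socorro-like normalisation of the top frame: no space before '*',
    one space after ',', wrapped as '[@ ... ]' (the form shown in this bug)."""
    func = re.sub(r"\s+\*", "*", frames[0]["func"])
    func = re.sub(r",\s*", ", ", func)
    return f"[@ {func} ]"

def classify_reason(reason):
    """Triage heuristic: EXCEPTION_BREAKPOINT is an int3 executed on purpose, which is
    how a failed debug assertion reports on Windows; an access violation is a real
    memory-access fault that deserves a memory-safety investigation."""
    if reason == "EXCEPTION_BREAKPOINT":
        return "assertion"
    if reason.startswith("EXCEPTION_ACCESS_VIOLATION"):
        return "memory-access fault"
    return "other"
```

Run against the full dump from comment 0 it yields the same signature as the Crash Signature field above and classifies the report as an assertion, consistent with the resolution.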
Thanks!  I will apply the patch locally and to my try series.
https://hg.mozilla.org/mozilla-central/rev/78cc4b7f372a
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21