Closed Bug 854807 Opened 12 years ago Closed 12 years ago

Crash [@ js::gc::Cell::tenuredZone] with [@ js::CloneFunctionAtCallsite] on the stack

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla22
Tracking Status
firefox19 --- unaffected
firefox20 --- unaffected
firefox21 --- unaffected
firefox22 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected
b2g18-v1.0.0 --- unaffected
b2g18-v1.0.1 --- unaffected

People

(Reporter: gkw, Assigned: n.nethercote)

References

Details

(4 keywords, Whiteboard: [jsbugmon:testComment=3,origRev=456cb08f8509][adv-main22-])

Crash Data

Attachments

(3 files)

try { with({ z: /x/ }); } catch (e) {}
try { function y() {} } catch (e) {}
try { (c <<= x)() } catch (e) {}
try {} catch (e) {}
try { a(function() {}) } catch (e) {}
try { e(function() {}) } catch (e) {}
try {} catch (e) {}
try { h(function() {}) } catch (e) {}
try { (function() { function x() {} })() } catch (e) {}
try { c.delete = ParallelArray.prototype.scatter } catch (e) {}
try { (function() { for (let d in [String()]) {} })() } catch (e) {}
try { (function() { function z(d = (function() {}))(0) })() } catch (e) {}
try { var c, x } catch (e) {}
try { for (let b;;) { z } } catch (e) {}
try { (function() { ArrayBuffer()() })() } catch (e) {}
try { (function() { for (let a in [0]) { a(function() {}) } })() } catch (e) {}
try { let d } catch (e) {}
try { e1.delete() function x() {} } catch (e) {}
try { (function() {})() } catch (e) {}
try { (function() { 2(function() {}) })() } catch (e) {}
try { (function() {})() } catch (e) {}
try { x |= x } catch (e) {}
try { (function() { ("" (function() {})) })() } catch (e) {}
try { (function() {})() } catch (e) {}
try { (function() { function p() { eval() } })() } catch (e) {}
try { 0(function() {}) } catch (e) {}
try { (function() {})() } catch (e) {}
try { e1 = x } catch (e) {}
try { gc() } catch (e) {}
try { (function() { s() })() } catch (e) {}
try { with(verifyprebarriers()) z } catch (e) {}
try {} catch (e) {}
try {} catch (e) {}
try { (function() { (g(function() { (a(function() { if (j) { (a(function() { return function() { (function()'') + '' o = {} } })) } })) })) })() } catch (e) {}
try {} catch (e) {}
try { g[""] } catch (e) {}
try { gc() } catch (e) {}
try { gc() } catch (e) {}
try { for (melsky = 0; melsky < 2; e) { let y } } catch (e) {}
try {} catch (e) {}
try { (function() { l })() } catch (e) {}
try {} catch (e) {}
try { gc() } catch (e) {}
try {} catch (e) {}
try { [1] } catch (e) {}
try { for (b in ((function() / x / ))) {} } catch (e) {}
try { (h) } catch (e) {}
try { for (e in [(0), , (1)]) {} } catch (e) {}
try { (function() { for (let x;;) { t(function() {}) } })() } catch (e) {}
try {} catch (e) {}

crashes js opt shell on m-c changeset 456cb08f8509 with --no-ion -a -d at js::gc::Cell::tenuredZone

Locking s-s because gc seems to be involved.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 126082:683bb0caab3a
user: Nicholas Nethercote
date: Sun Mar 24 15:28:38 2013 -0700
summary: Bug 854212 - Fix link errors in jsfuninlines.h caused by bug 851421. r=smaug.
Attached file Opt stack
njn, is bug 854212 a probable cause?
Flags: needinfo?(n.nethercote)
Crash Signature: [@ js::gc::Cell::tenuredZone] [@ js::CloneFunctionAtCallsite]
Summary: Crash [@ js::gc::Cell::tenuredZone] → Crash [@ js::gc::Cell::tenuredZone] with [@ js::CloneFunctionAtCallsite] on the stack
Crash Signature: [@ js::gc::Cell::tenuredZone] [@ js::CloneFunctionAtCallsite] → [@ js::gc::Cell::tenuredZone] [@ js::CloneFunctionAtCallsite]
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Error: Failed to isolate test from comment
Retrying this so hopefully JSBugMon can pick it up.
Crash Signature: [@ js::gc::Cell::tenuredZone] [@ js::CloneFunctionAtCallsite] → [@ js::gc::Cell::tenuredZone] [@ js::CloneFunctionAtCallsite]
Whiteboard: [jsbugmon:] → [jsbugmon:update,testComment=3,origRev=456cb08f8509]
Crash Signature: [@ js::gc::Cell::tenuredZone] [@ js::CloneFunctionAtCallsite] → [@ js::gc::Cell::tenuredZone] [@ js::CloneFunctionAtCallsite]
Whiteboard: [jsbugmon:update,testComment=3,origRev=456cb08f8509] → [jsbugmon:testComment=3,origRev=456cb08f8509]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Attached patch: patch
Oh god, bug 854212 was totally trivial but I managed to botch it anyway.
Assignee: general → n.nethercote
Attachment #729451 - Flags: review?(luke)
Flags: needinfo?(n.nethercote)
Attachment #729451 - Attachment is patch: true
Comment on attachment 729451 (patch): Uh, sorry.
Attachment #729451 - Flags: review?(luke) → review+
Crash Signature: [@ js::gc::Cell::tenuredZone] [@ js::CloneFunctionAtCallsite] → [@ js::gc::Cell::tenuredZone] [@ js::CloneFunctionAtCallsite]
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Keywords: sec-high
(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)
> Can we land this test please?

We can land a test for this, sure.
The test didn't reproduce the problem for me, BTW.
(In reply to Nicholas Nethercote [:njn] from comment #10)
> The test didn't reproduce the problem for me, BTW.

I could easily reproduce this bug, but the testcases might have been platform-specific or something. Nonetheless, it probably wouldn't hurt to have one more test in the tree.
No longer depends on: 855536
Whiteboard: [jsbugmon:testComment=3,origRev=456cb08f8509] → [jsbugmon:testComment=3,origRev=456cb08f8509][adv-main22-]
Group: core-security