Crash [@ TryAttachCallStub] with setObjectMetadataCallback

RESOLVED FIXED in mozilla25

Status: RESOLVED FIXED
Type: defect; Priority: --; Severity: critical
People: Reporter: decoder; Assigned: bhackett
Tracking: Blocks 1 bug; Keywords: crash, testcase
Version: Trunk; Target Milestone: mozilla25; Hardware: x86_64; OS: Linux
Points: ---
Firefox Tracking Flags: Not tracked
Whiteboard: [jsbugmon:update], crash signature
Attachments: 2

Description (Reporter, 6 years ago)
The following testcase crashes on mozilla-central revision 18467a85acf6 (run with --ion-eager):

function test() {
    try {
        writeTestCaseResult();
    } catch(e) {}
}
function writeTestCaseResult( ) {
    return undefined.match(/foo/);
}
setObjectMetadataCallback(function(obj) { test(); });
x();

Updated (Reporter, 6 years ago)
Whiteboard: [jsbugmon:update]

Updated (6 years ago)
Crash Signature: [@ TryAttachCallStub] → [@ TryAttachCallStub] [@ js::ion::TryAttachCallStub]

Comment 2 (Reporter, 6 years ago)
Needinfo from Brian because setObjectMetadataCallback is involved.
Flags: needinfo?(bhackett1024)

Updated (Assignee, 6 years ago)
Duplicate of this bug: 888896

Updated (Assignee, 6 years ago)
Duplicate of this bug: 888901

Comment 5 (Assignee, 6 years ago)
Posted patch: patch.txt
Bad things happen when we reenter JS while parsing/emitting scripts.
Assignee: general → bhackett1024
Attachment #781836 - Flags: review?(luke)
Flags: needinfo?(bhackett1024)

Updated (6 years ago)
Attachment #781836 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/fb48c7d58b8b
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25

Updated (6 years ago)
Crash Signature: [@ TryAttachCallStub] [@ js::ion::TryAttachCallStub] → [@ TryAttachCallStub] [@ js::ion::TryAttachCallStub] [@ js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool, bool)]
It's #2 top crasher in 24.0a2 on Mac OS X.
Keywords: topcrash

Comment 9 (Assignee, 6 years ago)
setObjectMetadataCallback is a debugging hook which is not yet exposed to the browser at all.

Comment 10 (Reporter, 6 years ago)
(In reply to Brian Hackett (:bhackett) from comment #9)
> setObjectMetadataCallback is a debugging hook which is not yet exposed to
> the browser at all.

Isn't it still possible that this bug is triggered also without setObjectMetadataCallback, just that the fuzzer hasn't found this case? (because it might be more complex).

Comment 11 (Assignee, 6 years ago)
(In reply to Christian Holler (:decoder) from comment #10)
> (In reply to Brian Hackett (:bhackett) from comment #9)
> > setObjectMetadataCallback is a debugging hook which is not yet exposed to
> > the browser at all.
> 
> Isn't it still possible that this bug is triggered also without
> setObjectMetadataCallback, just that the fuzzer hasn't found this case?
> (because it might be more complex).

Well, this bug is about crashes that can happen when reentering JS in the parser/emitter.  This shouldn't be possible but could in principle happen.  It could be prevented entirely (we already do something similar when doing analysis/compilation) but it would be good to know if that is actually the culprit with these OS X (OS X only?) crashes.  Scoobidiver, can you point to some crash reports?  If the stack information is good enough it should be easy to see what's going on from them.
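The hazard described in comments 5 and 11 (a hook that fires on every object allocation and runs script, which then re-enters the parser/emitter while its state is live) and the "prevent it entirely" mitigation mentioned in comment 11, modelled in an added C++ example. This is not SpiderMonkey code and not the patch attached to this bug; Runtime, ObjectMetadataHook, compileScript, AutoSuppressObjectMetadata and deepestParserNesting are hypothetical names, and the allocation sequence is constructed. It contrasts the unguarded run, where the hook nests the compiler several frames deep, with an RAII guard that suppresses the hook for the duration of compilation so no script can run from inside an allocation:

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Constructed toy model of the re-entry hazard; all names are hypothetical
// and nothing here is SpiderMonkey code.
struct Runtime;
using ObjectMetadataHook = std::function<void(Runtime&)>;

struct Runtime {
    ObjectMetadataHook metadataHook;    // installed by a modelled setObjectMetadataCallback
    bool suppressMetadataHook = false;  // true while the parser/emitter is on the stack
    int parseDepth = 0;                 // nesting of compileScript frames
    int maxParseDepth = 0;              // deepest nesting seen; > 1 means the parser was re-entered
    std::vector<std::string> allocations;

    // Every object allocation notifies the hook, which may run arbitrary script.
    void newObject(const std::string& kind) {
        allocations.push_back(kind);
        if (metadataHook && !suppressMetadataHook)
            metadataHook(*this);
    }
};

// RAII guard: while it is alive the hook is not invoked, so no script can run
// and re-enter the compiler from inside one of its own allocations.
struct AutoSuppressObjectMetadata {
    Runtime& rt;
    bool saved;
    explicit AutoSuppressObjectMetadata(Runtime& r)
        : rt(r), saved(r.suppressMetadataHook) {
        rt.suppressMetadataHook = true;
    }
    ~AutoSuppressObjectMetadata() { rt.suppressMetadataHook = saved; }
};

// Models parse + bytecode emission for one script: it allocates GC objects
// (a script object and a function object) while its own state is live.
void compileScript(Runtime& rt, bool guarded) {
    rt.parseDepth++;
    rt.maxParseDepth = std::max(rt.maxParseDepth, rt.parseDepth);
    {
        std::unique_ptr<AutoSuppressObjectMetadata> guard;
        if (guarded)
            guard.reset(new AutoSuppressObjectMetadata(rt));
        rt.newObject("script");    // each allocation fires the hook unless suppressed
        rt.newObject("function");
    }
    rt.parseDepth--;
}

// Runs a scenario shaped like the testcase: the hook calls into script, which
// in turn needs the compiler. Returns the deepest parser nesting reached.
int deepestParserNesting(bool guarded) {
    Runtime rt;
    int hookCalls = 0;
    rt.metadataHook = [&](Runtime& r) {
        // The callback "runs a function", i.e. re-enters the compiler.
        // Bounded so the unguarded run terminates instead of recursing forever.
        if (++hookCalls <= 8)
            compileScript(r, guarded);
    };
    compileScript(rt, guarded);
    return rt.maxParseDepth;
}

int main() {
    std::printf("unguarded: parser nested %d deep\n", deepestParserNesting(false));
    std::printf("guarded:   parser nested %d deep\n", deepestParserNesting(true));
    return 0;
}
```

Without the guard each allocation inside compileScript re-enters it, so the parser ends up nine frames deep before the bounded hook stops; with the guard the depth stays at one because the hook is never reached while compilation is in progress. A real engine would restore the hook on every exit path (which the RAII destructor does here) and could additionally assert that parseDepth never exceeds one, turning a silent state corruption into an immediate, diagnosable failure.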

Comment 13 (Assignee, 6 years ago)
(In reply to Scoobidiver from comment #12)
> (In reply to Brian Hackett (:bhackett) from comment #11)
> > Scoobidiver, can you point to some crash reports? 
> Here they are:
> https://crash-stats.mozilla.com/report/
> list?product=Firefox&signature=js%3A%3AFunctionToString%28JSContext*%2C+JS%3A
> %3AHandle%3CJSFunction*%3E%2C+bool%2C+bool%29

This looks like a different issue, none of the crashes I see have parsing stuff on the stack.  All of them are NULL derefs under jsdScript::GetFunctionSource but it's not really obvious from the stacks which pointer is NULL.