Crash [@ TryAttachCallStub] with setObjectMetadataCallback

RESOLVED FIXED in mozilla25

Status: RESOLVED FIXED
Product / Component: Core / JavaScript Engine
Priority / Severity: unset / critical
Reported: 5 years ago; Last modified: 5 years ago

People: Reporter: decoder; Assigned: bhackett

Tracking: Blocks 1 bug; Keywords: crash, testcase
Version: Trunk; Target Milestone: mozilla25
Hardware / OS: x86_64 / Linux
Firefox Tracking Flags: Not tracked

Details: Whiteboard: [jsbugmon:update]; crash signature

Attachments: 2 attachments

Description (Reporter, 5 years ago)
The following testcase crashes on mozilla-central revision 18467a85acf6 (run with --ion-eager):

function test() {
    try {
        writeTestCaseResult();
    } catch(e) {}
}
function writeTestCaseResult() {
    return undefined.match(/foo/);  // throws a TypeError, swallowed by test()
}
// JS-shell debugging hook (see comment 9): invoked for every newly allocated
// object, so it reenters JS from inside the engine, including while the
// engine is still parsing/emitting scripts (see comment 5).
setObjectMetadataCallback(function(obj) { test(); });
x();  // x is never defined; the fuzzer-generated testcase ends by calling it anyway
Comment 1 (Reporter, 5 years ago)
Created attachment 775746 [details]
[crash-signature] Machine-readable crash signature
Updated (Reporter, 5 years ago)
Whiteboard: [jsbugmon:update]

Updated (5 years ago)
Crash Signature: [@ TryAttachCallStub] → [@ TryAttachCallStub] [@ js::ion::TryAttachCallStub]
Comment 2 (Reporter, 5 years ago)
Needinfo from Brian because setObjectMetadataCallback is involved.
Flags: needinfo?(bhackett1024)
Updated (Assignee, 5 years ago)
Duplicate of this bug: 888896
Updated (Assignee, 5 years ago)
Duplicate of this bug: 888901
Comment 5 (Assignee, 5 years ago)
Created attachment 781836 [details] [diff] [review]
patch.txt

Bad things happen when we reenter JS while parsing/emitting scripts.
Assignee: general → bhackett1024
Attachment #781836 - Flags: review?(luke)
Flags: needinfo?(bhackett1024)
Attachment #781836 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/fb48c7d58b8b
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25

Updated (5 years ago)
status-firefox24: --- → affected

Updated (5 years ago)
Crash Signature: [@ TryAttachCallStub] [@ js::ion::TryAttachCallStub] → [@ TryAttachCallStub] [@ js::ion::TryAttachCallStub] [@ js::FunctionToString(JSContext*, JS::Handle<JSFunction*>, bool, bool)]

Comment 8 (5 years ago)
It's #2 top crasher in 24.0a2 on Mac OS X.
tracking-firefox24: --- → ?
Keywords: topcrash
Comment 9 (Assignee, 5 years ago)
setObjectMetadataCallback is a debugging hook which is not yet exposed to the browser at all.
Comment 10 (Reporter, 5 years ago)
(In reply to Brian Hackett (:bhackett) from comment #9)
> setObjectMetadataCallback is a debugging hook which is not yet exposed to
> the browser at all.

Isn't it still possible that this bug is triggered also without setObjectMetadataCallback, just that the fuzzer hasn't found this case? (because it might be more complex).
Comment 11 (Assignee, 5 years ago)
(In reply to Christian Holler (:decoder) from comment #10)
> (In reply to Brian Hackett (:bhackett) from comment #9)
> > setObjectMetadataCallback is a debugging hook which is not yet exposed to
> > the browser at all.
> 
> Isn't it still possible that this bug is triggered also without
> setObjectMetadataCallback, just that the fuzzer hasn't found this case?
> (because it might be more complex).

Well, this bug is about crashes that can happen when reentering JS in the parser/emitter.  This shouldn't be possible but could in principle happen.  It could be prevented entirely (we already do something similar when doing analysis/compilation) but it would be good to know if that is actually the culprit with these OS X (OS X only?) crashes.  Scoobidiver, can you point to some crash reports?  If the stack information is good enough it should be easy to see what's going on from them.
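As an added illustration, not SpiderMonkey code and not the landed patch, the reentrancy described in comments 5 and 11 modelled in C++: an allocation hook in the style of setObjectMetadataCallback runs JS while the parser/emitter is still active, and a hypothetical guard of the kind comment 11 says could prevent it entirely suppresses the hook during parsing. The Engine type, compileScript, and the one-allocation-per-'{' model are assumptions made for the example.

```cpp
// Added model (not SpiderMonkey code): an allocation hook that, like the shell's
// setObjectMetadataCallback, runs JS while the parser/emitter is still active,
// plus a hypothetical guard that suppresses the hook during parsing.
#include <functional>
#include <string>

struct Engine {
    std::function<void(Engine&)> metadataCallback; // runs on every object allocation
    bool guardParsing = false;  // hypothetical mitigation: no hook while parsing/emitting
    int parseDepth = 0;         // > 0 while a script is being parsed/emitted
    int maxParseDepth = 0;      // > 1 means JS re-entered the parser
    int suppressed = 0;         // hook invocations skipped by the guard

    // Object allocation: the hook may run arbitrary JS, including compiling a script.
    void allocateObject() {
        if (!metadataCallback) return;
        if (guardParsing && parseDepth > 0) { ++suppressed; return; }
        metadataCallback(*this);
    }

    // Parsing/emitting allocates objects (modelled as one per '{'), so the hook
    // fires from inside the parser; parseDepth records how deeply it nests.
    void compileScript(const std::string& src) {
        ++parseDepth;
        if (parseDepth > maxParseDepth) maxParseDepth = parseDepth;
        for (char c : src)
            if (c == '{') allocateObject();
        --parseDepth;
    }
};

struct Outcome { int maxParseDepth; int suppressed; };

// Replays the testcase's shape: the hook calls a function that must itself be
// compiled while the outer script is still being compiled.
Outcome runScenario(bool guarded) {
    Engine e;
    e.guardParsing = guarded;
    e.metadataCallback = [](Engine& self) { self.compileScript("test();"); };
    e.compileScript("var o = {a: 1};");  // constructed script with one object literal
    return {e.maxParseDepth, e.suppressed};
}
```

Unguarded, the parser nests to depth 2 (the hook re-entered it); guarded, it stays at depth 1 and one hook call is skipped.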
Comment 13 (Assignee, 5 years ago)
(In reply to Scoobidiver from comment #12)
> (In reply to Brian Hackett (:bhackett) from comment #11)
> > Scoobidiver, can you point to some crash reports? 
> Here they are:
> https://crash-stats.mozilla.com/report/
> list?product=Firefox&signature=js%3A%3AFunctionToString%28JSContext*%2C+JS%3A
> %3AHandle%3CJSFunction*%3E%2C+bool%2C+bool%29

This looks like a different issue, none of the crashes I see have parsing stuff on the stack.  All of them are NULL derefs under jsdScript::GetFunctionSource but it's not really obvious from the stacks which pointer is NULL.

Updated (5 years ago)
status-firefox24: affected → ---
tracking-firefox24: ? → ---
Keywords: topcrash