GenerationalGC: Crash [@ js::Nursery::forwardBufferPointer] with partly-poisoned pointer or Opt-Crash on Heap

RESOLVED FIXED in mozilla29

Status: RESOLVED FIXED
Severity: major
Reported: 5 years ago
Modified: 5 years ago

People: Reporter: decoder; Assigned: jonco

Tracking: Blocks 1 bug; Keywords: crash, testcase
Version: Trunk
Target Milestone: mozilla29
Platform: x86_64 Linux
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)

Details: Whiteboard: [jsbugmon:ignore], crash signature

Attachments: 1 attachment

Description (Reporter, 5 years ago)
The following testcase crashes on mozilla-central built with --enable-exact-rooting --enable-gcgenerational, revision 4e671e3183c4 (run with --fuzzing-safe --ion-eager):


// Reporter's testcase. It needs the SpiderMonkey shell: gczeal(), evaluate()
// and the "function f(x) expr" expression-closure syntax below are not
// available in a browser.
g = Function("", "for (var i = 0; i < 0; ++i) { eval('this.arg'+0 +'=arg'+0); }");
Math.abs(undefined);
gczeal(7);  // GC zeal mode 7: collect the nursery frequently
// toFloat32 is an expression closure: it returns x rounded to float32.
// The string is one logical line (backslash continuations), so it must not
// contain // comments.
evaluate("\
var toFloat32 = (function() {\
    var f32 = new Float32Array(1);\
    function f(x) f32[0] = x;\
    return f;\
})();\
for (var i = 0; i < 64; ++i) {\
    var p = Math.pow(2, i) + 1;\
    g(toFloat32(p));\
    toFloat32(-p);\
}\
");
Comment 1 (Reporter, 5 years ago)
Crash trace:

Program received signal SIGSEGV, Segmentation fault.
js::Nursery::forwardBufferPointer (this=0x167fcc0, pSlotsElems=0x7fffffffb920) at js/src/gc/Nursery.cpp:381
381         JS_ASSERT(IsWriteableAddress(*pSlotsElems));
(gdb) bt
#0  js::Nursery::forwardBufferPointer (this=0x167fcc0, pSlotsElems=0x7fffffffb920) at js/src/gc/Nursery.cpp:381
#1  0x0000000000634780 in UpdateIonJSFrameForMinorGC (frame=..., trc=<optimized out>) at js/src/jit/IonFrames.cpp:934
#2  js::jit::UpdateJitActivationsForMinorGC (rt=<optimized out>, trc=0x7fffffffb410) at js/src/jit/IonFrames.cpp:1203
#3  0x0000000000533387 in js::Nursery::collect (this=0x0, rt=0x167ef50, reason=JS::gcreason::DEBUG_GC, pretenureTypes=0x0) at js/src/gc/Nursery.cpp:664
#4  0x0000000000471372 in js::gc::NewGCThing<JSObject, (js::AllowGC)1> (cx=0x16a5450, kind=js::gc::FINALIZE_OBJECT4_BACKGROUND, thingSize=64, heap=<optimized out>) at js/src/jsgcinlines.h:438
#5  0x00000000008212f8 in js_NewGCObject<(js::AllowGC)1> (heap=js::gc::DefaultHeap, kind=js::gc::FINALIZE_OBJECT4_BACKGROUND, cx=0x16a5450) at js/src/jsgcinlines.h:476
#6  JSObject::create (cx=0x16a5450, kind=js::gc::FINALIZE_OBJECT4_BACKGROUND, heap=js::gc::DefaultHeap, shape=0x7ffff5450d30, type=0x7ffff543a8c8, extantSlots=<optimized out>)
    at js/src/jsobjinlines.h:492
#7  0x0000000000985576 in js::CallObject::create (cx=0x16a5450, script=0x7ffff54421f0, shape=0x7ffff5450d30, type=0x7ffff543a8c8, slots=0x0) at js/src/vm/ScopeObject.cpp:151
#8  0x0000000000713261 in js::jit::NewCallObject (cx=0x16a5450, script=..., shape=..., type=..., slots=<optimized out>) at js/src/jit/VMFunctions.cpp:495
#9  0x00007ffff7fd0dbb in ?? ()
warning: (Internal error: pc 0x0 in read in psymtab, but not in symtab.)

#10 0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x4f4748 <js::Nursery::forwardBufferPointer(js::HeapSlot**)+88>:     mov    (%rax),%rdx
(gdb) info reg rax
rax            0x2c2c2c2c53000000       3182967605526790144


Opt-Crash:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fd004f in ?? ()
(gdb) bt
#0  0x00007ffff7fd004f in ?? ()
[...]
#9  0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x7ffff7fd004f:      movss  %xmm1,(%rdx)
(gdb) info reg rdx
rdx            0x53000000       1392508928
Comment 2 (Assignee, 5 years ago)
I can reproduce this up to changeset 3743ea445b81, but since 8b21c9d16999 it works.  However, I can't see anything in that change that would fix the issue, so I assume the underlying problem is still there.

It looks like the array buffer is not marked as its slots have not been tenured but left in the nursery.  When the GC tries to update Ion's slots pointer it interprets the previous contents of the slots as the forwarding pointer, which triggers the assertion.
Assignee: nobody → jcoppeard
Comment 3 (Assignee, 5 years ago)
Created attachment 8366681 [details] [diff] [review]
typed-array-elements-fuzzbug

So that isn't the problem after all.  The problem is that the typed array is using inline slots to store the elements in the nursery, and the size of the array is too small to store the forwarding pointer.  There actually is enough space in the object though, so we just need to use the size of the object's slots rather than the size of the array in the calculation.
Attachment #8366681 - Flags: review?(terrence)
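The mechanism jonco describes in Comment 3 (the collector leaves a direct forwarding pointer in the old buffer after moving it, and a buffer sized by the array's own length is too small to hold one) can be modelled outside SpiderMonkey. The C program below is an added example written for this page; it is not the patch on this bug and not code from the SpiderMonkey tree. The object layout, the 16-byte inline slot area, the POISON byte value 0x2c and all function names are assumptions chosen to mirror the crash trace. When the "is there room for a forwarding pointer" check uses the array's byte size, nothing is written at the old location and the stale word there (four bytes of float data followed by poison) is read back as the new address, reproducing the 0x2c2c2c2c53000000 shape from Comment 1; when it uses the object's slot size, the forwarding pointer fits and the JIT frame is updated to the tenured copy.

```c
/* Model of a moving nursery that leaves a forwarding pointer in the old
 * buffer after tenuring it.  Constructed example, not SpiderMonkey code. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON 0x2c      /* assumed poison byte; matches the 0x2c2c2c2c in the trace */
#define SLOT_BYTES 16    /* assumed inline slot area of the object: two 8-byte slots */

/* Nursery-resident typed array whose elements live in the object's inline slots. */
struct nursery_typed_array {
    size_t elem_bytes;                 /* bytes used by the array (4 for Float32Array(1)) */
    uint8_t inline_slots[SLOT_BYTES];  /* what the object actually owns */
};

/* A JIT frame holding a raw pointer into the nursery, like Ion's hoisted elements pointer. */
struct jit_frame { uint8_t *elements; };

/* Destination of the move; stands in for the tenured heap. */
static uint8_t tenured_heap[SLOT_BYTES];

static void init_array(struct nursery_typed_array *a, float value) {
    memset(a->inline_slots, POISON, SLOT_BYTES);   /* fresh nursery memory is poisoned */
    a->elem_bytes = sizeof value;
    memcpy(a->inline_slots, &value, sizeof value); /* element 0 occupies the first 4 bytes */
}

/* Copy the elements out of the nursery.  `avail` is how many bytes at the old
 * location the collector believes it may overwrite with a forwarding pointer.
 * The buggy caller passes elem_bytes (4); the fixed caller passes SLOT_BYTES. */
static uint8_t *move_elements_to_tenured(struct nursery_typed_array *a, size_t avail) {
    memcpy(tenured_heap, a->inline_slots, a->elem_bytes);
    if (avail >= sizeof(void *)) {
        void *fwd = tenured_heap;
        memcpy(a->inline_slots, &fwd, sizeof fwd);  /* direct forwarding pointer */
    }
    /* else: no room for a forwarding pointer, so the old bytes stay as they were */
    return tenured_heap;
}

/* What forwardBufferPointer does: read the word at the old location as the new address.
 * The value is returned, never dereferenced, so the buggy case stays well defined here. */
static uintptr_t forward_buffer_pointer(const struct jit_frame *f) {
    uintptr_t word;
    memcpy(&word, f->elements, sizeof word);
    return word;
}

/* Run one minor GC over a single Float32Array(1) and return the address the
 * JIT frame's elements pointer would be patched to. */
static uintptr_t minor_gc(int use_slot_size) {
    struct nursery_typed_array a;
    init_array(&a, 549755813889.0f);        /* 2^39 + 1 rounds to 2^39: float32 bits 0x53000000 */
    struct jit_frame frame = { a.inline_slots };
    size_t avail = use_slot_size ? SLOT_BYTES : a.elem_bytes;
    move_elements_to_tenured(&a, avail);
    return forward_buffer_pointer(&frame);
}

int main(void) {
    printf("array size used : 0x%016llx (stale data + poison, not a valid address)\n",
           (unsigned long long)minor_gc(0));
    printf("slot size used  : %p (tenured buffer is at %p)\n",
           (void *)minor_gc(1), (void *)tenured_heap);
    return 0;
}
```

The 0x53000000 half of the bogus word is the same float32 bit pattern the opt build crashed on (rdx in Comment 1, the store target of movss), which is why the testcase needs i to reach 39 in its loop. The example assumes a little-endian 64-bit target, as the original x86_64 report does.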
Comment on attachment 8366681 [details] [diff] [review]
typed-array-elements-fuzzbug

Review of attachment 8366681 [details] [diff] [review]:
-----------------------------------------------------------------

Wow, that's pretty nasty. r=me
Attachment #8366681 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/a246608780f2
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla29