981289 - GenerationalGC: Crash [@ GetGCThingRuntime] with poisoned pointer and arguments

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central built with --enable-exact-rooting --enable-gcgenerational, revision d01bf8596d3b (run with --fuzzing-safe):


gcPreserveCode();
function test() {
  for (var i=0; i<20; i++) {
      arguments.x = {};
      gc();
  }
}
test();

Comment 1

[Christian Holler (:decoder)]

Crash trace:


Program received signal SIGSEGV, Segmentation fault.
GetGCThingRuntime (thing=0x2b2b2b2b) at ../../dist/include/js/HeapAPI.h:133
133         return *reinterpret_cast<JS::shadow::Runtime **>(addr);
(gdb) bt 32
#0  GetGCThingRuntime (thing=0x2b2b2b2b) at ../../dist/include/js/HeapAPI.h:133
#1  isTenured (this=0x2b2b2b2b) at  js/src/gc/Heap.h:1055
#2  js::gc::Cell::arenaHeader (this=0x2b2b2b2b) at  js/src/gc/Heap.h:964
#3  0x080b2e17 in tenuredZone (this=0x2b2b2b2b) at  js/src/gc/Heap.h:1024
#4  zone (this=0x2b2b2b2b) at  js/src/gc/Barrier.h:185
#5  js::gc::BarrieredCell<js::ObjectImpl>::zone (this=0xf6900000) at  js/src/vm/ObjectImpl.h:954
#6  0x0819692e in js::GCMarker::processMarkStackTop (this=0x948f278, budget=...) at  js/src/gc/Marking.cpp:1492
#7  0x0815a694 in js::GCMarker::drainMarkStack (this=0x948f278, budget=...) at  js/src/gc/Marking.cpp:1578
#8  0x084b887e in DrainMarkStack (phase=js::gcstats::PHASE_MARK, sliceBudget=..., rt=0x948eff8) at  js/src/jsgc.cpp:4067
#9  IncrementalCollectSlice (rt=0x948eff8, budget=156389440, reason=JS::gcreason::API, gckind=js::GC_NORMAL) at  js/src/jsgc.cpp:4627
#10 0x084baa10 in GCCycle (rt=0x948eff8, incremental=<optimized out>, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::API) at  js/src/jsgc.cpp:4791
#11 0x084bb0ef in Collect (rt=0x948eff8, incremental=<optimized out>, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::API) at  js/src/jsgc.cpp:4929
#12 0x084bb4bd in Collect (reason=JS::gcreason::API, gckind=js::GC_NORMAL, budget=0, incremental=false, rt=0x948eff8) at  js/src/jsgc.cpp:4859
#13 js::GC (rt=0x948eff8, gckind=js::GC_NORMAL, reason=JS::gcreason::API) at  js/src/jsgc.cpp:4960
#14 0x08408ab0 in JS::GCForReason (rt=0x948eff8, reason=JS::gcreason::API) at  js/src/jsfriendapi.cpp:200
#15 0x080c6d72 in GC (cx=0x949b5d0, argc=0, vp=0xffffc24c) at  js/src/builtin/TestingFunctions.cpp:232
#16 0xf66ef871 in ?? ()
#17 0x094a48f0 in ?? ()
#18 0xf668882c in ?? ()
#19 0x081a7ee4 in EnterBaseline (cx=0x94a48f0, data=...) at  js/src/jit/BaselineJIT.cpp:122
(gdb) x /i $pc
=> 0x80b260b <js::gc::Cell::arenaHeader() const+43>:    mov    (%edx),%edx
(gdb) info reg edx
edx            0x2b2ffffc       724566012

Comment 2

[Terrence Cole [:terrence]]

Attachment: handle_nonargument_properties_on_arguments-v0.diff

Great find, Christian! We do special marking for ArgumentsObject. We still need to do the normal object marking, however, because the arguments object is still just an object and can get regular properties as well as its special properties. The fix is to just call MarkChildren unconditionally.

Comment 3

[Steve Fink [:sfink] [:s:]]

Comment on attachment 8388777 [details] [diff] [review]
handle_nonargument_properties_on_arguments-v0.diff

Review of attachment 8388777 [details] [diff] [review]:
-----------------------------------------------------------------

fun one

Comment 4

[Terrence Cole [:terrence]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/753b8af2f2c0

Comment 5

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/753b8af2f2c0