Bug 1124651 - Crash [@ IsInsideNursery] or Opt-Crash [@ markIfUnmarked]
Status: Closed, VERIFIED FIXED; target milestone mozilla38
Opened 11 years ago, closed 11 years ago
Categories: Core :: JavaScript Engine, defect
Tracking:
Branch | Tracking | Status
---|---|---
firefox36 | --- | unaffected
firefox37 | --- | unaffected
firefox38 | --- | verified
firefox-esr31 | --- | unaffected
People: Reporter: decoder; Assigned: bhackett1024
Details: 4 keywords; Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 2.51 KB; jandem: review+
The following testcase crashes on mozilla-central revision 34e2d2bd7ec4 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager --ion-offthread-compile=off):
// gczeal mode 2 with frequency 1: force a GC on every allocation (debug shell built with --enable-gczeal).
gczeal(2,1);
// Each loadFile() call evaluates a separate top-level script against the same global.
loadFile("var x=0; x++; x = Iterator([]); x.__proto__ = Function.toLocaleString;");
loadFile("var x1 = (x ^= 1);");
loadFile("");
function loadFile(lfVarx) {
  // Shell-only evaluate(): compile-and-go global code, discard the completion value.
  evaluate(lfVarx, { noScriptRval : true, compileAndGo : true });
}
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
IsInsideNursery (cell=0x10f5dbb0) at ../../dist/include/js/HeapAPI.h:308
308 uint32_t location = *reinterpret_cast<uint32_t *>(addr);
#0 IsInsideNursery (cell=0x10f5dbb0) at ../../dist/include/js/HeapAPI.h:308
#1 isTenured (this=0x10f5dbb0) at js/src/gc/Heap.h:155
#2 js::gc::TenuredCell::arenaHeader (this=0x10f5dbb0) at js/src/gc/Heap.h:1309
#3 0x081e4d93 in zone (this=<optimized out>) at js/src/gc/Heap.h:1330
#4 zone (this=(const JSObject * const) 0xf5db9021 Cannot access memory at address 0xf5dc00) at js/src/jsobj.h:298
#5 js::GCMarker::markObject (this=0x963abb8, source=(JSObject *) 0xf5d45040 [object global] delegate, obj=(JSObject *) 0xf5db9021 Cannot access memory at address 0xf5dc00) at js/src/gc/Marking.cpp:1685
#6 0x081e739c in js::GCMarker::processMarkStackTop (this=this@entry=0x963abb8, budget=...) at js/src/gc/Marking.cpp:1735
#7 0x0819aec4 in js::GCMarker::drainMarkStack (this=0x963abb8, budget=...) at js/src/gc/Marking.cpp:1872
#8 0x0850bb3d in js::gc::GCRuntime::drainMarkStack (this=this@entry=0x9632ed4, sliceBudget=..., phase=phase@entry=js::gcstats::PHASE_MARK) at js/src/jsgc.cpp:5202
#9 0x0854e0db in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x9632ed4, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:5863
#10 0x0854ed0d in js::gc::GCRuntime::gcCycle (this=this@entry=0x9632ed4, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6083
#11 0x0854f035 in js::gc::GCRuntime::collect (this=this@entry=0x9632ed4, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6208
#12 0x085503aa in js::gc::GCRuntime::gc (this=0x9632ed4, gckind=GC_NORMAL, reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6269
#13 0x08551311 in js::gc::GCRuntime::runDebugGC (this=0x9632ed4) at js/src/jsgc.cpp:6659
#14 0x080c7e70 in CheckAllocatorState<(js::AllowGC)1> (kind=js::gc::FINALIZE_OBJECT2_BACKGROUND, cx=0x964ea58) at js/src/jsgcinlines.h:447
#15 js::gc::AllocateObject<(js::AllowGC)1> (cx=0x964ea58, kind=js::gc::FINALIZE_OBJECT2_BACKGROUND, nDynamicSlots=0, heap=js::gc::DefaultHeap, clasp=0x95dee20) at js/src/jsgcinlines.h:493
#16 0x08469d59 in NewGCObject<(js::AllowGC)1> (clasp=0x95dee20, heap=js::gc::DefaultHeap, nDynamicSlots=<optimized out>, kind=js::gc::FINALIZE_OBJECT2_BACKGROUND, cx=0x964ea58) at js/src/jsgcinlines.h:606
#17 JSObject::create (cx=0x964ea58, kind=js::gc::FINALIZE_OBJECT2_BACKGROUND, heap=js::gc::DefaultHeap, shape=0xf5d558c8, type=0xf5d42100) at js/src/jsobjinlines.h:282
#18 0x085bbe2b in NewObject (cx=0x964ea58, type_=<optimized out>, parent=(JSObject *) 0xf5d45040 [object global] delegate, kind=js::gc::FINALIZE_OBJECT2_BACKGROUND, newKind=js::GenericObject) at js/src/jsobj.cpp:1224
#19 0x085bcd05 in js::NewObjectWithClassProtoCommon (cxArg=0x964ea58, clasp=0x95dee20, protoArg=<optimized out>, parentArg=(JSObject *) 0xf5d45040 [object global] delegate, allocKind=js::gc::FINALIZE_OBJECT2_BACKGROUND, newKind=js::GenericObject) at js/src/jsobj.cpp:1396
#20 0x0848c7ff in NewObjectWithClassProto (parent=0x0, newKind=<optimized out>, allocKind=js::gc::FINALIZE_OBJECT2_BACKGROUND, proto=0x0, clasp=<optimized out>, cx=<optimized out>) at js/src/jsobjinlines.h:590
#21 NewBuiltinClassInstance (newKind=<optimized out>, allocKind=js::gc::FINALIZE_OBJECT2_BACKGROUND, clasp=<optimized out>, cx=<optimized out>) at js/src/jsobjinlines.h:627
#22 NewBuiltinClassInstance<js::PlainObject> (newKind=<optimized out>, allocKind=js::gc::FINALIZE_OBJECT2_BACKGROUND, cx=<optimized out>) at js/src/jsobjinlines.h:649
#23 CopyInitializerObject (newKind=<optimized out>, baseobj=(js::PlainObject * const) 0xf5d53de0 [object Object], cx=<optimized out>) at js/src/vm/NativeObject-inl.h:348
#24 js::jit::NewInitObject (cx=cx@entry=0x964ea58, templateObject=(js::PlainObject * const) 0xf5d53de0 [object Object]) at js/src/jit/VMFunctions.cpp:291
#25 0x084bdd68 in js::jit::Simulator::softwareInterrupt (this=0x964dfe0, instr=0x96be66c) at js/src/jit/arm/Simulator-arm.cpp:2154
#26 0x084ba70d in js::jit::Simulator::instructionDecode (this=this@entry=0x964dfe0, instr=instr@entry=0x96be66c) at js/src/jit/arm/Simulator-arm.cpp:4167
#27 0x084e86d4 in js::jit::Simulator::execute<false> (this=0x964dfe0) at js/src/jit/arm/Simulator-arm.cpp:4222
#28 0x084be455 in js::jit::Simulator::callInternal (this=this@entry=0x964dfe0, entry=entry@entry=0xf62ac8b0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4310
#29 0x084be77c in js::jit::Simulator::call (this=0x964dfe0, entry=0xf62ac8b0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=8) at js/src/jit/arm/Simulator-arm.cpp:4393
#30 0x082b98ce in EnterIon (data=..., cx=0x964ea58) at js/src/jit/Ion.cpp:2236
#31 js::jit::IonCannon (cx=0x964ea58, state=...) at js/src/jit/Ion.cpp:2318
#32 0x086ba60c in js::RunScript (cx=cx@entry=0x964ea58, state=...) at js/src/vm/Interpreter.cpp:428
#33 0x086bae37 in js::Invoke (cx=cx@entry=0x964ea58, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:517
#34 0x086bbeb8 in js::Invoke (cx=0x964ea58, thisv=..., fval=..., argc=1, argv=0xf60feed0, rval=$jsval(-nan(0xfff8200000000))) at js/src/vm/Interpreter.cpp:554
#35 0x082df6f7 in js::jit::DoCallFallback (cx=cx@entry=0x964ea58, frame=frame@entry=0xf60fef00, stub_=stub_@entry=0x96f59e8, argc=argc@entry=1, vp=vp@entry=0xf60feec0, res=res@entry=$jsval(-nan(0xfff8200000000))) at js/src/jit/BaselineIC.cpp:9294
#36 0x084bdc36 in js::jit::Simulator::softwareInterrupt (this=0x964dfe0, instr=0x96bdee4) at js/src/jit/arm/Simulator-arm.cpp:2187
#37 0x084ba70d in js::jit::Simulator::instructionDecode (this=this@entry=0x964dfe0, instr=instr@entry=0x96bdee4) at js/src/jit/arm/Simulator-arm.cpp:4167
#38 0x084e86d4 in js::jit::Simulator::execute<false> (this=0x964dfe0) at js/src/jit/arm/Simulator-arm.cpp:4222
#39 0x084be455 in js::jit::Simulator::callInternal (this=this@entry=0x964dfe0, entry=entry@entry=0xf62ac8b0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4310
#40 0x084be77c in js::jit::Simulator::call (this=0x964dfe0, entry=0xf62ac8b0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=8) at js/src/jit/arm/Simulator-arm.cpp:4393
#41 0x082b98ce in EnterIon (data=..., cx=0x964ea58) at js/src/jit/Ion.cpp:2236
#42 js::jit::IonCannon (cx=0x964ea58, state=...) at js/src/jit/Ion.cpp:2318
#43 0x086ba60c in js::RunScript (cx=cx@entry=0x964ea58, state=...) at js/src/vm/Interpreter.cpp:428
#44 0x086ba6e0 in js::ExecuteKernel (cx=cx@entry=0x964ea58, script=0xf5d49128, scopeChainArg=(JSObject &) @0xf5d45040 [object global] delegate, thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:657
#45 0x086bab59 in js::Execute (cx=0x964ea58, script=0xf5d49128, scopeChainArg=(JSObject &) @0xf5d45040 [object global] delegate, rval=0x0) at js/src/vm/Interpreter.cpp:694
#46 0x08549834 in ExecuteScript (cx=0x964ea58, obj=(JSObject * const) 0xf5d45040 [object global] delegate, scriptArg=0xf5d49128, rval=0x0) at js/src/jsapi.cpp:4352
#47 0x0805fc89 in RunFile (compileOnly=false, file=0x96f49b8, filename=0xffffd08d "min.js", obj=..., cx=0x964ea58) at js/src/shell/js.cpp:453
#48 Process (cx=cx@entry=0x964ea58, obj_=<optimized out>, filename=0xffffd08d "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:586
#49 0x0806c9ee in ProcessArgs (op=0xffffccb0, obj_=<optimized out>, cx=0x964ea58) at js/src/shell/js.cpp:5500
#50 Shell (op=0xffffccb0, cx=0x964ea58, envp=<optimized out>) at js/src/shell/js.cpp:5739
#51 main (argc=6, argv=0xffffce64, envp=0xffffce80) at js/src/shell/js.cpp:6079
eax 0x10f5dbb0 284548016
ebx 0x9607ff4 157319156
ecx 0x10fffff0 285212656
edx 0x10f5dbb0 284548016
esi 0xf5db9021 -170160095
edi 0x96e76f0 158234352
ebp 0xffffb0b8 4294947000
esp 0xffffb0a0 4294946976
eip 0x8080599 <js::gc::TenuredCell::arenaHeader() const+41>
=> 0x8080599 <js::gc::TenuredCell::arenaHeader() const+41>: mov (%ecx),%ecx
0x808059b <js::gc::TenuredCell::arenaHeader() const+43>: test %ecx,%ecx
Marking sec-critical because this looks like a GC crash with a dangerous address (opt-crash is similar).
Updated by Reporter, 11 years ago:
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1, Reporter (decoder), 11 years ago:
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/5cec093aeadc
user: Brian Hackett
date: Wed Jan 14 08:00:28 2015 -0700
summary: Bug 1116017 - Don't scan all type sets in compartments on type mutations, r=jandem.
This iteration took 571.642 seconds to run.
Comment 2, 11 years ago:
Brian, is bug 1116017 a likely regressor?
Blocks: 1116017
Flags: needinfo?(bhackett1024)
Comment 3, Assignee (bhackett1024), 11 years ago:
Allowing type sets containing objects with unknown properties to actually contain other objects with unknown properties has a GC issue --- if the object in the type set is collected then the type set will no longer appear to have objects with unknown properties at all. This patch fixes this by marking type sets as ANYOBJECT when they contain such a collected object during GC.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8553928 - Flags: review?(jdemooij)
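The mechanism comment 3 describes, as an added editorial model rather than SpiderMonkey code: a type set records the objects seen at a site, and the optimizer asks it whether any of them has unknown properties. If the GC simply drops a dead entry, a set whose only unknown-properties object was collected starts answering "no", which is a narrower claim than the program ever justified. The fix widens the set to ANYOBJECT when such an entry is swept. All names here (Obj, TypeSet, FLAG_ANYOBJECT, sweepBuggy, sweepFixed, runScenario) are illustrative and the scenario is constructed.

```cpp
// Added model of the type-set sweeping issue from comment 3. This is not
// SpiderMonkey code; the types, flag names and sweep routines are illustrative.
#include <cstdint>
#include <cstdio>
#include <vector>

// A heap object as the GC sees it: marked this cycle or not, and whether the
// type system has given up tracking its properties ("unknown properties").
struct Obj {
    bool marked = false;
    bool unknownProperties = false;
};

// Type-set flags. FLAG_ANYOBJECT is the conservative "could be any object" state.
enum : uint32_t { FLAG_NONE = 0, FLAG_ANYOBJECT = 1u << 0 };

struct TypeSet {
    uint32_t flags = FLAG_NONE;
    std::vector<Obj*> objects;   // objects observed flowing through this site

    // What an optimizer asks before assuming it knows every property of the
    // objects at this site: can an object with unknown properties reach here?
    bool hasUnknownObject() const {
        if (flags & FLAG_ANYOBJECT)
            return true;
        for (Obj* o : objects)
            if (o->unknownProperties)
                return true;
        return false;
    }
};

// Buggy sweep: dead entries are simply dropped. If the only unknown-properties
// object dies, the set silently becomes more precise than the program justifies.
void sweepBuggy(TypeSet& set) {
    std::vector<Obj*> live;
    for (Obj* o : set.objects)
        if (o->marked)
            live.push_back(o);
    set.objects.swap(live);
}

// Fixed sweep (the approach comment 3 describes): a dead unknown-properties
// entry widens the set to ANYOBJECT before it is removed, so forgetting never
// narrows what the set claims.
void sweepFixed(TypeSet& set) {
    std::vector<Obj*> live;
    for (Obj* o : set.objects) {
        if (o->marked) {
            live.push_back(o);
        } else if (o->unknownProperties) {
            set.flags |= FLAG_ANYOBJECT;
        }
    }
    set.objects.swap(live);
}

struct Outcome {
    bool beforeSweep;  // hasUnknownObject() before the GC runs
    bool afterBuggy;   // the same query after sweepBuggy
    bool afterFixed;   // the same query after sweepFixed
};

// Constructed scenario: a site saw one ordinary object and one object with
// unknown properties; the latter is unreachable when the GC runs and is collected.
Outcome runScenario() {
    Obj known;
    known.marked = true;
    Obj unknown;
    unknown.unknownProperties = true;   // never marked: collected this cycle

    TypeSet buggy, fixed;
    buggy.objects = {&known, &unknown};
    fixed.objects = {&known, &unknown};

    Outcome out;
    out.beforeSweep = buggy.hasUnknownObject();
    sweepBuggy(buggy);
    sweepFixed(fixed);
    out.afterBuggy = buggy.hasUnknownObject();
    out.afterFixed = fixed.hasUnknownObject();
    return out;
}

int main() {
    Outcome o = runScenario();
    std::printf("before sweep: %d  after buggy sweep: %d  after fixed sweep: %d\n",
                o.beforeSweep, o.afterBuggy, o.afterFixed);
    return 0;
}
```

The buggy result is the hazard: anything that queries the set after that GC, for example a compiler deciding it can drop a property guard, is handed a claim the program never justified, and the type set offers no way to tell that it was narrowed by collection rather than by observation. Widening to ANYOBJECT on sweep is deliberately lossy in the safe direction.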
Updated, 11 years ago:
Attachment #8553928 - Flags: review?(jdemooij) → review+

Comment 4, Assignee (bhackett1024), 11 years ago:

Comment 5, 11 years ago:
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox36: --- → unaffected
status-firefox37: --- → unaffected
status-firefox-esr31: --- → unaffected
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Updated by Reporter, 11 years ago:
Status: RESOLVED → VERIFIED

Comment 6, Reporter (decoder), 11 years ago:
JSBugMon: This bug has been automatically verified fixed.
Updated, 11 years ago:
Group: core-security