Closed
Bug 1409701
Opened 8 years ago
Closed 2 years ago
AddressSanitizer: SEGV /builds/worker/workspace/build/src/js/src/gc/Heap.h:951:13 in markIfUnmarked
Categories
(Core :: JavaScript: GC, defect, P5)
Core
JavaScript: GC
Tracking
RESOLVED
INCOMPLETE
People
(Reporter: arny, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-uaf, sec-other)
2264 04:33:01 ERROR - GECKO(1036) | ==1036==ERROR: AddressSanitizer: SEGV on unknown address 0x7fdc078fc0b8 (pc 0x7fdc7da963eb bp 0x7ffd42f4f830 sp 0x7ffd42f4f7d0 T0)
2325 04:33:07 INFO - GECKO(1036) | SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/js/src/gc/Heap.h:951:13 in markIfUnmarked
2329 04:33:08 ERROR - GECKO(1036) | ==1153==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f61a47507a7 bp 0x7f61a08be380 sp 0x7f61a08be360 T2)
2335 04:33:08 ERROR - GECKO(1036) | ==1185==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f423b9507a7 bp 0x7f4237abe380 sp 0x7f4237abe360 T2)
2340 04:33:08 ERROR - GECKO(1036) | ==1111==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5b60c507a7 bp 0x7f5b5cdbe380 sp 0x7f5b5cdbe360 T2)
2345 04:33:08 ERROR - GECKO(1036) | ==1080==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f38ce2507a7 bp 0x7f38ca3be380 sp 0x7f38ca3be360 T2)
2406 04:33:14 INFO - GECKO(1036) | SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2543:13 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink()
2412 04:33:14 INFO - GECKO(1036) | SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2543:13 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink()
2414 04:33:14 INFO - GECKO(1036) | SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2543:13 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink()
2418 04:33:14 INFO - GECKO(1036) | SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2543:13 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink()
2789 04:37:05 ERROR - # TBPL FAILURE #
2791 04:37:05 ERROR - The mochitest suite: mochitest-devtools-chrome-chunked ran with return status: FAILURE
Reporter
Comment 1•8 years ago
Comment 2•8 years ago
[task 2017-10-18T04:33:01.129Z] 04:33:01 INFO - TEST-START | devtools/client/netmonitor/test/browser_net_header-docs.js
[task 2017-10-18T04:33:01.956Z] 04:33:01 INFO - GECKO(1036) | ASAN:DEADLYSIGNAL
[task 2017-10-18T04:33:01.974Z] 04:33:01 INFO - GECKO(1036) | =================================================================
[task 2017-10-18T04:33:01.977Z] 04:33:01 ERROR - GECKO(1036) | ==1036==ERROR: AddressSanitizer: SEGV on unknown address 0x7fdc078fc0b8 (pc 0x7fdc7da963eb bp 0x7ffd42f4f830 sp 0x7ffd42f4f7d0 T0)
[task 2017-10-18T04:33:01.980Z] 04:33:01 INFO - GECKO(1036) | ==1036==The signal is caused by a READ memory access.
[task 2017-10-18T04:33:06.839Z] 04:33:06 INFO - GECKO(1036) | #0 0x7fdc7da963ea in markIfUnmarked /builds/worker/workspace/build/src/js/src/gc/Heap.h:951:13
[task 2017-10-18T04:33:06.842Z] 04:33:06 INFO - GECKO(1036) | #1 0x7fdc7da963ea in markIfUnmarked /builds/worker/workspace/build/src/js/src/gc/Heap.h:1305
[task 2017-10-18T04:33:06.844Z] 04:33:06 INFO - GECKO(1036) | #2 0x7fdc7da963ea in mark<js::ObjectGroup> /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:991
[task 2017-10-18T04:33:06.845Z] 04:33:06 INFO - GECKO(1036) | #3 0x7fdc7da963ea in markAndPush<js::ObjectGroup> /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:916
[task 2017-10-18T04:33:06.849Z] 04:33:06 INFO - GECKO(1036) | #4 0x7fdc7da963ea in void js::GCMarker::traverse<js::ObjectGroup*>(js::ObjectGroup*) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:923
[task 2017-10-18T04:33:06.851Z] 04:33:06 INFO - GECKO(1036) | #5 0x7fdc7da9bdcd in traverseEdge<JSObject *, js::ObjectGroup> /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:968:5
[task 2017-10-18T04:33:06.854Z] 04:33:06 INFO - GECKO(1036) | #6 0x7fdc7da9bdcd in js::GCMarker::processMarkStackTop(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1775
[task 2017-10-18T04:33:06.857Z] 04:33:06 INFO - GECKO(1036) | #7 0x7fdc7da9b533 in js::GCMarker::drainMarkStack(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1607:13
[task 2017-10-18T04:33:06.882Z] 04:33:06 INFO - GECKO(1036) | #8 0x7fdc7d0393a8 in void js::gc::GCRuntime::markGrayReferences<js::gc::GCSweepGroupIter, js::CompartmentsIterT<js::gc::GCSweepGroupIter> >(js::gcstats::PhaseKind) /builds/worker/workspace/build/src/js/src/jsgc.cpp:4415:5
[task 2017-10-18T04:33:06.884Z] 04:33:06 INFO - GECKO(1036) | #9 0x7fdc7d03dbb4 in markGrayReferencesInCurrentGroup /builds/worker/workspace/build/src/js/src/jsgc.cpp:4421:5
[task 2017-10-18T04:33:06.886Z] 04:33:06 INFO - GECKO(1036) | #10 0x7fdc7d03dbb4 in js::gc::GCRuntime::endMarkingSweepGroup() /builds/worker/workspace/build/src/js/src/jsgc.cpp:5198
[task 2017-10-18T04:33:06.891Z] 04:33:06 INFO - GECKO(1036) | #11 0x7fdc7d046c3d in js::gc::GCRuntime::beginSweepPhase(JS::gcreason::Reason, js::AutoLockForExclusiveAccess&) /builds/worker/workspace/build/src/js/src/jsgc.cpp:5662:5
[task 2017-10-18T04:33:06.901Z] 04:33:06 INFO - GECKO(1036) | #12 0x7fdc7d052734 in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::AutoLockForExclusiveAccess&) /builds/worker/workspace/build/src/js/src/jsgc.cpp:6873:9
[task 2017-10-18T04:33:06.903Z] 04:33:06 INFO - GECKO(1036) | #13 0x7fdc7d055757 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/jsgc.cpp:7228:5
[task 2017-10-18T04:33:06.909Z] 04:33:06 INFO - GECKO(1036) | #14 0x7fdc7d058f4f in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/jsgc.cpp:7371:25
[task 2017-10-18T04:33:06.917Z] 04:33:06 INFO - GECKO(1036) | #15 0x7fdc7d060753 in gc /builds/worker/workspace/build/src/js/src/jsgc.cpp:7438:5
[task 2017-10-18T04:33:06.919Z] 04:33:06 INFO - GECKO(1036) | #16 0x7fdc7d060753 in JS::GCForReason(JSContext*, JSGCInvocationKind, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/jsgc.cpp:8356
[task 2017-10-18T04:33:06.979Z] 04:33:06 INFO - GECKO(1036) | #17 0x7fdc74623528 in nsJSContext::GarbageCollectNow(JS::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1218:5
[task 2017-10-18T04:33:07.041Z] 04:33:07 INFO - GECKO(1036) | #18 0x7fdc7416a9c7 in nsDOMWindowUtils::GarbageCollect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1425:3
[task 2017-10-18T04:33:07.054Z] 04:33:07 INFO - GECKO(1036) | #19 0x7fdc717904d1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
[task 2017-10-18T04:33:07.135Z] 04:33:07 INFO - GECKO(1036) | #20 0x7fdc72f7aa50 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
[task 2017-10-18T04:33:07.138Z] 04:33:07 INFO - GECKO(1036) | #21 0x7fdc72f7aa50 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
[task 2017-10-18T04:33:07.141Z] 04:33:07 INFO - GECKO(1036) | #22 0x7fdc72f7aa50 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
[task 2017-10-18T04:33:07.143Z] 04:33:07 INFO - GECKO(1036) | #23 0x7fdc72f817df in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:929:12
[task 2017-10-18T04:33:07.171Z] 04:33:07 INFO - GECKO(1036) | #24 0x7fdc7c513a64 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
[task 2017-10-18T04:33:07.173Z] 04:33:07 INFO - GECKO(1036) | #25 0x7fdc7c513a64 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
[task 2017-10-18T04:33:07.190Z] 04:33:07 INFO - GECKO(1036) | #26 0x7fdc7c4fe0cc in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
[task 2017-10-18T04:33:07.193Z] 04:33:07 INFO - GECKO(1036) | #27 0x7fdc7c4fe0cc in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3067
[task 2017-10-18T04:33:07.196Z] 04:33:07 INFO - GECKO(1036) | #28 0x7fdc7c4e4cca in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
[task 2017-10-18T04:33:07.198Z] 04:33:07 INFO - GECKO(1036) | #29 0x7fdc7c513b63 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
[task 2017-10-18T04:33:07.200Z] 04:33:07 INFO - GECKO(1036) | #30 0x7fdc7c514a52 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
[task 2017-10-18T04:33:07.251Z] 04:33:07 INFO - GECKO(1036) | #31 0x7fdc7c6d88cb in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1238:14
[task 2017-10-18T04:33:07.258Z] 04:33:07 INFO - GECKO(1036) | #32 0x7fdc7c513a64 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
[task 2017-10-18T04:33:07.263Z] 04:33:07 INFO - GECKO(1036) | #33 0x7fdc7c513a64 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
[task 2017-10-18T04:33:07.269Z] 04:33:07 INFO - GECKO(1036) | #34 0x7fdc7c514a52 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
[task 2017-10-18T04:33:07.312Z] 04:33:07 INFO - GECKO(1036) | #35 0x7fdc7cf53bcb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3021:12
[task 2017-10-18T04:33:07.369Z] 04:33:07 INFO - GECKO(1036) | #36 0x7fdc74e54cca in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PromiseBinding.cpp:21:8
[task 2017-10-18T04:33:07.431Z] 04:33:07 INFO - GECKO(1036) | #37 0x7fdc715eae58 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:89:12
[task 2017-10-18T04:33:07.433Z] 04:33:07 INFO - GECKO(1036) | #38 0x7fdc715eae58 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:104
[task 2017-10-18T04:33:07.434Z] 04:33:07 INFO - GECKO(1036) | #39 0x7fdc715eae58 in mozilla::PromiseJobRunnable::Run() /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:212
[task 2017-10-18T04:33:07.468Z] 04:33:07 INFO - GECKO(1036) | #40 0x7fdc77926edf in mozilla::dom::Promise::PerformMicroTaskCheckpoint() /builds/worker/workspace/build/src/dom/promise/Promise.cpp:531:29
[task 2017-10-18T04:33:07.470Z] 04:33:07 INFO - GECKO(1036) | #41 0x7fdc715d2820 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:365:7
[task 2017-10-18T04:33:07.489Z] 04:33:07 INFO - GECKO(1036) | #42 0x7fdc72efb49d in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:1207:30
[task 2017-10-18T04:33:07.497Z] 04:33:07 INFO - GECKO(1036) | #43 0x7fdc7176640f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1053:24
[task 2017-10-18T04:33:07.502Z] 04:33:07 INFO - GECKO(1036) | #44 0x7fdc71780298 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:512:10
[task 2017-10-18T04:33:07.524Z] 04:33:07 INFO - GECKO(1036) | #45 0x7fdc72555af1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
[task 2017-10-18T04:33:07.546Z] 04:33:07 INFO - GECKO(1036) | #46 0x7fdc724b4fbb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
[task 2017-10-18T04:33:07.548Z] 04:33:07 INFO - GECKO(1036) | #47 0x7fdc724b4fbb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
[task 2017-10-18T04:33:07.549Z] 04:33:07 INFO - GECKO(1036) | #48 0x7fdc724b4fbb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
[task 2017-10-18T04:33:07.566Z] 04:33:07 INFO - GECKO(1036) | #49 0x7fdc77ec317f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
[task 2017-10-18T04:33:07.571Z] 04:33:07 INFO - GECKO(1036) | #50 0x7fdc7c06bd11 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
[task 2017-10-18T04:33:07.588Z] 04:33:07 INFO - GECKO(1036) | #51 0x7fdc7c25e61b in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4694:22
[task 2017-10-18T04:33:07.591Z] 04:33:07 INFO - GECKO(1036) | #52 0x7fdc7c2601e5 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4856:8
[task 2017-10-18T04:33:07.593Z] 04:33:07 INFO - GECKO(1036) | #53 0x7fdc7c261596 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4951:21
[task 2017-10-18T04:33:07.632Z] 04:33:07 INFO - GECKO(1036) | #54 0x4ec4ec in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
[task 2017-10-18T04:33:07.634Z] 04:33:07 INFO - GECKO(1036) | #55 0x4ec4ec in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
[task 2017-10-18T04:33:07.832Z] 04:33:07 INFO - GECKO(1036) | #56 0x7fdc8fc0882f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
[task 2017-10-18T04:33:07.836Z] 04:33:07 INFO - GECKO(1036) | #57 0x41dbc8 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x41dbc8)
[task 2017-10-18T04:33:07.838Z] 04:33:07 INFO - GECKO(1036) | AddressSanitizer can not provide additional info.
[task 2017-10-18T04:33:07.841Z] 04:33:07 INFO - GECKO(1036) | SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/js/src/gc/Heap.h:951:13 in markIfUnmarked
[task 2017-10-18T04:33:07.844Z] 04:33:07 INFO - GECKO(1036) | ==1036==ABORTING
[task 2017-10-18T04:33:08.033Z] 04:33:08 INFO - GECKO(1036) | ASAN:DEADLYSIGNAL
[task 2017-10-18T04:33:08.036Z] 04:33:08 INFO - GECKO(1036) | =================================================================
[task 2017-10-18T04:33:08.039Z] 04:33:08 ERROR - GECKO(1036) | ==1153==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f61a47507a7 bp 0x7f61a08be380 sp 0x7f61a08be360 T2)
[task 2017-10-18T04:33:08.047Z] 04:33:08 INFO - GECKO(1036) | ==1153==The signal is caused by a WRITE memory access.
[task 2017-10-18T04:33:08.050Z] 04:33:08 INFO - GECKO(1036) | ==1153==Hint: address points to the zero page.
[task 2017-10-18T04:33:08.073Z] 04:33:08 INFO - GECKO(1036) | [Child 1185, Chrome_ChildThread] WARNING: pipe error (3): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
[task 2017-10-18T04:33:08.087Z] 04:33:08 INFO - GECKO(1036) | ASAN:DEADLYSIGNAL
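The log above carries two different kinds of ASAN report: the parent process (pid 1036, thread T0) faults on a READ of a non-null address inside markIfUnmarked during gray marking, and shortly afterwards several child processes (pid 1153 and others, all on thread T2) fault on a WRITE to the zero page with the SUMMARY line pointing at MessageChannel::OnChannelErrorFromLink(). When triaging a CI log like this one, the first thing to settle is which report is the actual bug and which are cascade deaths caused by the parent going away. The helper below is an added example (not code from this bug report or from Mozilla's test harness) that parses those report lines and applies that distinction. The sample log is constructed from lines copied out of this bug's excerpt, in both prefix styles the excerpt uses; the cascade rules (the first report is the primary; later reports in a different PID that null-deref or land in the IPC channel-error path are a cascade) are this example's own heuristics, not something the bug states.

```python
"""Triage AddressSanitizer SEGV reports from a mozharness/Treeherder-style log.

Added example, not code from this bug or from Mozilla's harness. It parses the
"==PID==ERROR: AddressSanitizer: SEGV ..." header, the READ/WRITE line, the
zero-page hint, "#N 0x... in func /path:line" frames and the SUMMARY line, then
flags later reports that look like cascade deaths of child processes rather
than independent bugs. The cascade rules are this example's own heuristics.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: SEGV on unknown address "
    r"(?P<addr>0x[0-9a-f]+) \(pc (?P<pc>0x[0-9a-f]+) bp \S+ sp \S+ T(?P<tid>\d+)\)"
)
ACCESS_RE = re.compile(r"==(?P<pid>\d+)==The signal is caused by a (?P<kind>READ|WRITE) memory access")
HINT_RE = re.compile(r"==(?P<pid>\d+)==Hint: address points to the zero page")
FRAME_RE = re.compile(r"#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>/\S+)$")
SUMMARY_RE = re.compile(r"SUMMARY: AddressSanitizer: SEGV (?P<loc>\S+) in (?P<func>.+)$")
IPC_TEARDOWN_MARKER = "OnChannelErrorFromLink"

# Constructed sample: lines copied from this bug's log excerpt. Both the
# "[task ...]" prefix and the bare "NNNN HH:MM:SS" prefix occur in that excerpt.
SAMPLE_LOG = """\
[task 2017-10-18T04:33:01.977Z] 04:33:01 ERROR - GECKO(1036) | ==1036==ERROR: AddressSanitizer: SEGV on unknown address 0x7fdc078fc0b8 (pc 0x7fdc7da963eb bp 0x7ffd42f4f830 sp 0x7ffd42f4f7d0 T0)
[task 2017-10-18T04:33:01.980Z] 04:33:01 INFO - GECKO(1036) | ==1036==The signal is caused by a READ memory access.
[task 2017-10-18T04:33:06.839Z] 04:33:06 INFO - GECKO(1036) | #0 0x7fdc7da963ea in markIfUnmarked /builds/worker/workspace/build/src/js/src/gc/Heap.h:951:13
[task 2017-10-18T04:33:06.882Z] 04:33:06 INFO - GECKO(1036) | #8 0x7fdc7d0393a8 in void js::gc::GCRuntime::markGrayReferences<js::gc::GCSweepGroupIter, js::CompartmentsIterT<js::gc::GCSweepGroupIter> >(js::gcstats::PhaseKind) /builds/worker/workspace/build/src/js/src/jsgc.cpp:4415:5
[task 2017-10-18T04:33:07.841Z] 04:33:07 INFO - GECKO(1036) | SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/js/src/gc/Heap.h:951:13 in markIfUnmarked
2329 04:33:08 ERROR - GECKO(1036) | ==1153==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f61a47507a7 bp 0x7f61a08be380 sp 0x7f61a08be360 T2)
[task 2017-10-18T04:33:08.047Z] 04:33:08 INFO - GECKO(1036) | ==1153==The signal is caused by a WRITE memory access.
[task 2017-10-18T04:33:08.050Z] 04:33:08 INFO - GECKO(1036) | ==1153==Hint: address points to the zero page.
2406 04:33:14 INFO - GECKO(1036) | SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2543:13 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink()
"""


@dataclass
class SegvReport:
    pid: int
    tid: int
    addr: int
    pc: int
    kind: str = "UNKNOWN"  # READ / WRITE once the follow-up line is seen
    zero_page: bool = False
    frames: list[tuple[int, str, str]] = field(default_factory=list)  # (#n, func, file:line)
    summary: tuple[str, str] | None = None  # (func, file:line) from the SUMMARY line


def parse_asan_segvs(log_text: str) -> list[SegvReport]:
    reports: list[SegvReport] = []
    by_pid: dict[int, SegvReport] = {}
    current: SegvReport | None = None  # report whose frames/summary are being read
    for raw in log_text.splitlines():
        # Drop the harness prefix ("[task ...] HH:MM:SS INFO - GECKO(1036) | ").
        line = raw.split(" | ", 1)[-1].strip()
        if m := HEADER_RE.search(line):
            current = SegvReport(int(m["pid"]), int(m["tid"]), int(m["addr"], 16), int(m["pc"], 16))
            reports.append(current)
            by_pid[current.pid] = current
        elif m := ACCESS_RE.search(line):
            if r := by_pid.get(int(m["pid"])):
                r.kind = m["kind"]
        elif m := HINT_RE.search(line):
            if r := by_pid.get(int(m["pid"])):
                r.zero_page = True
        elif (m := FRAME_RE.search(line)) and current is not None:
            # Frames and SUMMARY carry no PID, so they attach to the most recent
            # header (simplification: fully interleaved output needs per-PID buffering).
            current.frames.append((int(m["n"]), m["func"], m["loc"]))
        elif (m := SUMMARY_RE.search(line)) and current is not None:
            current.summary = (m["func"], m["loc"])
    return reports


def signature(r: SegvReport) -> str:
    """'func@file:line' for grouping duplicates: SUMMARY if present, else frame #0."""
    if r.summary:
        func, loc = r.summary
    elif r.frames:
        _, func, loc = r.frames[0]
    else:
        return f"unknown@pc={r.pc:#x}"
    return f"{func}@{loc}"


def triage(reports: list[SegvReport]) -> list[tuple[SegvReport, str]]:
    """First report is the primary crash; later reports in another PID that
    null-deref or unwind through the IPC channel-error path are a cascade."""
    if not reports:
        return []
    primary = reports[0]
    out = [(primary, "primary")]
    for r in reports[1:]:
        reasons = []
        if r.pid != primary.pid and (r.zero_page or r.addr < 0x1000):
            reasons.append(f"{r.kind} to null page in pid {r.pid}")
        in_ipc_teardown = any(IPC_TEARDOWN_MARKER in f for _, f, _ in r.frames) or (
            r.summary is not None and IPC_TEARDOWN_MARKER in r.summary[0]
        )
        if r.pid != primary.pid and in_ipc_teardown:
            reasons.append("unwinds through " + IPC_TEARDOWN_MARKER)
        out.append((r, ("cascade: " + "; ".join(reasons)) if reasons else "unclassified"))
    return out


if __name__ == "__main__":
    for r, verdict in triage(parse_asan_segvs(SAMPLE_LOG)):
        print(f"pid {r.pid} T{r.tid} {r.kind:5} addr={r.addr:#x} {signature(r)} -> {verdict}")
```

Run on the sample, the parent report comes out as the primary (READ, non-null address, signature markIfUnmarked@…/gc/Heap.h:951:13) and the pid 1153 report as a cascade (WRITE to the zero page, SUMMARY in OnChannelErrorFromLink). The four child headers in the original excerpt all share the same low PC bits and the same thread (T2), which is consistent with one deterministic teardown path after the parent died rather than four separate bugs; only the primary report deserves a signature of its own when filing or deduplicating.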
Updated•8 years ago
Group: core-security → javascript-core-security
Updated•8 years ago
Flags: needinfo?(jcoppeard)
Updated•8 years ago
status-firefox58: --- → affected
Priority: -- → P1
Updated•8 years ago
status-firefox57: --- → wontfix
Comment 3•8 years ago
This looks like yet another unactionable GC crash, so I'm going to mark it sec-other.
Keywords: csectype-uaf, sec-other
Updated•5 years ago
Priority: P1 → P5
Updated•3 years ago
Severity: normal → S3
Updated•2 years ago
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE
Comment 5•2 years ago
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.
Keywords: stalled
Updated•2 years ago
Group: javascript-core-security