Closed Bug 1646257 Opened 5 years ago Closed 4 years ago

Crash in [@ js::ReportMagicWordFailure]

Categories

(Core :: JavaScript: GC, defect, P3)

Unspecified
All
defect

Tracking

RESOLVED FIXED

People

(Reporter: RyanVM, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, sec-high)

Crash Data

This bug is for crash report bp-22770f42-3894-41d3-9c17-766090200616.

Looks like this started spiking in the 20200601214228 Nightly build. Pushlog range:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=702ad0fa1586&tochange=bc973d369db58faf254ddcef201089dc28e6d3be

Top 10 frames of crashing thread:

0 xul.dll js::ReportMagicWordFailure js/src/vm/TypeInference.cpp:2699
1 xul.dll js::GCMarker::processMarkStackTop js/src/gc/Marking.cpp:1915
2 xul.dll js::GCMarker::markUntilBudgetExhausted js/src/gc/Marking.cpp:1780
3 xul.dll js::gc::GCRuntime::incrementalSlice js/src/gc/GC.cpp:6629
4 xul.dll js::gc::GCRuntime::gcCycle js/src/gc/GC.cpp:7086
5 xul.dll js::gc::GCRuntime::collect js/src/gc/GC.cpp:7296
6 xul.dll js::gc::GCRuntime::gcSlice js/src/gc/GC.cpp:7388
7 xul.dll static nsJSContext::GarbageCollectNow dom/base/nsJSEnvironment.cpp:1173
8 xul.dll InterSliceGCRunnerFired dom/base/nsJSEnvironment.cpp:1743
9 xul.dll std::_Func_impl_no_alloc<`lambda at /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1791:7', bool, mozilla::TimeStamp>::_Do_call 

"Got 0xa1a2b3b4c546d7da expected magic word 0xa1a2b3b4c5c6d7da flags 0x20002 objectSet 0x0"

Group: javascript-core-security

Hiding because I assume a crash in this function means some kind of memory corruption.

Looks like corruption of TI data. Most of these are single bit flips.

Component: JavaScript: GC → JavaScript Engine
See Also: → 1567020

I don't really see much of a "spike" -- seems noisy but fairly constant over the last 6 months. End of May looks a little quiet. Some of the crashes are null but most are bit flips -- do we have that many nightly users running crappy machines?

A small percentage of the crashes have Multi-bit ECC (see Memory Error Correction field on the "Metadata" tab or add a column).
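As an added example that is not part of this bug or of the SpiderMonkey sources, the following Python helper parses the magic-word failure message quoted above and classifies each report the way the comments do: "null" when the stored value is zero, "single-bit" when the stored and expected words differ in exactly one bit, and "multi-bit" otherwise. The field layout ("Got ... expected magic word ... flags ... objectSet ...") is assumed from the one message in this bug; the first sample line is that message, the other two are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed fixed format of the diagnostic message, taken from the single
# line quoted in this bug. "flags" and "objectSet" are treated as optional.
MAGIC_WORD_RE = re.compile(
    r"Got (0x[0-9a-fA-F]+) expected magic word (0x[0-9a-fA-F]+)"
    r"(?: flags (0x[0-9a-fA-F]+))?(?: objectSet (0x[0-9a-fA-F]+))?"
)

# Sample crash-reason lines: the first is the one reported in this bug,
# the other two are constructed to exercise the "null" and "multi-bit" cases.
REPORTED_LINE = (
    "Got 0xa1a2b3b4c546d7da expected magic word 0xa1a2b3b4c5c6d7da "
    "flags 0x20002 objectSet 0x0"
)
SAMPLE_LINES = [
    REPORTED_LINE,
    "Got 0x0 expected magic word 0xa1a2b3b4c5c6d7da flags 0x0 objectSet 0x0",  # constructed
    "Got 0xa1a2b3b4c5c6d7d0 expected magic word 0xa1a2b3b4c5c6d7da",           # constructed
]


@dataclass
class MagicWordFailure:
    got: int
    expected: int
    flags: Optional[int]
    object_set: Optional[int]

    @property
    def diff(self) -> int:
        """XOR of stored and expected word: set bits are the corrupted ones."""
        return self.got ^ self.expected

    @property
    def flipped_bits(self) -> List[int]:
        """Bit positions that differ, 0 being the least significant bit."""
        return [i for i in range(64) if (self.diff >> i) & 1]

    @property
    def kind(self) -> str:
        """Bucket the failure the way the triage comments in the bug do."""
        if self.got == 0:
            return "null"
        n = len(self.flipped_bits)
        if n == 0:
            return "match"
        if n == 1:
            return "single-bit"
        return "multi-bit"


def parse_magic_word_failure(line: str) -> Optional[MagicWordFailure]:
    """Parse one crash-reason line; return None if it is not a magic-word failure."""
    m = MAGIC_WORD_RE.search(line)
    if not m:
        return None
    got, expected, flags, object_set = m.groups()
    return MagicWordFailure(
        got=int(got, 16),
        expected=int(expected, 16),
        flags=int(flags, 16) if flags else None,
        object_set=int(object_set, 16) if object_set else None,
    )


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count failure kinds over a batch of crash-reason lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        failure = parse_magic_word_failure(line)
        if failure is None:
            continue
        counts[failure.kind] = counts.get(failure.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_magic_word_failure(line)
        print(f"{f.kind:11} bits={f.flipped_bits} diff={f.diff:#x}")
    print(summarize(SAMPLE_LINES))
```

Running it on the line from this bug reports a single flipped bit (bit 23, the difference between the 0x46 and 0xc6 bytes), which is what "single bit flips" in the comments refers to; batching the classification across many reports is the quick check for whether a signature is dominated by hardware-looking corruption rather than a software bug.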

I tried to look at the caller js::GCMarker::processMarkStackTop to see whether the same issue appeared in release versions of Firefox.

However, filtering by crash addresses does not yield crash addresses similar to this bug's, which hints that this bug might only exist on Nightly.
Thus setting a lower severity.

Severity: -- → S4
Component: JavaScript Engine → JavaScript: GC
Priority: -- → P3

Do we only run this check in Nightly? If so we were worried about this case and might not be "low".

Flags: needinfo?(nicolas.b.pierron)

(In reply to Daniel Veditz [:dveditz] from comment #7)

Do we only run this check in Nightly? If so we were worried about this case and might not be "low".

I will forward the question to Jon.

One of the things I noted is that the above signature seems to only report Nightly issues, so I expected it to have been inlined in the caller. Which is why I looked for js::GCMarker::processMarkStackTop.

Flags: needinfo?(nicolas.b.pierron) → needinfo?(jcoppeard)

ReportMagicWordFailure is #ifdeffed on JS_CRASH_DIAGNOSTICS, so this signature only affects Nightly.

In release builds this kind of problem causes the crashes tracked in bug 1112741.

Flags: needinfo?(jcoppeard)
Blocks: GCCrashes
Keywords: sec-high, stalled

TI was removed and this code is gone.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled
Group: javascript-core-security → core-security-release
Group: core-security-release