Crash in [@ js::GlobalHelperThreadState::finishParseTaskCommon]
Categories
(Core :: JavaScript Engine, defect)
Tracking
Release | Tracking | Status |
---|---|---|
firefox-esr78 | --- | unaffected |
firefox81 | --- | unaffected |
firefox82 | --- | unaffected |
firefox83 | --- | unaffected |
firefox84 | + | fixed |
People
(Reporter: aryx, Assigned: jonco)
References
(Regression)
Details
(4 keywords, Whiteboard: [sec-survey][post-critsmash-triage])
Attachments
(1 file)
(deleted),
text/x-phabricator-request
Failure observed on several machines; the first build it has been reported for is Nightly 84.0a1 20201021213007.
Pushlog between previous build and that one: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d8861d51b01e9489672f998648d67662a60a8b3a&tochange=7d6d66062e843a75b7aafb4ec0ae2dff355755e7
Crash report: https://crash-stats.mozilla.org/report/index/63e6e42c-4666-4c82-b306-678d10201022
Reason: EXCEPTION_ACCESS_VIOLATION_WRITE
Top 10 frames of crashing thread:
0 xul.dll js::GlobalHelperThreadState::finishParseTaskCommon js/src/vm/HelperThreads.cpp:1918
1 xul.dll js::GlobalHelperThreadState::finishSingleParseTask js/src/vm/HelperThreads.cpp:2039
2 xul.dll nsJSUtils::ExecutionContext::JoinDecode dom/base/nsJSUtils.cpp:299
3 xul.dll mozilla::dom::ScriptLoader::EvaluateScript dom/script/ScriptLoader.cpp:2937
4 xul.dll mozilla::dom::ScriptLoader::ProcessRequest dom/script/ScriptLoader.cpp:2535
5 xul.dll mozilla::dom::`anonymous namespace'::NotifyOffThreadScriptLoadCompletedRunnable::Run dom/script/ScriptLoader.cpp:2235
6 xul.dll mozilla::SchedulerGroup::Runnable::Run xpcom/threads/SchedulerGroup.cpp:146
7 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:515
8 xul.dll mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:85:7'>::Run xpcom/threads/nsThreadUtils.h:577
9 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1197
Comment 1•4 years ago
The signature itself seems to go back quite a ways -- I see ESR 68 and 78 crashes in there -- but the reported crash addresses do seem to have changed in character. Other than one 0xe5e5.... crash in 82-beta these didn't really start showing up until 84. But there was clearly something wrong here before, too.
Comment 2•4 years ago
Ted and Jon, any ideas? Bug 1672172 and bug 1657025 are in the regression range in comment 0, and look like the only parser-related patches I can see in there. Thanks.
Assignee | ||
Comment 3•4 years ago
The problem here was cancelling parse tasks without the browser's knowledge (I
didn't realise that the cancel method did anything beyond waiting).
Reporter | ||
Comment 4•4 years ago
https://hg.mozilla.org/integration/autoland/rev/68e6b05b17b7e32496b5519f0b0fd9e99e10b3a0
https://hg.mozilla.org/mozilla-central/rev/68e6b05b17b7
Comment 5•4 years ago
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Assignee | ||
Comment 6•4 years ago
(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #5)
Done.