Closed Bug 853576 Opened 11 years ago Closed 11 years ago

Assertion failure: idx < arrobj->getDenseInitializedLength(), at vm/SelfHosting.cpp:373 or Crash [@ js::intrinsic_UnsafeSetElement] with ParallelArray

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla22
Tracking Flags:
Tracking Status
firefox19 --- unaffected
firefox20 --- unaffected
firefox21 --- unaffected
firefox22 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected
b2g18-v1.0.0 --- unaffected
b2g18-v1.0.1 --- unaffected

People

(Reporter: decoder, Assigned: nmatsakis)

Details

(5 keywords, Whiteboard: [jsbugmon:update][adv-main22-])

Crash Data

Attachments

(1 file)

Remember that indices can be *negative*
674 bytes, patch
shu
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision 1d6fe70c79c5 (no options required):


var len = 2;
function add1(x) { return x+1; }
var p = new ParallelArray(len, add1);
var idx = [0,0].concat(build(len-4, add1)).concat([len-3,len-3]);
var revidx = idx.reverse();
var r = p.scatter(revidx, 0, function (x,y) { return x+y; }, len-2, {});
Crash trace:

==13859== Invalid read of size 8
==13859==    at 0x5EA9A8: js::intrinsic_UnsafeSetElement(JSContext*, unsigned int, JS::Value*) (jsobjinlines.h:449)
==13859==    by 0x4B8260: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:338)
==13859==    by 0x4AC763: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2396)
==13859==    by 0x4B80FA: js::RunScript(JSContext*, js::StackFrame*) (jsinterp.cpp:341)
==13859==    by 0x4B84AC: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:398)
==13859==    by 0x4AC763: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2396)
==13859==    by 0x4B80FA: js::RunScript(JSContext*, js::StackFrame*) (jsinterp.cpp:341)
==13859==    by 0x4B84AC: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:398)
==13859==    by 0x4AC763: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2396)
==13859==    by 0x4B80FA: js::RunScript(JSContext*, js::StackFrame*) (jsinterp.cpp:341)
==13859==    by 0x4BDE52: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:531)
==13859==    by 0x424700: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5525)
==13859==  Address 0x80704e068 is not stack'd, malloc'd or (recently) free'd


S-s due to invalid read on bad address.
Crash Signature: [@ js::intrinsic_UnsafeSetElement]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Assignee: general → nmatsakis
Attachment #730461 - Flags: review?(shu) → review+
(No branches are affected)
Backed out for SM rootanalysis orange.
https://hg.mozilla.org/integration/mozilla-inbound/rev/bc6dfc2e65f0

https://tbpl.mozilla.org/php/getParsedLog.php?id=21184667&tree=Mozilla-Inbound

FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-jm: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --ion-eager: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion --no-jm --no-ti: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion --no-ti: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion --no-ti --always-mjit --debugjit: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion --no-jm: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion --always-mjit: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
TEST-PASS | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853573.js | --no-ion --no-jm
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion --always-mjit --debugjit: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion --debugjit: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, failed due to error (try manually).
https://hg.mozilla.org/mozilla-central/rev/8f1f83f4f183
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox22: affectedfixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main22-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: