Closed Bug 1041079 Opened 6 years ago Closed 6 years ago

Crash [@ js::jit::AutoFlushICache::flush] or [@ js::jit::PatchJump]

Categories

(Core :: JavaScript Engine: JIT, defect)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla34
Tracking Status
firefox32 --- affected
firefox33 --- affected
firefox34 --- affected
firefox-esr31 --- affected

People

(Reporter: gkw, Assigned: dougc)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:])

Crash Data

Attachments

(3 files, 1 obsolete file)

Attached file stack
(function() {
    for (var i = 0; i < 1; i++) {}
})()
timeout(8)

crashes js debug shell on m-c changeset f77a9f825427 with --ion-eager --ion-offthread-compile=off at js::jit::AutoFlushICache::flush with js::jit::PatchJump on the stack.

My configure flags are:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-debug --enable-optimize --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe

Marty / Douglas, this may be related to the ARM simulator as ARM stuff is on the stack, so setting needinfo? and s-s in case the crash is dangerous.
Flags: needinfo?(mrosenberg)
Flags: needinfo?
Crash Signature: [@ js::jit::AutoFlushICache::flush] [@ js::jit::PatchJump] → [@ js::jit::AutoFlushICache::flush] [@ js::jit::PatchJump]
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/8ecc1aa20f39
user:        Douglas Crosher
date:        Sat Jul 12 10:04:29 2014 +1000
summary:     Bug 964258 - IonMonkey: Use mprotect for interrupt check on ARM. r=bhackett

Douglas, is bug 964258 a likely regressor?
Blocks: 964258
Crash Signature: [@ js::jit::AutoFlushICache::flush] [@ js::jit::PatchJump] → [@ js::jit::AutoFlushICache::flush] [@ js::jit::PatchJump]
Flags: needinfo? → needinfo?(dtc-moz)
Cannot reproduce this on Linux. It might be MacOS specific, and since this code is only used for ARM and MIPS code generation it might be specific to the simulators.

The bug report gives some useful information, thanks, and points to a likely cause. If this patch corrects the issue then this bug would have been introduced in bug 988789 and exposed by 964258.

gkw: Could you please test this patch and report if it helps? I don't have access to a MacOS computer.
Assignee: nobody → dtc-moz
Attachment #8459157 - Flags: feedback?(gary)
Flags: needinfo?(dtc-moz)
Sounds bad...
Keywords: sec-high
Rebase.
Attachment #8459157 - Attachment is obsolete: true
Attachment #8459157 - Flags: feedback?(gary)
Attachment #8471280 - Flags: feedback?(gary)
Comment on attachment 8471280 [details] [diff] [review]
Guard against there being no TLS PerThreadData when flushing the icache.

Yes, this seems to fix the issue.
Attachment #8471280 - Flags: feedback?(gary) → feedback+
Flags: needinfo?(mrosenberg) → needinfo?(dtc-moz)
Attachment #8471280 - Flags: review?(luke)
Flags: needinfo?(dtc-moz)
Attachment #8471280 - Flags: review?(luke) → review+
If bug 988789 and bug 964258 are related to causing / exposing this issue, does this mean branches are also affected?

sec-approval should also be requested if this is indeed a sec-high, but I'm not sure if this issue is specific to the ARM simulator on Mac (then it wouldn't be a sec-high).
Keywords: checkin-needed
Flags: needinfo?(dtc-moz)
Backport for ESR31, Beta 32, Aurora 33. Probably also any earlier release that bug 988789 was uplifted to.

This is specific to the ARM simulator on Mac.

This issue was introduced in bug 988789, which was uplifted as far back as b2g30_v1_4. It could be usefully uplifted to any of these releases that will be tested using the ARM simulator on the Mac.

ESR31: https://tbpl.mozilla.org/?tree=Try&rev=de6750b1847f
Flags: needinfo?(dtc-moz)
(In reply to Douglas Crosher [:dougc] from comment #9)
> This is specific to the ARM simulator on Mac.

Not an s-s bug, so opening up.
Blocks: 988789
No longer blocks: 964258
Group: core-security, javascript-core-security
Keywords: sec-high