Closed Bug 1054241 Opened 9 years ago Closed 9 years ago

Crash [@ js::jit::JitFrameIterator::operator++] with setObjectMetadataCallback

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla34
Tracking Flags:
Tracking Status
firefox33 --- unaffected
firefox34 --- verified
firefox-esr31 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected

People

(Reporter: decoder, Assigned: nbp)

References

Details

(Keywords: crash, sec-moderate, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

[crash-signature] Machine-readable crash signature
431 bytes, text/plain
Details
Use AutoEnterAnalysis to avoid iterating the stack under RNewArray allocations.
1.51 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision c9f8cc9ce89c (run with --no-threads --fuzzing-safe --ion-eager):


setObjectMetadataCallback(true);
(function(){
for(;;) {
  try{
    var a = new Array(5);
    throw 1;
  } catch(e) {}	
}
})();
Opt-crash trace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::JitFrameIterator::operator++ (this=0x7fffffffb238) at js/src/jit/IonFrames.cpp:313
313         frameSize_ = prevFrameLocalSize();
#0  js::jit::JitFrameIterator::operator++ (this=0x7fffffffb238) at js/src/jit/IonFrames.cpp:313
#1  0x00000000008b2be0 in js::FrameIter::settleOnActivation (this=0x7fffffffb1e0) at js/src/vm/Stack.cpp:573
#2  0x000000000044ecf2 in ScriptFrameIter (this=0x7fffffffb1e0, savedOption=js::FrameIter::STOP_AT_SAVED, cx=0x1670a40) at js/src/vm/Stack.h:1688
#3  NonBuiltinScriptFrameIter (opt=js::FrameIter::STOP_AT_SAVED, cx=0x1670a40, this=0x7fffffffb1e0) at js/src/vm/Stack.h:1780
#4  ShellObjectMetadataCallback (cx=0x1670a40, pmetadata=0x7fffffffb730) at js/src/builtin/TestingFunctions.cpp:1174
#5  0x0000000000985c57 in callObjectMetadataCallback (obj=0x7fffffffb730, cx=0x1670a40, this=<optimized out>) at js/src/jscompartment.h:355
#6  NewObjectMetadata (pmetadata=0x7fffffffb730, cxArg=0x1670a40) at js/src/jsobjinlines.h:1064
#7  NewArray<true> (protoArg=<optimized out>, newKind=js::GenericObject, length=5, cxArg=0x1670a40) at js/src/jsarray.cpp:3209
r12     0xba1   2977
=> 0x617db9 <js::jit::JitFrameIterator::operator++()+25>:       mov    0x8(%r12),%rbp



Crash doesn't look like a null-deref, marking s-s based on that until triaged.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9bdc7649cc78
user:        Nicolas B. Pierron
date:        Mon Aug 04 07:18:40 2014 -0700
summary:     Bug 1040027 part 2 - IonMonkey: Recover MNewArray. r=jandem

This iteration took 648.176 seconds to run.
Needinfo from nbp based on comment 3 :)
Flags: needinfo?(nicolas.b.pierron)
This is the same issue as Bug 1006899, apparently I forgot to add it back in this patch when I fixed it in the tree.
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)
Attachment #8474736 - Flags: review?(bhackett1024) → review+
This issue is caused by Bug 1040027 which is adding this code as part of changeset 9bdc7649cc78.
status-firefox33: --- → unaffected
Blocks: 1040027
https://hg.mozilla.org/mozilla-central/rev/fb294a66c8ac
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox34: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Status: RESOLVED → VERIFIED
status-firefox34: fixedverified
JSBugMon: This bug has been automatically verified fixed.
You need to log in before you can comment on or make changes to this bug.