Crash [@ mozilla::VectorBase] or [@ js::jit::RangeAnalysis::truncate]

VERIFIED FIXED in Firefox 33

Status

()

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect
Importance:
--
critical
Status:
VERIFIED FIXED
Opened:
5 years ago
Updated:
5 years ago

People

(Reporter: gkw, Assigned: sunfish)

Tracking

(Blocks 1 bug, {crash, regression, testcase})

Version:
Trunk
Target:
mozilla35
Platform:
x86_64
macOS
Points:
---
Dependency tree / graph
Duplicates:
1063064, 1063259, 1063297, 1063379, 1064076

Firefox Tracking Flags

(firefox32 wontfix, firefox33+ fixed, firefox34+ fixed, firefox35 verified)

Details

(Whiteboard: [fuzzblocker][jsbugmon:update], crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

debug and opt stacks
9.79 KB, text/plain
Details
block.patch
1.38 KB, patch
nbp
: review+
lmandel
: approval-mozilla-aurora+
lmandel
: approval-mozilla-beta+
Details | Diff | Splinter Review
Reporter

Description

5 years ago 
x = [0]
for (var j = 0; j < 1; ++j) {
    (x[j] ? 0 : ~undefined >>> 0) >>> 0
}

crashes js debug shell on m-c changeset acbdce59da2f with --no-threads --ion-eager at mozilla::VectorBase and crashes js opt shell at js::jit::RangeAnalysis::truncate.

Debug configure flags:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Opt configure flags:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/61f05ae95aa4
user:        Dan Gohman
date:        Tue Sep 02 13:01:31 2014 -0700
summary:     Bug 1054972 - IonMonkey: Truncation for phis r=nbp

Setting s-s to be safe (though seems to be a null-deref), and needinfo? from :sunfish.

This has blown up the fuzzers.
Flags: needinfo?(sunfish)
Reporter

Comment 1

5 years ago
Assignee

Comment 2

5 years ago
Posted patch block.patch (obsolete) — Splinter Review 
Here's the fix.  I'll try to craft a reasonable testcase for this before submitting for review.
Assignee: nobody → sunfish
Flags: needinfo?(sunfish)
Assignee

Comment 3

5 years ago
Posted patch block.patchSplinter Review 
This patch fixes an obvious thinko in my earlier patch. It's surprising that no tests caught this. I added a simple testcase to the patch.
Attachment #8483849 - Attachment is obsolete: true
Attachment #8483879 - Flags: review?(nicolas.b.pierron)
Attachment #8483879 - Flags: review?(nicolas.b.pierron) → review+
 Assignee

Comment 4

5 years ago 
https://hg.mozilla.org/integration/mozilla-inbound/rev/36461117c5aa
Crash Signature: [@ js::jit::RangeAnalysis::truncate] [@ mozilla::VectorBase] → [@ js::jit::RangeAnalysis::truncate] [@ mozilla::VectorBase]
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Crash Signature: [@ js::jit::RangeAnalysis::truncate] [@ mozilla::VectorBase] → [@ js::jit::RangeAnalysis::truncate] [@ mozilla::VectorBase]
status-firefox35: fixedverified

Comment 6

5 years ago 
JSBugMon: This bug has been automatically verified fixed.
Duplicate of this bug: 1063259

Comment 8

5 years ago 
Given this is fixed in current nightlies and has never existed outside nightlies, I think this doesn't need to be marked security-sensitive.
Crash Signature: [@ js::jit::RangeAnalysis::truncate] [@ mozilla::VectorBase] → [@ js::jit::RangeAnalysis::truncate] [@ mozilla::VectorBase]

Updated

5 years ago
Duplicate of this bug: 1063379
 Reporter

Updated

5 years ago
Group: core-security

Updated

5 years ago
Crash Signature: [@ js::jit::RangeAnalysis::truncate] [@ mozilla::VectorBase] → [@ js::jit::RangeAnalysis::truncate] [@ mozilla::VectorBase] [@ AdjustTruncatedInputs]

Updated

5 years ago
Duplicate of this bug: 1064076
Crash Signature: [@ js::jit::RangeAnalysis::truncate] [@ mozilla::VectorBase] [@ AdjustTruncatedInputs] → [@ js::jit::RangeAnalysis::truncate] [@ mozilla::VectorBase] [@ AdjustTruncatedInputs] [@ js::jit::RangeAnalysis::truncate() ]

Updated

5 years ago
Duplicate of this bug: 1063297

Updated

5 years ago
Duplicate of this bug: 1063064
 Assignee

Comment 13

5 years ago 
Comment on attachment 8483879 [details] [diff] [review]
block.patch

Approval Request Comment
[Feature/regressing bug #]:

bug 1054972

[User impact if declined]:

Null-pointer dereferences

[Describe test coverage new/current, TBPL]:

TBPL, on mozilla-central

[Risks and why]:

This patch is an extremely simple and obvious fix for a mistake in the patch for bug 1054972

[String/UUID change made/needed]:

None
Attachment #8483879 - Flags: approval-mozilla-beta?
Attachment #8483879 - Flags: approval-mozilla-aurora?

Comment 14

5 years ago 
Comment on attachment 8483879 [details] [diff] [review]
block.patch

Beta+
Aurora+
Attachment #8483879 - Flags: approval-mozilla-beta?
Attachment #8483879 - Flags: approval-mozilla-beta+
Attachment #8483879 - Flags: approval-mozilla-aurora?
Attachment #8483879 - Flags: approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.