1062612 - Crash [@ mozilla::VectorBase] or [@ js::jit::RangeAnalysis::truncate]

Status: VERIFIED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

x = [0]
for (var j = 0; j < 1; ++j) {
    (x[j] ? 0 : ~undefined >>> 0) >>> 0
}

crashes js debug shell on m-c changeset acbdce59da2f with --no-threads --ion-eager at mozilla::VectorBase and crashes js opt shell at js::jit::RangeAnalysis::truncate.

Debug configure flags:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Opt configure flags:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/61f05ae95aa4
user:        Dan Gohman
date:        Tue Sep 02 13:01:31 2014 -0700
summary:     Bug 1054972 - IonMonkey: Truncation for phis r=nbp

Setting s-s to be safe (though seems to be a null-deref), and needinfo? from :sunfish.

This has blown up the fuzzers.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: debug and opt stacks

Comment 2

[Dan Gohman [:sunfish]]

Attachment: block.patch

Here's the fix.  I'll try to craft a reasonable testcase for this before submitting for review.

Comment 3

[Dan Gohman [:sunfish]]

Attachment: block.patch

This patch fixes an obvious thinko in my earlier patch. It's surprising that no tests caught this. I added a simple testcase to the patch.

Comment 4

[Dan Gohman [:sunfish]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/36461117c5aa

Comment 5

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/36461117c5aa

Comment 6

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.

Comment 8

[Robert Kaiser]

Given this is fixed in current nightlies and has never existed outside nightlies, I think this doesn't need to be marked security-sensitive.

Comment 13

[Dan Gohman [:sunfish]]

Comment on attachment 8483879 [details] [diff] [review]
block.patch

Approval Request Comment
[Feature/regressing bug #]:

bug 1054972

[User impact if declined]:

Null-pointer dereferences

[Describe test coverage new/current, TBPL]:

TBPL, on mozilla-central

[Risks and why]:

This patch is an extremely simple and obvious fix for a mistake in the patch for bug 1054972

[String/UUID change made/needed]:

None

Comment 14

[Lawrence Mandel [:lmandel] (use needinfo)]

Comment on attachment 8483879 [details] [diff] [review]
block.patch

Beta+
Aurora+

Comment 15

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/6aa082239a61
https://hg.mozilla.org/releases/mozilla-beta/rev/c5ee54bc44f8