Closed
Bug 1096016
Opened 10 years ago
Closed 10 years ago
Crash [@ compartment] or Crash [@ ObjectType] with poisoned crash pattern and TypedObject
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
mozilla36
 | Tracking | Status |
---|---|---|
firefox34 | --- | unaffected |
firefox35 | --- | unaffected |
firefox36 | --- | verified |
firefox-esr31 | --- | unaffected |
b2g-v1.4 | --- | unaffected |
b2g-v2.0 | --- | unaffected |
b2g-v2.0M | --- | unaffected |
b2g-v2.1 | --- | unaffected |
b2g-v2.2 | --- | fixed |
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files)
763 bytes, text/plain | Details
12.56 KB, patch | nmatsakis: review+ | Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision d380166816dd (run with --no-threads --fuzzing-safe --ion-eager):

```js
var T = TypedObject;
var ObjectStruct = new T.StructType({f: T.Object});
var o = new ObjectStruct();
function testGC(o, p) {
  for (var i = 0; i < 5; i++) {
    minorgc();
    o.f >>= p;
  }
}
testGC(o, {});
```
Reporter
Comment 1•10 years ago

Reporter
Comment 2•10 years ago
Crash trace for the optimized build:

```
Program received signal SIGSEGV, Segmentation fault.
0x00000000007acb42 in ObjectType (obj=<optimized out>) at js/src/jsinferinlines.h:129
129         return Type(uintptr_t(obj) | 1);
#0  0x00000000007acb42 in ObjectType (obj=<optimized out>) at js/src/jsinferinlines.h:129
#1  GetValueType (val=...) at js/src/jsinferinlines.h:153
#2  GetValueType (val=...) at js/src/jsinfer.cpp:3608
#3  js::types::TypeMonitorResult (cx=0x16bf6d0, script=0x7ffff7e604a0, pc=0x1781ff5 ":", rval=...) at js/src/jsinfer.cpp:3619
#4  0x00000000005c8c93 in Monitor (rval=..., pc=<optimized out>, script=0x7ffff7e604a0, cx=0x16bf6d0) at js/src/jsinferinlines.h:753
#5  js::jit::DoTypeMonitorFallback (cx=0x16bf6d0, frame=<optimized out>, stub=0x16eff68, value=..., res=...) at js/src/jit/BaselineIC.cpp:1311
#6  0x00007ffff7ff250e in ?? ()
rcx            0x2b2b2b2b       3110627432037296939
=> 0x7acb42 <js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&)+242>:    cmpq   $0x0,0x10(%rcx)
```

Marked s-s based on crash pattern. Needinfo from :nmatsakis as this seems to be a problem with TypedObject.
Crash Signature: [@ compartment] or Crash [@ ObjectType] → [@ compartment]
[@ ObjectType]
status-firefox36:
--- → affected
Flags: needinfo?(nmatsakis)
Whiteboard: [jsbugmon:update,bisect]
Reporter
Updated•10 years ago
Crash Signature: [@ compartment]
[@ ObjectType] → [@ compartment]
[@ ObjectType]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 3•10 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/4bdc3391644e
user:        Brian Hackett
date:        Tue Nov 04 18:21:47 2014 -0700
summary:     Bug 1091329 - Optimize writes to reference members of TypedObjects, r=nmatsakis,jandem.

This iteration took 356.618 seconds to run.
Comment 4•10 years ago
(In reply to Christian Holler (:decoder) from comment #3)
> JSBugMon: Bisection requested, result:
> autoBisect shows this is probably related to the following changeset:
>
> The first bad revision is:
> changeset:   https://hg.mozilla.org/mozilla-central/rev/4bdc3391644e
> user:        Brian Hackett
> date:        Tue Nov 04 18:21:47 2014 -0700
> summary:     Bug 1091329 - Optimize writes to reference members of
> TypedObjects, r=nmatsakis,jandem.
>
> This iteration took 356.618 seconds to run.

Could the above changeset have caused this?
Crash Signature: [@ compartment]
[@ ObjectType] → [@ compartment]
[@ ObjectType]
Flags: needinfo?(bhackett1024)
Assignee
Comment 5•10 years ago
The code adding post barriers for writes to typed objects is wrong, as the logic looks at the input value before any ToObjectOrNull instruction is inserted, and if the ToObjectOrNull produces a nursery object we don't end up with a post barrier.
Assignee: nobody → bhackett1024
Flags: needinfo?(nmatsakis)
Flags: needinfo?(bhackett1024)
Attachment #8520213 -
Flags: review?(nmatsakis)
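The defect described in comment 5 (a freshly created nursery object stored into a tenured typed object with no post barrier) is easiest to see on a toy generational heap. The C++ below is an added example written for this page; it is not SpiderMonkey code, and every name in it (Heap, Obj, writeBarriered, writeUnbarriered, minorGC) is invented. It allocates a young object, stores it into a tenured slot with and without the barrier, runs a minor GC that evacuates the nursery and poisons the vacated memory with 0x2b (the byte pattern visible in rcx in comment 2), and reports what the tenured slot observes afterwards.

```cpp
#include <cstdio>
#include <cstring>
#include <memory>
#include <unordered_set>
#include <vector>

// Hypothetical heap object: one scalar payload and one reference slot.
struct Obj {
    int  value;
    Obj* ref;      // the "reference member" being written
    Obj* forward;  // forwarding pointer, set when the object is tenured
};

// Toy two-generation heap (constructed for this example, not SpiderMonkey's).
struct Heap {
    static constexpr int kNurserySize = 8;
    static constexpr unsigned char kPoison = 0x2b;   // same byte the crash trace shows in rcx

    Obj  nursery[kNurserySize];                      // fixed nursery arena: never freed, only poisoned
    int  nurseryUsed = 0;
    std::vector<std::unique_ptr<Obj>> tenured;
    std::unordered_set<Obj**> remembered;            // tenured slots that may hold nursery pointers

    bool isNursery(const Obj* o) const {
        return o >= nursery && o < nursery + kNurserySize;
    }

    Obj* allocNursery(int v) {
        Obj* o = &nursery[nurseryUsed++];
        *o = Obj{v, nullptr, nullptr};
        return o;
    }

    Obj* allocTenured(int v) {
        tenured.push_back(std::make_unique<Obj>(Obj{v, nullptr, nullptr}));
        return tenured.back().get();
    }

    // Post barrier: after a store into a tenured slot, record the slot if it
    // now points into the nursery so the next minor GC can update it.
    void postBarrier(Obj** slot) {
        if (isNursery(*slot)) remembered.insert(slot);
    }

    void writeBarriered(Obj** slot, Obj* v)   { *slot = v; postBarrier(slot); }
    void writeUnbarriered(Obj** slot, Obj* v) { *slot = v; }   // the defect from comment 5

    // Minor GC: evacuate every nursery object to tenured space, fix up the
    // references of the moved copies and the remembered slots, then poison
    // the vacated nursery memory. Tenured slots that were never remembered
    // are not visited, which is exactly what makes a minor GC cheap.
    void minorGC() {
        size_t firstMoved = tenured.size();
        for (int i = 0; i < nurseryUsed; i++) {
            nursery[i].forward = allocTenured(nursery[i].value);
            nursery[i].forward->ref = nursery[i].ref;
        }
        for (size_t i = firstMoved; i < tenured.size(); i++)
            if (tenured[i]->ref && isNursery(tenured[i]->ref))
                tenured[i]->ref = tenured[i]->ref->forward;
        for (Obj** slot : remembered)
            if (*slot && isNursery(*slot)) *slot = (*slot)->forward;
        remembered.clear();
        std::memset(static_cast<void*>(nursery), kPoison, sizeof(nursery));
        nurseryUsed = 0;
    }
};

struct Outcome {
    int  value;     // what a read through the tenured slot returns after the GC
    bool dangling;  // whether the slot still points into the poisoned nursery
};

// A tenured holder (standing in for the typed object's storage) receives a
// young object (standing in for what ToObjectOrNull produced), then a minor
// GC runs. With the barrier the slot follows the moved object; without it
// the slot keeps pointing at poisoned nursery memory.
Outcome writeThenMinorGC(bool withBarrier) {
    Heap heap;
    Obj* holder = heap.allocTenured(0);
    Obj* young  = heap.allocNursery(42);
    if (withBarrier) heap.writeBarriered(&holder->ref, young);
    else             heap.writeUnbarriered(&holder->ref, young);
    heap.minorGC();
    return Outcome{holder->ref->value, heap.isNursery(holder->ref)};
}

int main() {
    Outcome ok  = writeThenMinorGC(true);
    Outcome bad = writeThenMinorGC(false);
    std::printf("with barrier:    value=%d dangling=%d\n", ok.value, ok.dangling);
    std::printf("without barrier: value=0x%x dangling=%d\n", (unsigned)bad.value, bad.dangling);
    return 0;
}
```

The unbarriered path reproduces the shape of the crash in comment 2: the tenured slot still holds a nursery address after minorgc, and the first dereference reads the 0x2b poison instead of an object. The fix in this bug moves the barrier decision to the point where the final stored value is known, so that a value produced by ToObjectOrNull is recorded like any other nursery pointer.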
Updated•10 years ago
status-firefox35:
--- → unaffected
status-firefox-esr31:
--- → unaffected
Updated•10 years ago
Blocks: 1091329
Keywords: regression
Updated•10 years ago
Attachment #8520213 -
Flags: review?(nmatsakis) → review+
Comment 6•10 years ago
Comment on attachment 8520213 [details] [diff] [review]
patch

Review of attachment 8520213 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/IonBuilder.cpp
@@ +11332,5 @@
> break;
> case ReferenceTypeDescr::TYPE_OBJECT:
> + // Note: post barriers for object writes are added by the instruction's
> + // type policy, which may insert ToObjectOrNull instructions that
> + // affect whether a post barrier is needed.

I think this comment could be clarified. Something like:

// Note: We cannot necessarily tell at this point whether a post barrier is
// needed, because the type policy may insert ToObjectOrNull instructions
// later, and those may require a post barrier. Therefore, defer the
// insertion of post barriers to the type policy.
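Review bot: the added comment at IonBuilder.cpp:11332 attributes the post barrier to "the instruction's type policy" without naming which policy performs the insertion or why deferring is safe; the wording proposed in this review covers the why, so take it and add the policy's name so a reader can find the code that now owns the barrier. Since the bug only manifests when ToObjectOrNull yields a nursery object immediately before a minorgc (comment 0, comment 5), also land the reporter's testcase as a jit-test alongside this change so that path stays covered.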
Assignee
Comment 7•10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/746283622967
Updated•10 years ago
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.2:
--- → affected
status-firefox34:
--- → unaffected
Comment 8•10 years ago
https://hg.mozilla.org/mozilla-central/rev/746283622967
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Reporter
Updated•10 years ago
Status: RESOLVED → VERIFIED
Crash Signature: [@ compartment]
[@ ObjectType] → [@ compartment]
[@ ObjectType]
Reporter
Comment 9•10 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•9 years ago
Crash Signature: [@ compartment]
[@ ObjectType] → [@ compartment]
[@ ObjectType]
Updated•9 years ago
Group: core-security