Closed Bug 1102547 Opened 10 years ago Closed 9 years ago

CompactingGC: Crash [@ ??] (Instruction testl $0x3f,...)

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 1101576
People: Reporter: decoder, Unassigned
Keywords: crash, testcase, Whiteboard: [jsbugmon:ignore]

The following testcase crashes on mozilla-central revision aa72ddfe9f93 (build with --enable-gccompacting --disable-debug --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal, run with --fuzzing-safe --thread-count=2 --ion-regalloc=backtracking --ion-eager --ion-offthread-compile=off):

function strings()
{
  var a = [], b = -1;
  var s = "abcdefghij", s2 = "a";
  for (var i = 0; i < 10; i++) {
    a[i] = (s.substring(i, i+1) + s[i] + String.fromCharCode(s2.charCodeAt(0) + i)).concat(i) + i;
  }
}
assertEq(strings(), "aaa00,bbb11,ccc22,ddd33,eee44,fff55,ggg66,hhh77,iii88,jjj991019100");
Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f849e43b078 in ?? ()
To enable execution of this file add
	add-auto-load-safe-path js/src/shell/js-gdb.gdb
line to your configuration file "/home/decoder/.gdbinit".
To completely disable this security protection add
	set auto-load safe-path /
line to your configuration file "/home/decoder/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
	info "(gdb)Auto-loading safe path"
#0  0x00007f849e43b078 in ?? ()
[...]
#28 0x0000000000000000 in ?? ()
rax	0x9e30f140	140207566418240
rbx	0x9e30e033	140207566413875
rcx	0x3	3
rdx	0x2	2
rsi	0x9e30f149	140207566418249
rdi	0x63	99
rbp	0x0	0
rsp	0x8d613d08	140735565348104
r8	0x1	1
r9	0x2	2
r10	0x0	0
r11	0x1fff1	131057
r12	0x2	2
r13	0x0	-2111062325329920
r14	0x2	-2111062325329918
r15	0x1	-2111062325329919
rip	0x9e43b078	140207567646840
=> 0x7f849e43b078:	testl  $0x3f,(%rdi)
   0x7f849e43b07e:	je     0x7f849e43b7d4


Not s-s because compacting GC is not enabled yet in any builds.

Not sure if this still reproduces, but since this is compacting GC, moving on to :jonco.
Flags: needinfo?(jcoppeard)

This testcase doesn't trigger compacting GC, so I don't think this is related (also we don't compact strings).

Dan, could this be related to use of the backtracking allocator?
Flags: needinfo?(jcoppeard) → needinfo?(sunfish)

It looks related to LSubstr codegen, and it looks like it may have been fixed by bug 1101576, though I don't currently have access to that bug. Specifically, patch 43aceb996c3b appears to have either the fix or something closely related.
Group: core-security
Flags: needinfo?(sunfish)

I've verified that this crash was fixed by changeset 43aceb996c3b.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release