Crash [@ FromExecutable] or Crash with glibc-abort with TypedObject

RESOLVED DUPLICATE of bug 1102608

Status

Severity: critical
Reported: 4 years ago
Last modified: 3 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {crash, sec-critical, testcase})

Version: Trunk
Platform: x86_64 Linux
Keywords: crash, sec-critical, testcase

Firefox Tracking Flags

(firefox36 affected)

Details

(Whiteboard: [jsbugmon:update,ignore], crash signature)

(Reporter)

Description

4 years ago
The following testcase crashes on mozilla-central revision 134d1cfc5c9c (build with --disable-debug --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal, run with --fuzzing-safe --thread-count=2 --ion-eager):

var { uint8, uint32 } = TypedObject;
function test() {
    var Uints = uint32.array(2000, 0, 1, 0, 0, 0, 0);
    var Uint8s = uint8.array(1024);
    var uint32s = new Uints();
    (function(m) Uint8s.fromPar(uint32s, function(e) e + 1))();
}
test();


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  FromExecutable (buffer=<optimized out>)
    at js/src/jit/IonCode.h:130
130	        JitCode *code = *(JitCode **)(buffer - sizeof(JitCode *));
#0  FromExecutable (buffer=<optimized out>) at js/src/jit/IonCode.h:130
#1  jitCode (this=<optimized out>) at js/src/jit/BaselineIC.h:756
#2  markCode (name=0xae1d6b "baseline-stub-jitcode", trc=0x2c8ead0, this=this@entry=0x3361d68) at js/src/jit/BaselineIC.cpp:151
#3  js::jit::ICStub::trace (this=this@entry=0x3361d68, trc=trc@entry=0x2c8ead0) at js/src/jit/BaselineIC.cpp:168
#4  0x00000000005737db in js::jit::BaselineScript::trace (this=0x3362040, trc=0x2c8ead0) at js/src/jit/BaselineJIT.cpp:409
#5  0x000000000057382e in js::jit::BaselineScript::Trace (trc=<optimized out>, script=<optimized out>) at js/src/jit/BaselineJIT.cpp:426
#6  0x00000000005e49d6 in js::jit::TraceIonScripts (trc=<optimized out>, script=<optimized out>) at js/src/jit/Ion.cpp:3179
#7  0x00000000007578df in JSScript::markChildren (this=<optimized out>, trc=<optimized out>) at js/src/jsscript.cpp:3457


This test also crashes with glibc aborts (double-free/memory corruption), so assuming s-s and sec-critical.
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
(Reporter)

Comment 1

4 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 6309710dd71d).
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cdfa7492569f
user:        Tim Taubert
date:        Fri Nov 07 14:56:30 2014 +0100
summary:     Bug 1077652 - Simplify about:newtab page update mechanism and correct behavior to work better with preloading r=gijs

This iteration took 286.226 seconds to run.
(Reporter)

Comment 2

4 years ago
Bisection is probably broken because this test is intermittent. Needinfo from bhackett because it might be related to one of the other failures we've been seeing with TypedObject.
Flags: needinfo?(bhackett1024)
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Duplicate of bug: 1102608
Group: core-security