Closed Bug 1109907 Opened 10 years ago Closed 10 years ago

Crash [@ __memset_sse2] with TypedObject

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED, target milestone mozilla37
Tracking Status: firefox37 --- affected

People: Reporter: decoder, Assigned: bhackett1024

Details: Keywords: crash, regression, testcase; Whiteboard: [jsbugmon:]

Attachments: 1 file

The following testcase crashes on mozilla-central revision d7c76fe69e9a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):

// Leave only 4 KiB of GC heap headroom, so allocations start failing almost at once.
gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
// A 3-element uint16 array type: each instance is 6 bytes of inline data.
var Vec3u16Type = TypedObject.uint16.array(3);
function foo_u16(n) {
    var i = 0;
    // Every call allocates a fresh typed object; the one that hits OOM is the crash.
    var vec = new Vec3u16Type([i, i+1, i+2]);
    // No base case: the recursion keeps allocating until OOM (or "too much recursion").
    foo_u16(n - 1);
}
foo_u16(100);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
__memset_sse2 () at ../sysdeps/x86_64/multiarch/../memset.S:467
#0  __memset_sse2 () at ../sysdeps/x86_64/multiarch/../memset.S:467
#1  0x00000000004e3e34 in size (this=(const js::TypeDescr * const) 0x7ffff597a680 [object ArrayType]) at /usr/include/x86_64-linux-gnu/bits/string3.h:85
#2  js::TypeDescr::initInstances (this=<optimized out>, rt=<optimized out>, mem=0x10 <Address 0x10 out of bounds>, length=1) at js/src/builtin/TypedObject.cpp:3157
#3  0x00000000004e407f in js::TypedObject::createZeroed (cx=0x1a0d320, descr=(js::TypeDescr * const) 0x7ffff597a680 [object ArrayType], length=<optimized out>, heap=js::gc::DefaultHeap) at js/src/builtin/TypedObject.cpp:1658
#4  0x00000000004e5ffc in js::TypedObject::construct (cx=0x1a0d320, argc=1, vp=0x7fffffff66c0) at js/src/builtin/TypedObject.cpp:2607
#5  0x00007ffff58e0dd4 in ?? ()
#6  0x00007ffff595b120 in ?? ()
#7  0x00007fffffff6698 in ?? ()
#8  0x00007fffffffcb10 in ?? ()
#9  0x0000000000000000 in ?? ()
rax	0x10	16
rbx	0x7ffff597a680	140737313744512
rcx	0x24e	590
rdx	0x0	0
rsi	0x0	0
rdi	0x16	22
rbp	0x7fffffff64e0	140737488315616
rsp	0x7fffffff64b8	140737488315576
r8	0x6	6
r9	0x101010101010101	72340172838076673
r10	0x1	1
r11	0x7ffff6c58c2a	140737333529642
r12	0x10	16
r13	0x7fffffff66c0	140737488316096
r14	0x7fffffff65b0	140737488315824
r15	0x0	0
rip	0x7ffff6c58c2a <__memset_sse2+666>
=> 0x7ffff6c58c2a <__memset_sse2+666>:	mov    %edx,-0x6(%rdi)
   0x7ffff6c58c2d <__memset_sse2+669>:	mov    %dx,-0x2(%rdi)

I'm not exactly sure if we had this one filed somewhere already, but I wasn't able to find it for now.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Needinfo from Brian, since it's TypedObject. This is one of the topcrashers in fuzzing.
Flags: needinfo?(bhackett1024)
Attached patch: patch
Missing check for OOM.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8536515 - Flags: review?(nmatsakis)
Attachment #8536515 - Flags: review?(nmatsakis) → review+
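The backtrace is consistent with the one-line patch summary: TypedObject::createZeroed hands TypeDescr::initInstances mem=0x10 with length=1, and memset's rdi=0x16 is exactly 6 bytes past that, the size of one uint16.array(3) instance, so the zero-fill ran through a pointer derived from an allocation that had already failed. The C below is an added illustration of that bug class and of the check that closes it; it is not SpiderMonkey code and not the attached patch, and every Toy* name, the g_fail_next_alloc switch and the data layout are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of a typed object (hypothetical names, not SpiderMonkey's):
 * zero-filled element storage follows a small header. An instance_size of 6
 * matches TypedObject.uint16.array(3) from the testcase.
 */
typedef struct {
    size_t instance_size;        /* bytes per instance: 6 for 3 x uint16 */
} ToyTypeDescr;

typedef struct {
    size_t length;               /* number of instances stored inline */
    uint8_t data[];              /* element storage, zeroed on success */
} ToyTypedObject;

/* Stand-in for the GC allocation: fails once when told to, the way the real
 * allocator fails after gcparam("maxBytes", ...) removes the heap headroom. */
static bool g_fail_next_alloc = false;

static void *toy_alloc(size_t bytes) {
    if (g_fail_next_alloc) {
        g_fail_next_alloc = false;
        return NULL;             /* OOM */
    }
    return malloc(bytes);
}

/* Zero-fill `length` instances at `mem`: for a plain numeric array type this is
 * a single memset of instance_size * length bytes, as in frame #2 above. */
static void toy_init_instances(const ToyTypeDescr *descr, void *mem, size_t length) {
    memset(mem, 0, descr->instance_size * length);
}

/*
 * Shape of the crash: nothing checks the allocation before the memset. On OOM
 * `obj` is NULL, `obj->data` is a small bogus address (compare mem=0x10 in the
 * backtrace), and memset faults. Kept for comparison only; never call it with
 * g_fail_next_alloc set.
 */
ToyTypedObject *create_zeroed_unchecked(const ToyTypeDescr *descr, size_t length) {
    ToyTypedObject *obj = toy_alloc(sizeof *obj + descr->instance_size * length);
    toy_init_instances(descr, obj->data, length);   /* BUG: obj may be NULL */
    obj->length = length;
    return obj;
}

/* Hardened form: reject size overflow, then report OOM to the caller instead
 * of dereferencing a failed allocation. */
ToyTypedObject *create_zeroed(const ToyTypeDescr *descr, size_t length) {
    if (descr->instance_size != 0 && length > SIZE_MAX / descr->instance_size)
        return NULL;             /* instance_size * length would overflow */
    size_t payload = descr->instance_size * length;
    if (payload > SIZE_MAX - sizeof(ToyTypedObject))
        return NULL;             /* header + payload would overflow */
    ToyTypedObject *obj = toy_alloc(sizeof *obj + payload);
    if (obj == NULL)
        return NULL;             /* the missing OOM check */
    obj->length = length;
    toy_init_instances(descr, obj->data, length);
    return obj;
}

/* True if every inline byte of `obj` is zero; verifies the zero-fill. */
bool toy_is_zeroed(const ToyTypeDescr *descr, const ToyTypedObject *obj) {
    for (size_t i = 0; i < descr->instance_size * obj->length; i++)
        if (obj->data[i] != 0)
            return false;
    return true;
}

int main(void) {
    ToyTypeDescr vec3u16 = { 6 };

    g_fail_next_alloc = true;                 /* simulate the OOM from the testcase */
    ToyTypedObject *obj = create_zeroed(&vec3u16, 1);
    if (obj != NULL)
        return 1;                             /* expected: OOM reported, no crash */

    obj = create_zeroed(&vec3u16, 100);       /* normal path: 100 zeroed 6-byte instances */
    int rc = (obj != NULL && toy_is_zeroed(&vec3u16, obj)) ? 0 : 1;
    free(obj);
    return rc;
}
```

The overflow checks are not what this bug was about, but they belong next to any OOM check on a size computed from attacker-influenced length and element size: an under-sized allocation that succeeds is worse than one that fails, because the following memset then runs off the end of a live buffer instead of faulting on a null-derived address.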
https://hg.mozilla.org/mozilla-central/rev/752e55372986
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37