Closed Bug 1117100 Opened 10 years ago Closed 10 years ago

Crash [@ js::jit::TypedObjectPrediction::addDescr]

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED DUPLICATE of bug 1113744
Tracking Status: firefox37 --- affected

People: Reporter: decoder, Unassigned

Details: 5 keywords, Whiteboard: [jsbugmon:update,ignore]

Crash Data
The following testcase crashes on mozilla-central revision 13fe5ad0364d (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

gczeal(2,10);
var { uint8, uint32 } = TypedObject;
function test(serialize) {
  var L = 1024;
  var Uints = uint32.array(L);
  var Uint8s = uint8.array(L);
  var uint32s = new Uints();
  (function( uint8 = "tsu" ) Uint8s.fromPar(uint32s, function(e) e + 1))();
}
for (var i = 0; i < 10; i++) {
  test();
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::TypedObjectPrediction::addDescr (this=0x7fffffff9d40, descr=...) at js/src/jit/TypedObjectPrediction.cpp:73
73        if (descr.kind() != data_.descr->kind())
#0  js::jit::TypedObjectPrediction::addDescr (this=0x7fffffff9d40, descr=...) at js/src/jit/TypedObjectPrediction.cpp:73
#1  0x000000000063258b in js::jit::IonBuilder::typedObjectPrediction (this=<optimized out>, types=0x1810400) at js/src/jit/IonBuilder.cpp:11477
#2  0x0000000000668915 in typedObjectPrediction (typedObj=0x1824268, this=0x180fb38) at js/src/jit/IonBuilder.cpp:11454
#3  js::jit::IonBuilder::getElemTryTypedObject (this=0x180fb38, emitted=0x7fffffff9e5f, obj=<optimized out>, index=0x1820cd0) at js/src/jit/IonBuilder.cpp:7381
#4  0x0000000000668b99 in js::jit::IonBuilder::jsop_getelem (this=0x180fb38) at js/src/jit/IonBuilder.cpp:7336
#5  0x000000000066b5ea in js::jit::IonBuilder::inspectOpcode (this=0x180fb38, op=<optimized out>) at js/src/jit/IonBuilder.cpp:1754
#6  0x000000000066c064 in js::jit::IonBuilder::traverseBytecode (this=0x180fb38) at js/src/jit/IonBuilder.cpp:1345
#7  0x000000000066c988 in build (this=0x180fb38) at js/src/jit/IonBuilder.cpp:762
#8  js::jit::IonBuilder::build (this=0x180fb38) at js/src/jit/IonBuilder.cpp:660
#9  0x0000000000678b7a in IonCompile (optimizationLevel=js::jit::Optimization_Normal, recompile=false, executionMode=<optimized out>, constructing=<optimized out>, osrPc=<optimized out>, baselineFrame=<optimized out>, script=<optimized out>, cx=0x1728e30) at js/src/jit/Ion.cpp:1975
#10 js::jit::Compile (cx=0x1728e30, script=..., osrFrame=<optimized out>, osrPc=<optimized out>, constructing=<optimized out>, executionMode=<optimized out>, forceRecompile=false) at js/src/jit/Ion.cpp:2173
#11 0x0000000000679085 in js::jit::CanEnterInParallel (cx=0x1728e30, script=...) at js/src/jit/Ion.cpp:2384
#12 0x00000000008b8ca5 in js::ForkJoinOperation::compileForParallelExecution (this=0x7fffffffa3f0, status=0x7fffffffa340) at js/src/vm/ForkJoin.cpp:685
#13 0x00000000008b9146 in js::ForkJoinOperation::apply (this=0x7fffffffa3f0) at js/src/vm/ForkJoin.cpp:551
#14 0x00000000008b93f1 in js::ForkJoin (cx=0x1728e30, args=...) at js/src/vm/ForkJoin.cpp:406
#15 0x00000000008d680b in intrinsic_ForkJoin (cx=<optimized out>, argc=<optimized out>, vp=0x7fffffffa638) at js/src/vm/SelfHosting.cpp:368
#16 0x00007ffff46f2374 in ?? ()
#17 0x0000000001728e80 in ?? ()
#18 0x00007fffffffa610 in ?? ()
#19 0x0000000000000000 in ?? ()
rax            0xc                 12
rbx            0x7ffff47a9040      140737295061056
rcx            0x4b4b4b4b4b4b4b4b  5425512962855750475
rdx            0x7ffff477d480      140737294881920
rsi            0x7ffff477d580      140737294882176
rdi            0x7fffffff9d40      140737488330048
rbp            0x2                 2
rsp            0x7fffffff9d20      140737488330016
r8             0x4                 4
r9             0x1c                28
r10            0x1810240           25231936
r11            0x1c                28
r12            0x7fffffff9dd0      140737488330192
r13            0x1810400           25232384
r14            0x167c0a0           23576736
r15            0x167c3a0           23577504
rip            0x70af82            <js::jit::TypedObjectPrediction::addDescr(js::TypeDescr const&)+98>
=> 0x70af82 <js::jit::TypedObjectPrediction::addDescr(js::TypeDescr const&)+98>:  cmp    (%rcx),%r8d
   0x70af85 <js::jit::TypedObjectPrediction::addDescr(js::TypeDescr const&)+101>: je     0x70b000 <js::jit::TypedObjectPrediction::addDescr(js::TypeDescr const&)+224>

I was actually pretty sure that we had a bug with this signature on file but I was not able to find it (neither in Bugzilla nor in FuzzManager).

Filing now and marking s-s and sec-critical because this looks like a use-after-free to me.
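What makes the register dump above read as a use-after-free is visible in two lines: the faulting instruction `cmp (%rcx),%r8d` reads through rcx, and rcx holds 0x4b4b4b4b4b4b4b4b, one byte repeated across the whole word, which is what memory looks like after an allocator or GC sweep poisons it on free rather than what a live object pointer looks like. The triage script below is an added example, not part of this bug report or of SpiderMonkey: it parses a gdb register dump plus the `=>`-marked faulting instruction in the format shown above, finds which registers the instruction dereferences, and flags repeated-byte (poisoned) and near-null values. The gdb text embedded in it is copied from comment 0 with column whitespace normalised; the regexes assume gdb's `info registers` / `x/i $pc` layout, and the poisoned-pointer rule is a general triage heuristic, not a statement about this particular bug's root cause.

```python
import re

# gdb register dump and faulting instruction, copied from comment 0 above
# (column whitespace normalised to spaces so the sample reads cleanly).
GDB_OUTPUT = """\
rax            0xc                 12
rbx            0x7ffff47a9040      140737295061056
rcx            0x4b4b4b4b4b4b4b4b  5425512962855750475
rdx            0x7ffff477d480      140737294881920
rsi            0x7ffff477d580      140737294882176
rdi            0x7fffffff9d40      140737488330048
rbp            0x2                 2
rsp            0x7fffffff9d20      140737488330016
r8             0x4                 4
r9             0x1c                28
r10            0x1810240           25231936
r11            0x1c                28
r12            0x7fffffff9dd0      140737488330192
r13            0x1810400           25232384
r14            0x167c0a0           23576736
r15            0x167c3a0           23577504
rip            0x70af82            0x70af82 <js::jit::TypedObjectPrediction::addDescr(js::TypeDescr const&)+98>
=> 0x70af82 <js::jit::TypedObjectPrediction::addDescr(js::TypeDescr const&)+98>:  cmp    (%rcx),%r8d
   0x70af85 <js::jit::TypedObjectPrediction::addDescr(js::TypeDescr const&)+101>: je     0x70b000 <js::jit::TypedObjectPrediction::addDescr(js::TypeDescr const&)+224>
"""

REG_LINE = re.compile(r"^(r[a-z0-9]+)\s+0x([0-9a-f]+)\b")
# "=> 0xADDR <symbol+off>:  mnemonic operands" is how gdb marks $pc in x/i output.
FAULT_LINE = re.compile(r"^=>\s+0x[0-9a-f]+\s+<.*?>:\s+(\S+)\s+(.*\S)\s*$")
MEM_OPERAND = re.compile(r"\(%([a-z0-9]+)")  # AT&T base register: (%rcx), 8(%rax,%rbx,4)


def parse_registers(text):
    """Map register name -> integer value from an `info registers` dump."""
    regs = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def faulting_instruction(text):
    """Return (mnemonic, operands) for the instruction gdb marks with '=>', or None."""
    for line in text.splitlines():
        m = FAULT_LINE.match(line)
        if m:
            return m.group(1), m.group(2)
    return None


def is_repeated_byte(value, width=8):
    """True if every byte of the word is the same non-zero byte (a 0x4b4b... style fill)."""
    if value < 0 or value >= 1 << (8 * width):
        return False
    b = value.to_bytes(width, "little")
    return len(set(b)) == 1 and b[0] != 0


def access_kind(mnemonic, operands):
    """Heuristic read/write split: AT&T syntax puts the destination last; cmp/test only read."""
    if mnemonic.startswith(("cmp", "test")):
        return "read"
    return "write" if operands.rstrip().endswith(")") else "read"


def classify_crash(text):
    """Explain a SIGSEGV from a gdb dump: which register was dereferenced and what it held."""
    regs = parse_registers(text)
    insn = faulting_instruction(text)
    if insn is None:
        return {"verdict": "no faulting instruction found", "findings": []}
    mnemonic, operands = insn
    findings = []
    for reg in MEM_OPERAND.findall(operands):
        value = regs.get(reg)
        if value is None:
            continue
        if value < 0x1000:
            kind = "null"        # low addresses are unmapped: plain null/near-null deref
        elif is_repeated_byte(value):
            kind = "poisoned"    # free-poison fill: the object was released before this use
        else:
            kind = "unremarkable"
        findings.append({"reg": reg, "value": value, "kind": kind})
    verdict = ("likely use-after-free" if any(f["kind"] == "poisoned" for f in findings)
               else "null-pointer dereference" if any(f["kind"] == "null" for f in findings)
               else "unclassified")
    return {"mnemonic": mnemonic, "operands": operands,
            "access": access_kind(mnemonic, operands),
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    report = classify_crash(GDB_OUTPUT)
    print(f"{report['mnemonic']} {report['operands']}  ({report['access']})")
    for f in report["findings"]:
        print(f"  {f['reg']} = {f['value']:#018x}  -> {f['kind']}")
    print("verdict:", report["verdict"])
```

Run as-is it reports `cmp (%rcx),%r8d (read)`, `rcx = 0x4b4b4b4b4b4b4b4b -> poisoned` and the verdict `likely use-after-free`. The read/write distinction is worth keeping in a triage tool because a write through a stale pointer is a different severity conversation from a read, and the near-null branch separates ordinary null dereferences from the poisoned-pointer case that motivated the sec-critical rating here.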
(In reply to Christian Holler (:decoder) from comment #0)
> I was actually pretty sure that we had a bug with this signature on file but
> I was not able to find it (neither in Bugzilla nor in FuzzManager).

Maybe bug 1113744 or bug 1113150 that got duped to it?
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/46ae5134ab00
user:        Brian Hackett
date:        Fri Dec 12 13:36:56 2014 -0700
summary:     Bug 1107226 - Share prototype objects for typed object arrays with the same element type, r=nmatsakis.

This iteration took 344.279 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 206205dd8bd1).
It looks like some combination of PJS and typed object here, so I'm going to mark this as depending on the removal of PJS.
Depends on: removepjs
Blocks: 1107226
Brian, does this look like something you've fixed somewhere so we can close this?
Flags: needinfo?(bhackett1024)
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Thanks for cleaning up these bugs!
Group: core-security → core-security-release
Group: core-security-release