Closed Bug 1117100 Opened 9 years ago Closed 9 years ago

Crash [@ js::jit::TypedObjectPrediction::addDescr]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1113744
Tracking Flags:
Tracking Status
firefox37 --- affected

People

(Reporter: decoder, Unassigned)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update,ignore])

Crash Data

The following testcase crashes on mozilla-central revision 13fe5ad0364d (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

gczeal(2,10);
var { uint8, uint32 } = TypedObject;
function test(serialize) {
  var L = 1024;
  var Uints = uint32.array(L);
  var Uint8s = uint8.array(L);
  var uint32s = new Uints();
  (function( uint8 = "tsu" ) Uint8s.fromPar(uint32s, function(e) e + 1))();
}
for (var i = 0; i < 10; i++) {
  test();
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::TypedObjectPrediction::addDescr (this=0x7fffffff9d40, descr=...) at js/src/jit/TypedObjectPrediction.cpp:73
73	        if (descr.kind() != data_.descr->kind())
#0  js::jit::TypedObjectPrediction::addDescr (this=0x7fffffff9d40, descr=...) at js/src/jit/TypedObjectPrediction.cpp:73
#1  0x000000000063258b in js::jit::IonBuilder::typedObjectPrediction (this=<optimized out>, types=0x1810400) at js/src/jit/IonBuilder.cpp:11477
#2  0x0000000000668915 in typedObjectPrediction (typedObj=0x1824268, this=0x180fb38) at js/src/jit/IonBuilder.cpp:11454
#3  js::jit::IonBuilder::getElemTryTypedObject (this=0x180fb38, emitted=0x7fffffff9e5f, obj=<optimized out>, index=0x1820cd0) at js/src/jit/IonBuilder.cpp:7381
#4  0x0000000000668b99 in js::jit::IonBuilder::jsop_getelem (this=0x180fb38) at js/src/jit/IonBuilder.cpp:7336
#5  0x000000000066b5ea in js::jit::IonBuilder::inspectOpcode (this=0x180fb38, op=<optimized out>) at js/src/jit/IonBuilder.cpp:1754
#6  0x000000000066c064 in js::jit::IonBuilder::traverseBytecode (this=0x180fb38) at js/src/jit/IonBuilder.cpp:1345
#7  0x000000000066c988 in build (this=0x180fb38) at js/src/jit/IonBuilder.cpp:762
#8  js::jit::IonBuilder::build (this=0x180fb38) at js/src/jit/IonBuilder.cpp:660
#9  0x0000000000678b7a in IonCompile (optimizationLevel=js::jit::Optimization_Normal, recompile=false, executionMode=<optimized out>, constructing=<optimized out>, osrPc=<optimized out>, baselineFrame=<optimized out>, script=<optimized out>, cx=0x1728e30) at js/src/jit/Ion.cpp:1975
#10 js::jit::Compile (cx=0x1728e30, script=..., osrFrame=<optimized out>, osrPc=<optimized out>, constructing=<optimized out>, executionMode=<optimized out>, forceRecompile=false) at js/src/jit/Ion.cpp:2173
#11 0x0000000000679085 in js::jit::CanEnterInParallel (cx=0x1728e30, script=...) at js/src/jit/Ion.cpp:2384
#12 0x00000000008b8ca5 in js::ForkJoinOperation::compileForParallelExecution (this=0x7fffffffa3f0, status=0x7fffffffa340) at js/src/vm/ForkJoin.cpp:685
#13 0x00000000008b9146 in js::ForkJoinOperation::apply (this=0x7fffffffa3f0) at js/src/vm/ForkJoin.cpp:551
#14 0x00000000008b93f1 in js::ForkJoin (cx=0x1728e30, args=...) at js/src/vm/ForkJoin.cpp:406
#15 0x00000000008d680b in intrinsic_ForkJoin (cx=<optimized out>, argc=<optimized out>, vp=0x7fffffffa638) at js/src/vm/SelfHosting.cpp:368
#16 0x00007ffff46f2374 in ?? ()
#17 0x0000000001728e80 in ?? ()
#18 0x00007fffffffa610 in ?? ()
#19 0x0000000000000000 in ?? ()
rax	0xc	12
rbx	0x7ffff47a9040	140737295061056
rcx	0x4b4b4b4b4b4b4b4b	5425512962855750475
rdx	0x7ffff477d480	140737294881920
rsi	0x7ffff477d580	140737294882176
rdi	0x7fffffff9d40	140737488330048
rbp	0x2	2
rsp	0x7fffffff9d20	140737488330016
r8	0x4	4
r9	0x1c	28
r10	0x1810240	25231936
r11	0x1c	28
r12	0x7fffffff9dd0	140737488330192
r13	0x1810400	25232384
r14	0x167c0a0	23576736
r15	0x167c3a0	23577504
rip	0x70af82 <js::jit::TypedObjectPrediction::addDescr(js::TypeDescr const&)+98>
=> 0x70af82 <js::jit::TypedObjectPrediction::addDescr(js::TypeDescr const&)+98>:	cmp    (%rcx),%r8d
   0x70af85 <js::jit::TypedObjectPrediction::addDescr(js::TypeDescr const&)+101>:	je     0x70b000 <js::jit::TypedObjectPrediction::addDescr(js::TypeDescr const&)+224>


I was actually pretty sure that we had a bug with this signature on file but I was not able to find it (neither in Bugzilla nor in FuzzManager). Filing now and marking s-s and sec-critical because this looks like a use-after-free to me.
(In reply to Christian Holler (:decoder) from comment #0)
> I was actually pretty sure that we had a bug with this signature on file but
> I was not able to find it (neither in Bugzilla nor in FuzzManager).

Maybe bug 1113744 or bug 1113150 that got duped to it?
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/46ae5134ab00
user:        Brian Hackett
date:        Fri Dec 12 13:36:56 2014 -0700
summary:     Bug 1107226 - Share prototype objects for typed object arrays with the same element type, r=nmatsakis.

This iteration took 344.279 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 206205dd8bd1).
It looks like some combination of PJS and typed object here, so I'm going to mark this as depending on the removal of PJS.
Depends on: removepjs
Brian, does this look like something you've fixed somewhere so we can close this?
Flags: needinfo?(bhackett1024)
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Thanks for cleaning up these bugs!
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.