Closed
Bug 1127091
Opened 9 years ago
Closed 9 years ago
Crash with testcase involving SIMD at a weird memory address
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
 | Tracking | Status
---|---|---
firefox38 | --- | affected
People
(Reporter: gkw, Unassigned)
Details
(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:])
// Randomly chosen test: js/src/tests/ecma_7/SIMD/int32x4reify.js
var Array = SIMD.int32x4.array(2);
array = new Array([SIMD.int32x4(0, 0), SIMD.int32x4(0, 0)])
array[1];
array[1];

asserts js debug shell on m-c changeset 1daa622bbe42 with --fuzzing-safe --no-threads --ion-eager --no-sse4 at a weird memory address.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Due to skipped revisions, the first bad revision could be any of:

changeset: https://hg.mozilla.org/mozilla-central/rev/7c25be97325d
user: Nicolas B. Pierron
date: Mon Jan 19 14:30:13 2015 +0100
summary: Bug 1112159 part 1 - Add a testing function to check the stack alignment. r=bbouvier

changeset: https://hg.mozilla.org/mozilla-central/rev/a6472e110b2f
user: Nicolas B. Pierron
date: Mon Jan 19 14:30:13 2015 +0100
summary: Bug 1112159 part 2 - MacroAssembler::assertStackAlignment accepts an additional offset argument. r=bbouvier

changeset: https://hg.mozilla.org/mozilla-central/rev/d426154dd31d
user: Nicolas B. Pierron
date: Mon Jan 19 14:30:13 2015 +0100
summary: Bug 1112159 part 3 - Align x86/x64 entry frame. r=bbouvier

Setting s-s to be safe in case this is not just a null deref.

Setting [fuzzblocker] because this has no crash signature to ignore.

Nicolas, is bug 1112159 a likely regressor?
Flags: needinfo?(nicolas.b.pierron)
Updated•9 years ago
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:]
Comment 1•9 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 2•9 years ago
Process 88973 stopped
* thread #1: tid = 0x25c8f, 0x000000010408717b, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x000000010408717b
->  0x10408717b: movdqa (%rsp), %xmm0
    0x104087180: addq $0x10, %rsp
    0x104087184: movabsq $0x102027be4, %r11
    0x10408718e: cmpl $0x0, (%r11)
(lldb) bt
* thread #1: tid = 0x25c8f, 0x000000010408717b, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x000000010408717b
(lldb) dis -p
->  0x10408717b: movdqa (%rsp), %xmm0
    0x104087180: addq $0x10, %rsp
    0x104087184: movabsq $0x102027be4, %r11
    0x10408718e: cmpl $0x0, (%r11)
(lldb) register read $rsp
     rsp = 0x00007fff5fbfd9e8
(lldb) register read $xmm0
    xmm0 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
(lldb)
Comment 3•9 years ago
Unaligned memory access (sp is 8 bytes off -- last byte should be 0), this will safely crash in all builds (SIGBUS). Bug 1112159 is very probably the cause. I'll work on it after the asm.js alignment issue, unless Nicolas fixes it before I do.
Comment 4•9 years ago
I cannot reproduce this issue with a debug shell compiled on top of Bug 1112159 with Bug 1112163 and Bug 1112161 patches.
Flags: needinfo?(nicolas.b.pierron)
Updated•9 years ago
Group: core-security
Keywords: csectype-dos
Comment 5•9 years ago
Fixed by bug 1112163. The first good revision is:

changeset: 227699:729f09bc8d13
user: Nicolas B. Pierron <nicolas.b.pierron@mozilla.com>
date: Thu Feb 05 21:41:50 2015 +0100
summary: Bug 1112163 - Make Ion frame size a multiple of the JitStackAlignment. r=bbouvier
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED