1127091 - Crash with testcase involving SIMD at a weird memory address

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

// Randomly chosen test: js/src/tests/ecma_7/SIMD/int32x4reify.js
var Array = SIMD.int32x4.array(2);
array = new Array([SIMD.int32x4(0, 0), SIMD.int32x4(0, 0)])
array[1];
array[1];

asserts js debug shell on m-c changeset 1daa622bbe42 with --fuzzing-safe --no-threads --ion-eager --no-sse4 at a weird memory address.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7c25be97325d
user:        Nicolas B. Pierron
date:        Mon Jan 19 14:30:13 2015 +0100
summary:     Bug 1112159 part 1 - Add a testing function to check the stack alignment. r=bbouvier

changeset:   https://hg.mozilla.org/mozilla-central/rev/a6472e110b2f
user:        Nicolas B. Pierron
date:        Mon Jan 19 14:30:13 2015 +0100
summary:     Bug 1112159 part 2 - MacroAssembler::assertStackAlignment accepts an additional offset argument. r=bbouvier

changeset:   https://hg.mozilla.org/mozilla-central/rev/d426154dd31d
user:        Nicolas B. Pierron
date:        Mon Jan 19 14:30:13 2015 +0100
summary:     Bug 1112159 part 3 - Align x86/x64 entry frame. r=bbouvier

Setting s-s to be safe in case this is not just a null deref. Setting [fuzzblocker] because this has no crash signature to ignore.

Nicolas, is bug 1112159 a likely regressor?

Comment 1

[Christian Holler (:decoder)]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Process 88973 stopped
* thread #1: tid = 0x25c8f, 0x000000010408717b, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x000000010408717b
-> 0x10408717b:  movdqa (%rsp), %xmm0
   0x104087180:  addq   $0x10, %rsp
   0x104087184:  movabsq $0x102027be4, %r11
   0x10408718e:  cmpl   $0x0, (%r11)
(lldb) bt
* thread #1: tid = 0x25c8f, 0x000000010408717b, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x000000010408717b
(lldb) dis -p
-> 0x10408717b:  movdqa (%rsp), %xmm0
   0x104087180:  addq   $0x10, %rsp
   0x104087184:  movabsq $0x102027be4, %r11
   0x10408718e:  cmpl   $0x0, (%r11)
(lldb) register read $rsp
     rsp = 0x00007fff5fbfd9e8
(lldb) register read $xmm0
    xmm0 = {0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00}
(lldb)

Comment 3

[Benjamin Bouvier [:bbouvier] (inactive)]

Unaligned memory access (sp is 8 bytes off -- last byte should be 0), this will safely crash in all builds (SIGBUS).  Bug 1112159 is very probably the cause.  I'll work on it after the asm.js alignment issue, unless Nicolas fixes it before I do.

Comment 4

[Nicolas B. Pierron [:nbp]]

I cannot reproduce this issue with a debug shell compiled on top of Bug 11112159 with Bug 1112163 and Bug 1112161 patches.

Comment 5

[Benjamin Bouvier [:bbouvier] (inactive)]

Fixed by bug 1112163.

The first good revision is:
changeset:   227699:729f09bc8d13
user:        Nicolas B. Pierron <nicolas.b.pierron@mozilla.com>
date:        Thu Feb 05 21:41:50 2015 +0100
summary:     Bug 1112163 - Make Ion frame size a multiple of the JitStackAlignment. r=bbouvier