Closed Bug 1135794 Opened 9 years ago Closed 9 years ago

Crash [@ js::jit::SetPropertyIC::update]

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1135707
Tracking Status
firefox38 --- affected

People

(Reporter: decoder, Unassigned)

References

Details

(4 keywords, Whiteboard: [jsbugmon:])

Crash Data

The following testcase crashes on mozilla-central revision ed70d2025bee (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --disable-debug, run with --no-threads --ion-eager --arm-asm-nop-fill=1):

var y = -1;
this.__defineGetter__("x", gc);   // every read of the global x runs a GC
function f() {}
// the loop reads x (running gc) and then stores to it, exercising the SetPropertyIC
loadFile("gczeal(14); for (var j = 0; j < 99; ++j) x += f();");
function loadFile(lfVarx) {
    switch (y) {
        default:
            evaluate(lfVarx, { noScriptRval : true, compileAndGo : true });
    }
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::SetPropertyIC::update(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::Handle<JS::Value>) () at js/src/jit/IonCode.h:322
#0  js::jit::SetPropertyIC::update(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::Handle<JS::Value>) () at js/src/jit/IonCode.h:322
#1  0x08432cc9 in js::jit::Simulator::softwareInterrupt(js::jit::SimInstruction*) () at js/src/jit/arm/Simulator-arm.cpp:2158
#2  0x0843310c in js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) () at js/src/jit/arm/Simulator-arm.cpp:4177
#3  0x084357f4 in js::jit::Simulator::callInternal(unsigned char*) () at js/src/jit/arm/Simulator-arm.cpp:4232
#4  0x08435a06 in js::jit::Simulator::call(unsigned char*, int, ...) () at js/src/jit/arm/Simulator-arm.cpp:4403
#5  0x0839baa9 in js::jit::IonCannon(JSContext*, js::RunState&) () at js/src/jit/Ion.cpp:2336
#6  0x08198703 in js::RunScript(JSContext*, js::RunState&) () at js/src/vm/Interpreter.cpp:428
#7  0x0819ef22 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) () at js/src/vm/Interpreter.cpp:654
#8  0x0819f227 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) () at js/src/vm/Interpreter.cpp:691
#9  0x084d59a0 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) () at js/src/jsapi.cpp:3994
#10 0x0806a0d0 in Evaluate(JSContext*, unsigned int, JS::Value*) () at js/src/shell/js.cpp:1320
#11 0x0819889a in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) () at js/src/jscntxtinlines.h:226
#12 0x08198dec in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) () at js/src/vm/Interpreter.cpp:554
#13 0x08300f86 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) () at js/src/jit/BaselineIC.cpp:9561
#14 0x08432c09 in js::jit::Simulator::softwareInterrupt(js::jit::SimInstruction*) () at js/src/jit/arm/Simulator-arm.cpp:2172
#15 0x0843310c in js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) () at js/src/jit/arm/Simulator-arm.cpp:4177
#16 0x084357f4 in js::jit::Simulator::callInternal(unsigned char*) () at js/src/jit/arm/Simulator-arm.cpp:4232
#17 0x08435a06 in js::jit::Simulator::call(unsigned char*, int, ...) () at js/src/jit/arm/Simulator-arm.cpp:4403
#18 0x0839baa9 in js::jit::IonCannon(JSContext*, js::RunState&) () at js/src/jit/Ion.cpp:2336
#19 0x08198703 in js::RunScript(JSContext*, js::RunState&) () at js/src/vm/Interpreter.cpp:428
#20 0x08198817 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) () at js/src/vm/Interpreter.cpp:517
#21 0x08198dec in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) () at js/src/vm/Interpreter.cpp:554
#22 0x08300f86 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) () at js/src/jit/BaselineIC.cpp:9561
#23 0x08432c09 in js::jit::Simulator::softwareInterrupt(js::jit::SimInstruction*) () at js/src/jit/arm/Simulator-arm.cpp:2172
#24 0x0843310c in js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) () at js/src/jit/arm/Simulator-arm.cpp:4177
#25 0x084357f4 in js::jit::Simulator::callInternal(unsigned char*) () at js/src/jit/arm/Simulator-arm.cpp:4232
#26 0x08435a06 in js::jit::Simulator::call(unsigned char*, int, ...) () at js/src/jit/arm/Simulator-arm.cpp:4403
#27 0x0829327a in EnterBaseline(JSContext*, js::jit::EnterJitData&) () at js/src/jit/BaselineJIT.cpp:122
#28 0x082bf3c9 in js::jit::EnterBaselineMethod(JSContext*, js::RunState&) () at js/src/jit/BaselineJIT.cpp:154
#29 0x08198655 in js::RunScript(JSContext*, js::RunState&) () at js/src/vm/Interpreter.cpp:438
#30 0x0819ef22 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) () at js/src/vm/Interpreter.cpp:654
#31 0x0819f227 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) () at js/src/vm/Interpreter.cpp:691
#32 0x084d59a0 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) () at js/src/jsapi.cpp:3994
#33 0x0804b680 in Process(JSContext*, JSObject*, char const*, bool) () at js/src/shell/js.cpp:454
#34 0x0805941d in main () at js/src/shell/js.cpp:5604
eax	0x0	0
ebx	0x9329458	154309720
ecx	0xf68febfc	-158340100
edx	0xffffaf48	-20664
esi	0x9385500	154686720
edi	0x155	341
ebp	0x9386190	154689936
esp	0xffffaeb0	4294946480
eip	0x8386ec5 <js::jit::SetPropertyIC::update(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::Handle<JS::Value>)+245>
=> 0x8386ec5 <_ZN2js3jit13SetPropertyIC6updateEP9JSContextjN2JS6HandleIP8JSObjectEENS5_INS4_5ValueEEE+245>:	add    0x28(%eax),%eax
   0x8386ec8 <_ZN2js3jit13SetPropertyIC6updateEP9JSContextjN2JS6HandleIP8JSObjectEENS5_INS4_5ValueEEE+248>:	add    0x164(%esp),%eax


Marking s-s for now because the test uses gc.
Is the bisector broken?
Flags: needinfo?(choller)
Yes. JSBugMon is (was) running on fuzzer-linux2, that machine is currently down per bug 1134152.
Flags: needinfo?(choller)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Looks like --arm-asm-nop-fill support was missing in JSBugMon. Trying once more.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7584b643e7e9
user:        Shu-yu Guo
date:        Wed Jan 07 01:18:42 2015 -0800
summary:     Bug 1118038 - Remove JIT parts of PJS. (r=lth)

This iteration took 235.055 seconds to run.
Blocks: 1118038
Flags: needinfo?(shu)
I cannot reproduce this.
Flags: needinfo?(shu)
(In reply to Shu-yu Guo [:shu] from comment #7)
> I cannot reproduce this.

Scratch that, I can reproduce this, forgot to run with --arm-asm-nop-fill=1.
I asked Marty to take a look at this. He identified a bug with using masm.offset() and constant pools. Redirecting NI to him.
Flags: needinfo?(mrosenberg)
Naveed, is there somebody who can look at this? Thanks.
Flags: needinfo?(marty.rosenberg) → needinfo?(nihsanullah)
Flags: needinfo?(nihsanullah)
Keywords: sec-high
Group: javascript-core-security
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b9424d63fe35).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, failed due to error (try manually).
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9571f765357d
user:        Jon Coppeard
date:        Wed May 20 10:30:46 2015 +0100
summary:     Bug 1135707 - Fix interaction between Arm NOP fill and calculation of IonCache rejoin label r=jandem

Jon, is bug 1135707 a likely fix?
Flags: needinfo?(jcoppeard)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #13)

Yes, this looks like the same issue.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: javascript-core-security, core-security-release