Bug 1180064 - Crash [@ PodAssign<js::jit::Pool>] with OOM
Status: Closed
Opened 9 years ago, closed 9 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Assigned: nbp
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [jsbugmon:update,bisect][fuzzblocker][adv-main44+]
Attachments (1 file): patch, 1.20 KB, jolesen: review+
The following testcase crashes on mozilla-central revision f5e3bacfb60e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --fuzzing-safe --thread-count=2 --arm-asm-nop-fill=1 --arm-hwcap=vfp --ion-check-range-analysis --ion-extra-checks --ion-offthread-compile=off):

function oomTest(f) {
  var i = 1;
  do {
    try {
      oomAtAllocation(i);
      f();
    } catch (e) { }
    more = resetOOMFailure();
    i++;
  } while(more);
}
oomTest(function() {
  newGlobal('================================================================')
});

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x08696290 in PodAssign<js::jit::Pool> (aSrc=0xffffa718, aDst=<optimized out>) at ../../dist/include/mozilla/PodOperations.h:87
#0 0x08696290 in PodAssign<js::jit::Pool> (aSrc=0xffffa718, aDst=<optimized out>) at ../../dist/include/mozilla/PodOperations.h:87
#1 PodCopy<js::jit::Pool> (aNElem=1, aSrc=0xffffa718, aDst=<optimized out>) at ../../dist/include/mozilla/PodOperations.h:107
#2 js::jit::AssemblerBufferWithConstantPools<1024u, 4u, js::jit::Instruction, js::jit::Assembler>::finishPool (this=0xffffa6c8) at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:723
#3 0x08696728 in js::jit::AssemblerBufferWithConstantPools<1024u, 4u, js::jit::Instruction, js::jit::Assembler>::insertEntryForwards (this=this@entry=0xffffa6c8, numInst=numInst@entry=1, numPoolEntries=numPoolEntries@entry=0, inst=inst@entry=0xffff9fc0 "\377\377\377\352|Ą\t\350\237\377\377\220\202b\b\v", data=data@entry=0x0) at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:545
#4 0x0864ee3a in js::jit::AssemblerBufferWithConstantPools<1024u, 4u, js::jit::Instruction, js::jit::Assembler>::allocEntry (this=this@entry=0xffffa6c8, inst=inst@entry=0xffff9fc0 "\377\377\377\352|Ą\t\350\237\377\377\220\202b\b\v", markAsBranch=markAsBranch@entry=false, pe=0x0, data=0x0, numPoolEntries=0, numInst=1) at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:588
#5 0x0864fe45 in putInt (markAsBranch=false, value=3942645759, this=0xffffa6c8) at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:610
#6 insertNopFill (this=0xffffa6c8) at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:508
#7 allocEntry (numInst=1, numPoolEntries=0, data=0x0, pe=0x0, markAsBranch=false, inst=0xffff9fb0 "", this=0xffffa6c8) at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:571
#8 putInt (markAsBranch=false, value=3852009472, this=0xffffa6c8) at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:610
#9 js::jit::Assembler::writeInst (this=this@entry=0xffffa4cc, x=3852009472) at js/src/jit/arm/Assembler-arm.cpp:1352
#10 0x0865d8c8 in as_dtr (c=<optimized out>, addr=..., rt=..., mode=<optimized out>, size=<optimized out>, ls=<optimized out>, this=<optimized out>) at js/src/jit/arm/Assembler-arm.cpp:1667
#11 js::jit::MacroAssemblerARM::ma_dataTransferN (this=this@entry=0xffffa4cc, ls=js::jit::IsLoad, rn=..., offset=offset@entry=..., rt=..., mode=mode@entry=js::jit::Offset, cc=cc@entry=js::jit::Assembler::Always, IsSigned=true, size=32) at js/src/jit/arm/MacroAssembler-arm.cpp:1268
#12 0x0865f1bd in js::jit::MacroAssemblerARM::ma_dtr (this=this@entry=0xffffa4cc, rt=..., rt@entry=..., addr=..., mode=mode@entry=js::jit::Offset, cc=cc@entry=js::jit::Assembler::Always, ls=js::jit::IsLoad) at js/src/jit/arm/MacroAssembler-arm.cpp:1075
#13 0x0865f9d7 in ma_ldr (cc=js::jit::Assembler::Always, mode=js::jit::Offset, rt=..., addr=..., this=this@entry=0xffffa4cc) at js/src/jit/arm/MacroAssembler-arm.cpp:1099
#14 js::jit::MacroAssemblerARMCompat::loadPtr (this=this@entry=0xffffa4cc, address=..., dest=dest@entry=...) at js/src/jit/arm/MacroAssembler-arm.cpp:2215
#15 0x0847a477 in EmitCallIC (masm=..., patchOffset=<synthetic pointer>) at js/src/jit/arm/SharedICHelpers-arm.h:46
#16 js::jit::BaselineCompiler::emitIC (this=0xffffa4c0, stub=0xf7a21a28, kind=js::jit::ICEntry::Kind_NonOp) at js/src/jit/BaselineCompiler.cpp:511
#17 0x0847adca in emitNonOpIC (stub=<optimized out>, this=0xffffa4c0) at js/src/jit/BaselineCompiler.h:256
#18 js::jit::BaselineCompiler::emitArgumentTypeChecks (this=this@entry=0xffffa4c0) at js/src/jit/BaselineCompiler.cpp:766
#19 0x08495330 in js::jit::BaselineCompiler::emitPrologue (this=this@entry=0xffffa4c0) at js/src/jit/BaselineCompiler.cpp:437
#20 0x084b720b in js::jit::BaselineCompiler::compile (this=this@entry=0xffffa4c0) at js/src/jit/BaselineCompiler.cpp:98
#21 0x084b8b51 in js::jit::BaselineCompile (cx=cx@entry=0xf7a80040, script=0xf574b1f0, forceDebugInstrumentation=false) at js/src/jit/BaselineJIT.cpp:263
#22 0x084b9371 in CanEnterBaselineJIT (cx=cx@entry=0xf7a80040, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0) at js/src/jit/BaselineJIT.cpp:302
#23 0x084b9707 in js::jit::CanEnterBaselineMethod (cx=cx@entry=0xf7a80040, state=...) at js/src/jit/BaselineJIT.cpp:370
#24 0x082bf62f in js::RunScript (cx=cx@entry=0xf7a80040, state=...) at js/src/vm/Interpreter.cpp:641
#25 0x082bfe83 in js::Invoke (cx=cx@entry=0xf7a80040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:731
#26 0x082c1133 in js::Invoke (cx=cx@entry=0xf7a80040, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0xf59ffec8, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:768
#27 0x084b5e8e in js::jit::DoCallFallback (cx=0xf7a80040, frame=0xf59ffef8, stub_=0xf7a21510, argc=0, vp=0xf59ffeb8, res=...) at js/src/jit/BaselineIC.cpp:9859
#28 0x0867a8f3 in js::jit::Simulator::softwareInterrupt (this=0xf7a7f000, instr=0xf7a02e14) at js/src/jit/arm/Simulator-arm.cpp:2171
#29 0x0867ab36 in js::jit::Simulator::decodeType7 (this=0xf7a7f000, instr=0xf7a02e14) at js/src/jit/arm/Simulator-arm.cpp:3270
#30 0x08678e45 in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a7f000, instr=instr@entry=0xf7a02e14) at js/src/jit/arm/Simulator-arm.cpp:4189
#31 0x0867c6ac in execute<false> (this=0xf7a7f000) at js/src/jit/arm/Simulator-arm.cpp:4244
#32 js::jit::Simulator::callInternal (this=this@entry=0xf7a7f000, entry=entry@entry=0xf7fc91f8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4332
#33 0x0867cb31 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc91f8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4415
#34 0x08438c59 in EnterBaseline (cx=cx@entry=0xf7a80040, data=...) at js/src/jit/BaselineJIT.cpp:124
#35 0x0849e539 in js::jit::EnterBaselineAtBranch (cx=0xf7a80040, fp=0xf56b6080, pc=0xf7a8d961 "う\232") at js/src/jit/BaselineJIT.cpp:228
#36 0x082be493 in Interpret (cx=cx@entry=0xf7a80040, state=...) at js/src/vm/Interpreter.cpp:2024
#37 0x082bf549 in js::RunScript (cx=cx@entry=0xf7a80040, state=...) at js/src/vm/Interpreter.cpp:655
#38 0x082c76a5 in js::ExecuteKernel (cx=cx@entry=0xf7a80040, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:895
#39 0x082c7ac0 in js::Execute (cx=cx@entry=0xf7a80040, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:929
#40 0x08705644 in ExecuteScript (cx=cx@entry=0xf7a80040, scope=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4325
#41 0x08705836 in JS_ExecuteScript (cx=cx@entry=0xf7a80040, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4356
#42 0x0806b3c9 in RunFile (compileOnly=false, file=0xf7ae39e0, filename=0xffffcf5f "min.js", cx=0xf7a80040) at js/src/shell/js.cpp:446
#43 Process (cx=cx@entry=0xf7a80040, filename=0xffffcf5f "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:564
#44 0x080c7430 in ProcessArgs (op=0xffffcb80, cx=<optimized out>) at js/src/shell/js.cpp:5909
#45 Shell (envp=<optimized out>, op=0xffffcb80, cx=<optimized out>) at js/src/shell/js.cpp:6178
#46 main (argc=9, argv=0xffffccd4, envp=0xffffccfc) at js/src/shell/js.cpp:6522

eax 0xffffab48 -21688
ebx 0x984c47c 159695996
ecx 0x10c 268
edx 0x0 0
esi 0xffffa718 -22760
edi 0x0 0
ebp 0xffff9ed8 4294942424
esp 0xffff9e80 4294942336
eip 0x8696290 <js::jit::AssemblerBufferWithConstantPools<1024u, 4u, js::jit::Instruction, js::jit::Assembler>::finishPool()+1360>
=> 0x8696290 <js::jit::AssemblerBufferWithConstantPools<1024u, 4u, js::jit::Instruction, js::jit::Assembler>::finishPool()+1360>: rep movsl %ds:(%esi),%es:(%edi)
   0x8696292 <js::jit::AssemblerBufferWithConstantPools<1024u, 4u, js::jit::Instruction, js::jit::Assembler>::finishPool()+1362>: testb $0x2,-0x1c(%ebp)

I'm marking this s-s because I'm not entirely sure if this is a null crash or not.
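The reporter's oomTest loop fails one allocation at a time until every allocation point has been exercised, and the attached patch is titled "Check for allocation results". As an added illustration that is not SpiderMonkey code, the constructed C program below shows that pattern on a hypothetical growable pool array: finish_pool checks its allocation before the PodCopy-style memcpy (in the register dump above, edi, the rep movsl destination, is 0), and oom_test drives it the same way oomAtAllocation/resetOOMFailure do, asserting that every injected failure surfaces as an error return rather than a crash. All names here are hypothetical.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not SpiderMonkey code: a tiny constant-pool
 * buffer whose finish step copies a Pool record into a growable array,
 * driven by an OOM-injection loop like oomAtAllocation/resetOOMFailure. */
typedef struct { unsigned entries[4]; unsigned count; } Pool;
typedef struct { Pool *pools; size_t len, cap; } PoolInfo;
/* Fault injection: fail the N-th allocation (1-based); 0 disables it. */
static unsigned g_fail_at, g_alloc_count, g_hit;
static void *inj_alloc(size_t n) {
    if (++g_alloc_count == g_fail_at) { g_hit = 1; return NULL; }
    return malloc(n);
}
/* Hardened finishPool: check the allocation before the PodCopy-style
 * memcpy. The unchecked variant would copy into a NULL destination. */
static bool finish_pool(PoolInfo *pi, const Pool *p) {
    if (pi->len == pi->cap) {
        size_t ncap = pi->cap ? pi->cap * 2 : 1;
        Pool *np = inj_alloc(ncap * sizeof *np);
        if (!np) return false;          /* propagate OOM to the caller */
        if (pi->len) memcpy(np, pi->pools, pi->len * sizeof *np);
        free(pi->pools);
        pi->pools = np; pi->cap = ncap;
    }
    memcpy(&pi->pools[pi->len++], p, sizeof *p);
    return true;
}
/* Unit of work under test: finish n pools into one PoolInfo. */
static bool emit_pools(int n) {
    PoolInfo pi = {0}; Pool p = {{1, 2, 3, 4}, 4};
    bool ok = true;
    for (int i = 0; i < n && ok; i++) ok = finish_pool(&pi, &p);
    free(pi.pools);
    return ok;
}
/* oomTest equivalent: fail allocation 1, 2, 3, ... until a run sees no
 * injected failure. Returns how many failure points were exercised. */
static unsigned oom_test(int n) {
    unsigned points = 0;
    for (g_fail_at = 1; ; g_fail_at++) {
        g_alloc_count = 0; g_hit = 0;
        bool ok = emit_pools(n);
        if (!g_hit) { g_fail_at = 0; return points; }  /* resetOOMFailure: no more */
        assert(!ok);  /* injected OOM must surface as an error, not a crash */
        points++;
    }
}
```

With doubling growth, five pools need four allocations, so oom_test(5) exercises exactly four failure points, each of which is handled without touching a NULL destination.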
Reporter, updated 9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Reporter, comment 1, 9 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Reporter, updated 9 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Reporter, updated 9 years ago
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect]
Comment 2, 9 years ago
Do you know who might look at this, Jandem? It has been sitting around for over a month without anybody looking at it. Thanks.
Flags: needinfo?(jdemooij)
Updated 9 years ago
Group: core-security → javascript-core-security
Comment 3, 9 years ago
I'm going to mark this sec-moderate because it is an odd looking OOM test case with a loop, but maybe that's too low.
Keywords: sec-moderate
Reporter, comment 4, 9 years ago
This is a very generic crash signature that I keep seeing. We need to get rid of it; it might hide other (real) bugs. Also, I suspect that quite a few OOM conditions might lead to this based on what I see in the fuzzer. Can the JS ARM people start looking at this? Thanks!
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Assignee, updated 9 years ago
Assignee: nobody → nicolas.b.pierron
Assignee, comment 5, 9 years ago
Attachment #8670284 - Flags: review?(jolesen)
Comment 6, 9 years ago
Comment on attachment 8670284 [details] [diff] [review]
AssemblerBufferWithConstantPools: Check for allocation results.

Review of attachment 8670284 [details] [diff] [review]:
-----------------------------------------------------------------

Yep. C++ is great!
Attachment #8670284 - Flags: review?(jolesen) → review+
Updated 9 years ago
Crash Signature: [@ PodAssign<js::jit::Pool>] → [@ PodAssign<js::jit::Pool>] [@ PodAssign<T>]
Assignee, comment 7, 9 years ago
This bug got resolved with the new AssemblerBuffer that Jakob made a few weeks ago (Bug 1207827). As the patch highlights, I think this is only a null-crash (-> sec-low) and I do not think we need to backport it, unless we see that in production.
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44: --- → fixed
Flags: needinfo?(jdemooij)
Keywords: sec-moderate → sec-low
Resolution: --- → FIXED
Updated 9 years ago
Group: javascript-core-security → core-security-release
Updated 8 years ago
Status: RESOLVED → VERIFIED
Crash Signature: [@ PodAssign<js::jit::Pool>] [@ PodAssign<T>] → [@ PodAssign<js::jit::Pool>] [@ PodAssign<T>]
status-firefox45: --- → verified
Comment 8, 8 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated 8 years ago
Crash Signature: [@ PodAssign<js::jit::Pool>] [@ PodAssign<T>] → [@ PodAssign<js::jit::Pool>] [@ PodAssign<T>]
status-firefox43: --- → wontfix
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [jsbugmon:update,bisect][fuzzblocker][adv-main44+]
Updated 8 years ago
Group: core-security-release