Last Comment Bug 1180064 - Crash [@ PodAssign<js::jit::Pool>] with OOM
: Crash [@ PodAssign<js::jit::Pool>] with OOM
Status: VERIFIED FIXED
[jsbugmon:update,bisect][fuzzblocker]...
: crash, regression, sec-low, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: ARM Linux
-- critical (vote)
: ---
Assigned To: Nicolas B. Pierron [:nbp]
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: langfuzz 912928
  Show dependency treegraph
 
Reported: 2015-07-02 18:02 PDT by Christian Holler (:decoder)
Modified: 2016-07-02 11:29 PDT (History)
15 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
wontfix
wontfix
fixed
verified


Attachments
AssemblerBufferWithConstantPools: Check for allocation results. (1.20 KB, patch)
2015-10-06 08:12 PDT, Nicolas B. Pierron [:nbp]
jolesen: review+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2015-07-02 18:02:06 PDT
The following testcase crashes on mozilla-central revision f5e3bacfb60e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --fuzzing-safe --thread-count=2 --arm-asm-nop-fill=1 --arm-hwcap=vfp --ion-check-range-analysis --ion-extra-checks --ion-offthread-compile=off):

function oomTest(f) {
    var i = 1;
    do {
        try {
            oomAtAllocation(i);
            f();
        } catch (e) {
        }
        more = resetOOMFailure();
        i++;
    } while(more);
}
oomTest(function() {
    newGlobal('================================================================')     
});



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x08696290 in PodAssign<js::jit::Pool> (aSrc=0xffffa718, aDst=<optimized out>) at ../../dist/include/mozilla/PodOperations.h:87
#0  0x08696290 in PodAssign<js::jit::Pool> (aSrc=0xffffa718, aDst=<optimized out>) at ../../dist/include/mozilla/PodOperations.h:87
#1  PodCopy<js::jit::Pool> (aNElem=1, aSrc=0xffffa718, aDst=<optimized out>) at ../../dist/include/mozilla/PodOperations.h:107
#2  js::jit::AssemblerBufferWithConstantPools<1024u, 4u, js::jit::Instruction, js::jit::Assembler>::finishPool (this=0xffffa6c8) at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:723
#3  0x08696728 in js::jit::AssemblerBufferWithConstantPools<1024u, 4u, js::jit::Instruction, js::jit::Assembler>::insertEntryForwards (this=this@entry=0xffffa6c8, numInst=numInst@entry=1, numPoolEntries=numPoolEntries@entry=0, inst=inst@entry=0xffff9fc0 "\377\377\377\352|Ą\t\350\237\377\377\220\202b\b\v", data=data@entry=0x0) at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:545
#4  0x0864ee3a in js::jit::AssemblerBufferWithConstantPools<1024u, 4u, js::jit::Instruction, js::jit::Assembler>::allocEntry (this=this@entry=0xffffa6c8, inst=inst@entry=0xffff9fc0 "\377\377\377\352|Ą\t\350\237\377\377\220\202b\b\v", markAsBranch=markAsBranch@entry=false, pe=0x0, data=0x0, numPoolEntries=0, numInst=1) at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:588
#5  0x0864fe45 in putInt (markAsBranch=false, value=3942645759, this=0xffffa6c8) at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:610
#6  insertNopFill (this=0xffffa6c8) at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:508
#7  allocEntry (numInst=1, numPoolEntries=0, data=0x0, pe=0x0, markAsBranch=false, inst=0xffff9fb0 "", this=0xffffa6c8) at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:571
#8  putInt (markAsBranch=false, value=3852009472, this=0xffffa6c8) at js/src/jit/shared/IonAssemblerBufferWithConstantPools.h:610
#9  js::jit::Assembler::writeInst (this=this@entry=0xffffa4cc, x=3852009472) at js/src/jit/arm/Assembler-arm.cpp:1352
#10 0x0865d8c8 in as_dtr (c=<optimized out>, addr=..., rt=..., mode=<optimized out>, size=<optimized out>, ls=<optimized out>, this=<optimized out>) at js/src/jit/arm/Assembler-arm.cpp:1667
#11 js::jit::MacroAssemblerARM::ma_dataTransferN (this=this@entry=0xffffa4cc, ls=js::jit::IsLoad, rn=..., offset=offset@entry=..., rt=..., mode=mode@entry=js::jit::Offset, cc=cc@entry=js::jit::Assembler::Always, IsSigned=true, size=32) at js/src/jit/arm/MacroAssembler-arm.cpp:1268
#12 0x0865f1bd in js::jit::MacroAssemblerARM::ma_dtr (this=this@entry=0xffffa4cc, rt=..., rt@entry=..., addr=..., mode=mode@entry=js::jit::Offset, cc=cc@entry=js::jit::Assembler::Always, ls=js::jit::IsLoad) at js/src/jit/arm/MacroAssembler-arm.cpp:1075
#13 0x0865f9d7 in ma_ldr (cc=js::jit::Assembler::Always, mode=js::jit::Offset, rt=..., addr=..., this=this@entry=0xffffa4cc) at js/src/jit/arm/MacroAssembler-arm.cpp:1099
#14 js::jit::MacroAssemblerARMCompat::loadPtr (this=this@entry=0xffffa4cc, address=..., dest=dest@entry=...) at js/src/jit/arm/MacroAssembler-arm.cpp:2215
#15 0x0847a477 in EmitCallIC (masm=..., patchOffset=<synthetic pointer>) at js/src/jit/arm/SharedICHelpers-arm.h:46
#16 js::jit::BaselineCompiler::emitIC (this=0xffffa4c0, stub=0xf7a21a28, kind=js::jit::ICEntry::Kind_NonOp) at js/src/jit/BaselineCompiler.cpp:511
#17 0x0847adca in emitNonOpIC (stub=<optimized out>, this=0xffffa4c0) at js/src/jit/BaselineCompiler.h:256
#18 js::jit::BaselineCompiler::emitArgumentTypeChecks (this=this@entry=0xffffa4c0) at js/src/jit/BaselineCompiler.cpp:766
#19 0x08495330 in js::jit::BaselineCompiler::emitPrologue (this=this@entry=0xffffa4c0) at js/src/jit/BaselineCompiler.cpp:437
#20 0x084b720b in js::jit::BaselineCompiler::compile (this=this@entry=0xffffa4c0) at js/src/jit/BaselineCompiler.cpp:98
#21 0x084b8b51 in js::jit::BaselineCompile (cx=cx@entry=0xf7a80040, script=0xf574b1f0, forceDebugInstrumentation=false) at js/src/jit/BaselineJIT.cpp:263
#22 0x084b9371 in CanEnterBaselineJIT (cx=cx@entry=0xf7a80040, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0) at js/src/jit/BaselineJIT.cpp:302
#23 0x084b9707 in js::jit::CanEnterBaselineMethod (cx=cx@entry=0xf7a80040, state=...) at js/src/jit/BaselineJIT.cpp:370
#24 0x082bf62f in js::RunScript (cx=cx@entry=0xf7a80040, state=...) at js/src/vm/Interpreter.cpp:641
#25 0x082bfe83 in js::Invoke (cx=cx@entry=0xf7a80040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:731
#26 0x082c1133 in js::Invoke (cx=cx@entry=0xf7a80040, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0xf59ffec8, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:768
#27 0x084b5e8e in js::jit::DoCallFallback (cx=0xf7a80040, frame=0xf59ffef8, stub_=0xf7a21510, argc=0, vp=0xf59ffeb8, res=...) at js/src/jit/BaselineIC.cpp:9859
#28 0x0867a8f3 in js::jit::Simulator::softwareInterrupt (this=0xf7a7f000, instr=0xf7a02e14) at js/src/jit/arm/Simulator-arm.cpp:2171
#29 0x0867ab36 in js::jit::Simulator::decodeType7 (this=0xf7a7f000, instr=0xf7a02e14) at js/src/jit/arm/Simulator-arm.cpp:3270
#30 0x08678e45 in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a7f000, instr=instr@entry=0xf7a02e14) at js/src/jit/arm/Simulator-arm.cpp:4189
#31 0x0867c6ac in execute<false> (this=0xf7a7f000) at js/src/jit/arm/Simulator-arm.cpp:4244
#32 js::jit::Simulator::callInternal (this=this@entry=0xf7a7f000, entry=entry@entry=0xf7fc91f8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4332
#33 0x0867cb31 in js::jit::Simulator::call (this=<optimized out>, entry=entry@entry=0xf7fc91f8 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>, argument_count=<optimized out>, argument_count@entry=8) at js/src/jit/arm/Simulator-arm.cpp:4415
#34 0x08438c59 in EnterBaseline (cx=cx@entry=0xf7a80040, data=...) at js/src/jit/BaselineJIT.cpp:124
#35 0x0849e539 in js::jit::EnterBaselineAtBranch (cx=0xf7a80040, fp=0xf56b6080, pc=0xf7a8d961 "う\232") at js/src/jit/BaselineJIT.cpp:228
#36 0x082be493 in Interpret (cx=cx@entry=0xf7a80040, state=...) at js/src/vm/Interpreter.cpp:2024
#37 0x082bf549 in js::RunScript (cx=cx@entry=0xf7a80040, state=...) at js/src/vm/Interpreter.cpp:655
#38 0x082c76a5 in js::ExecuteKernel (cx=cx@entry=0xf7a80040, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:895
#39 0x082c7ac0 in js::Execute (cx=cx@entry=0xf7a80040, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:929
#40 0x08705644 in ExecuteScript (cx=cx@entry=0xf7a80040, scope=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4325
#41 0x08705836 in JS_ExecuteScript (cx=cx@entry=0xf7a80040, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4356
#42 0x0806b3c9 in RunFile (compileOnly=false, file=0xf7ae39e0, filename=0xffffcf5f "min.js", cx=0xf7a80040) at js/src/shell/js.cpp:446
#43 Process (cx=cx@entry=0xf7a80040, filename=0xffffcf5f "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:564
#44 0x080c7430 in ProcessArgs (op=0xffffcb80, cx=<optimized out>) at js/src/shell/js.cpp:5909
#45 Shell (envp=<optimized out>, op=0xffffcb80, cx=<optimized out>) at js/src/shell/js.cpp:6178
#46 main (argc=9, argv=0xffffccd4, envp=0xffffccfc) at js/src/shell/js.cpp:6522
eax	0xffffab48	-21688
ebx	0x984c47c	159695996
ecx	0x10c	268
edx	0x0	0
esi	0xffffa718	-22760
edi	0x0	0
ebp	0xffff9ed8	4294942424
esp	0xffff9e80	4294942336
eip	0x8696290 <js::jit::AssemblerBufferWithConstantPools<1024u, 4u, js::jit::Instruction, js::jit::Assembler>::finishPool()+1360>
=> 0x8696290 <js::jit::AssemblerBufferWithConstantPools<1024u, 4u, js::jit::Instruction, js::jit::Assembler>::finishPool()+1360>:	rep movsl %ds:(%esi),%es:(%edi)
   0x8696292 <js::jit::AssemblerBufferWithConstantPools<1024u, 4u, js::jit::Instruction, js::jit::Assembler>::finishPool()+1362>:	testb  $0x2,-0x1c(%ebp)


I'm marking this s-s because I'm not entirely sure if this is a null crash or not.
Comment 1 User image Christian Holler (:decoder) 2015-07-02 20:54:08 PDT
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 2 User image Andrew McCreight [:mccr8] 2015-08-12 10:54:02 PDT
Do you know who might look at this, Jandem? It has been sitting around for over a month without anybody looking at it. Thanks.
Comment 3 User image Andrew McCreight [:mccr8] 2015-09-15 10:26:55 PDT
I'm going to mark this sec-moderate because it is an odd looking OOM test case with a loop, but maybe that's too low.
Comment 4 User image Christian Holler (:decoder) 2015-09-28 03:52:21 PDT
This is a very generic crash signature that I keep seeing. We need to get rid of it, it might hide other (real) bugs. Also, I suspect that quite a few OOM conditions might lead to this based on what I see in the fuzzer. Can the JS ARM people start looking at this? Thanks!
Comment 5 User image Nicolas B. Pierron [:nbp] 2015-10-06 08:12:52 PDT
Created attachment 8670284 [details] [diff] [review]
AssemblerBufferWithConstantPools: Check for allocation results.
Comment 6 User image Jakob Stoklund Olesen [:jolesen] 2015-10-06 08:15:42 PDT
Comment on attachment 8670284 [details] [diff] [review]
AssemblerBufferWithConstantPools: Check for allocation results.

Review of attachment 8670284 [details] [diff] [review]:
-----------------------------------------------------------------

Yep. C++ is great!
Comment 7 User image Nicolas B. Pierron [:nbp] 2015-10-27 07:25:00 PDT
This bug got resolved with the new AssemblerBuffer that Jakob made a few weeks ago. (Bug 1207827)

As the patch highlight, I think this is only a null-crash (-> sec-low) and I do not think we need to backport it, unless we see that in production.
Comment 8 User image Fuzzing Team 2015-12-11 09:01:20 PST
JSBugMon: This bug has been automatically verified fixed.

Note You need to log in before you can comment on or make changes to this bug.