Closed Bug 1204721 Opened 9 years ago Closed 9 years ago

Assertion failure: (*mode & PACKED_TAG_MASK) == 0 && (p.type & ~PACKED_TAG_MASK) == 0, at js/src/jit/Snapshots.cpp:353 with OOM

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1215058
Tracking Status
firefox43 --- affected

People

(Reporter: decoder, Assigned: nbp)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision 9ed17db42e3e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --baseline-eager --ion-eager --ion-check-range-analysis):

function oomTest(f) {
  var i = 1;
  do {
    try {
      oomAtAllocation(i);
      f();
    } catch (e) {}
    more = resetOOMFailure();
    i++;
  } while(more);
}
oomTest(() => gc())

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xf72cdb40 (LWP 23213)]
0x0872602e in js::jit::RValueAllocation::writePayload (writer=..., type=js::jit::RValueAllocation::PAYLOAD_PACKED_TAG, p=...) at js/src/jit/Snapshots.cpp:353
#0  0x0872602e in js::jit::RValueAllocation::writePayload (writer=..., type=js::jit::RValueAllocation::PAYLOAD_PACKED_TAG, p=...) at js/src/jit/Snapshots.cpp:353
#1  0x08726161 in js::jit::RValueAllocation::write (this=this@entry=0xf72ccf20, writer=...) at js/src/jit/Snapshots.cpp:376
#2  0x0873ddf1 in js::jit::SnapshotWriter::add (this=this@entry=0xf58b2ab0, alloc=...) at js/src/jit/Snapshots.cpp:663
#3  0x0873e498 in js::jit::CodeGeneratorShared::encodeAllocation (this=this@entry=0xf58b2000, snapshot=snapshot@entry=0xf58afb18, mir=<optimized out>, allocIndex=allocIndex@entry=0xf72ccfa0) at js/src/jit/shared/CodeGenerator-shared.cpp:522
#4  0x0873ec0d in js::jit::CodeGeneratorShared::encode (this=0xf58b2000, snapshot=0xf58afb18) at js/src/jit/shared/CodeGenerator-shared.cpp:590
#5  0x0873ee19 in js::jit::CodeGeneratorShared::markOsiPoint (this=this@entry=0xf58b2000, ins=ins@entry=0xf58afb60) at js/src/jit/shared/CodeGenerator-shared.cpp:1092
#6  0x084e5efe in js::jit::CodeGenerator::visitOsiPoint (this=0xf58b2000, lir=0xf58afb60) at js/src/jit/CodeGenerator.cpp:1930
#7  0x0874a5a6 in js::jit::LOsiPoint::accept (this=0xf58afb60, visitor=0xf58b2000) at js/src/jit/shared/LIR-shared.h:75
#8  0x08582a6b in js::jit::CodeGenerator::generateBody (this=this@entry=0xf58b2000) at js/src/jit/CodeGenerator.cpp:4148
#9  0x085831a3 in js::jit::CodeGenerator::generate (this=this@entry=0xf58b2000) at js/src/jit/CodeGenerator.cpp:7822
#10 0x085bb101 in js::jit::GenerateCode (mir=mir@entry=0xf58aa150, lir=0xf58aeb88) at js/src/jit/Ion.cpp:1836
#11 0x0860596c in js::jit::CompileBackEnd (mir=0xf58aa150) at js/src/jit/Ion.cpp:1858
#12 0x082db867 in js::HelperThread::handleIonWorkload (this=this@entry=0xf7a45a28) at js/src/vm/HelperThreads.cpp:1158
#13 0x082dd08b in js::HelperThread::threadLoop (this=0xf7a45a28) at js/src/vm/HelperThreads.cpp:1459
#14 0x08358131 in nspr::Thread::ThreadRoutine (arg=0xf7a021a0) at js/src/vm/PosixNSPR.cpp:45
#15 0xf7fb0f70 in start_thread (arg=0xf72cdb40) at pthread_create.c:312
#16 0xf7d7a4ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129

eax 0x0 0
ebx 0x97b5934 159078708
ecx 0xf7e3b88c -136071028
edx 0x0 0
esi 0xf58b2a08 -175429112
edi 0xf58b2ae8 -175428888
ebp 0xf72cce18 4146908696
esp 0xf72ccdb0 4146908592
eip 0x872602e <js::jit::RValueAllocation::writePayload(js::jit::CompactBufferWriter&, js::jit::RValueAllocation::PayloadType, js::jit::RValueAllocation::Payload)+286>
=> 0x872602e <js::jit::RValueAllocation::writePayload(js::jit::CompactBufferWriter&, js::jit::RValueAllocation::PayloadType, js::jit::RValueAllocation::Payload)+286>: movl $0x161,0x0
   0x8726038 <js::jit::RValueAllocation::writePayload(js::jit::CompactBufferWriter&, js::jit::RValueAllocation::PayloadType, js::jit::RValueAllocation::Payload)+296>: call 0x80f3840 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6ffa14c65354
user: Jon Coppeard
date: Fri May 22 18:52:38 2015 +0100
summary: Bug 1155618 - Add better support for testing OOM behaviour r=terrence

This iteration took 282.210 seconds to run.
This assertion means that one can potentially re-interpret the content of a snapshot to read unexpected register / stack positions during a bailout.
Group: javascript-core-security
Flags: needinfo?(nicolas.b.pierron)
Keywords: sec-want
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 37c7812ce0e6).
Assignee: nobody → nicolas.b.pierron
Flags: needinfo?(nicolas.b.pierron)
I was able to reproduce Bug 1207574, so this error might have mutated into this new error, or it might be hidden by Bug 1207574.
Assignee: nicolas.b.pierron → nobody
Attached patch Patch (obsolete) — Splinter Review
Assignee: nobody → hv1989
Since this is your patch, can you take this and follow up to eventually land this?
Assignee: hv1989 → nicolas.b.pierron
Flags: needinfo?(nicolas.b.pierron)
This patch prevents any addition of extra RValueAllocation to the CompactBuffer which is used to store the content. The problem we saw here is that as we write a new RValueAllocation, we write the Mode, followed by the variable part of the RValueAllocation. In such a case, the mode was probably a TYPED_REG or a TYPED_STACK, in which the first variable stored in the snapshot is the PAYLOAD_PACKED_TAG. The packed-tag tried to mutate the last entry of the buffer, which caused this issue.
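The mechanism described in the comment above, reduced to a self-contained toy. This is an added illustration, not SpiderMonkey's code and not the attached patch: the constant values (PACKED_TAG_MASK, the TYPED_REG mode byte, the tag values), the capacity-limited CompactBufferWriter that models an injected allocation failure, and the two-byte decoder are all assumptions made for the demo. What it shows is the sequence the comment describes: a mode byte is written, then the packed tag is OR'd into the last byte of the buffer. When the mode byte was dropped by OOM, that last byte is the previous allocation's register index, so the tag silently rewrites which register a bailout would read. The guardOom flag is the patch's check: once the writer is in OOM, append nothing.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constants shaped like RValueAllocation's encoding (mode byte with the packed
// value type in its low three bits). The exact values are assumptions for this
// demo, not the engine's.
constexpr uint8_t PACKED_TAG_MASK = 0x07;
constexpr uint8_t MODE_TYPED_REG = 0x10;  // low three bits clear by construction
constexpr uint8_t TAG_INT32 = 0x01;       // stand-in packed tag values
constexpr uint8_t TAG_BOOLEAN = 0x02;

// Toy stand-in for CompactBufferWriter. A fixed capacity models the allocation
// failure oomAtAllocation() injects: a write past capacity sets the OOM flag and
// is silently dropped, which is exactly the state the patch checks for.
class CompactBufferWriter {
 public:
  explicit CompactBufferWriter(size_t capacity) : capacity_(capacity) {}
  void writeByte(uint8_t b) {
    if (buf_.size() >= capacity_) {
      oom_ = true;
      return;
    }
    buf_.push_back(b);
  }
  bool oom() const { return oom_; }
  size_t length() const { return buf_.size(); }
  uint8_t* buffer() { return buf_.data(); }
  const std::vector<uint8_t>& bytes() const { return buf_; }

 private:
  std::vector<uint8_t> buf_;
  size_t capacity_;
  bool oom_ = false;
};

struct TypedReg {
  uint8_t tag;  // packed value type
  uint8_t reg;  // register index a bailout reads back
};

// Encode one TYPED_REG allocation: mode byte, then the packed tag OR'd into the
// last byte of the buffer (assumed to be the mode byte just written), then the
// register index. Returns false when the tag landed on a byte that was not a
// fresh mode byte, i.e. when the assertion in the bug title would have fired.
static bool writeTypedReg(CompactBufferWriter& w, TypedReg a, bool guardOom) {
  w.writeByte(MODE_TYPED_REG);
  // The patch's check: after a dropped write the "last byte" belongs to the
  // previous allocation, so the only safe action is to append nothing at all.
  if (guardOom && w.oom()) return true;
  if (w.length() == 0) return false;  // nothing to patch; avoid pointer underflow
  uint8_t* mode = w.buffer() + (w.length() - 1);
  bool invariantHolds =
      (*mode & PACKED_TAG_MASK) == 0 && (a.tag & ~PACKED_TAG_MASK) == 0;
  *mode = static_cast<uint8_t>(*mode | a.tag);  // a release build does this regardless
  w.writeByte(a.reg);
  return invariantHolds;
}

// Decode the allocation at `offset` the way a bailout would consume it.
static TypedReg readTypedReg(const std::vector<uint8_t>& bytes, size_t offset) {
  uint8_t mode = bytes.at(offset);
  return TypedReg{static_cast<uint8_t>(mode & PACKED_TAG_MASK), bytes.at(offset + 1)};
}

struct Scenario {
  std::vector<uint8_t> bytes;
  bool invariantViolated;
  bool oom;
};

// Two allocations into a buffer with room for only the first. The second one's
// mode byte is dropped by OOM; without the guard, its packed tag is OR'd into
// the first allocation's register index (0x05 becomes 0x07).
static Scenario encodeScenario(bool guardOom) {
  CompactBufferWriter w(2);
  bool ok1 = writeTypedReg(w, TypedReg{TAG_INT32, 0x05}, guardOom);
  bool ok2 = writeTypedReg(w, TypedReg{TAG_BOOLEAN, 0x03}, guardOom);
  return Scenario{w.bytes(), !(ok1 && ok2), w.oom()};
}

int main() {
  for (int g = 0; g < 2; ++g) {
    bool guard = g != 0;
    Scenario s = encodeScenario(guard);
    TypedReg first = readTypedReg(s.bytes, 0);
    std::printf("guard=%d oom=%d invariant violated=%d first alloc: tag=%u reg=%u\n",
                guard, s.oom, s.invariantViolated, first.tag, first.reg);
  }
  return 0;
}
```

Compare the two lines the program prints: in both runs the writer ends up in OOM, but only the unguarded run reports the invariant violation, and only there does the first allocation's register index change from 5 to 7 with nothing in the buffer recording that anything went wrong. That is the "read unexpected register / stack positions during a bailout" outcome from the earlier comment, and why the fix is to stop appending as soon as writer.oom() is set rather than to repair the last byte.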
Attachment #8676226 - Flags: review?(hv1989)
Attachment #8670312 - Attachment is obsolete: true
Attachment #8676226 - Flags: review?(hv1989) → review+
Comment on attachment 8676226 [details] [diff] [review] Do not append any value allocation on OOM. Review of attachment 8676226 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/Snapshots.cpp @@ +326,5 @@ > RValueAllocation::writePayload(CompactBufferWriter& writer, PayloadType type, > Payload p) > { > + if (!writer.oom()) > + return; if (writer.oom()) return Don't forget to remove the !
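Review bot: the guard in the writePayload hunk is inverted: `if (!writer.oom()) return;` returns early on the healthy path, so no payload would ever be appended when the buffer is fine, while the OOM case the patch exists for would fall through into the PAYLOAD_PACKED_TAG write that mutates the last byte of the buffer. It should read `if (writer.oom()) return;` as noted above. A one-line comment next to the check saying why it must come before any write (after a dropped writeByte the last byte belongs to the previous allocation, so the packed tag would corrupt it) would keep the next reader from "simplifying" it away.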
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
Group: javascript-core-security