Bug 1204721 (Closed) - Assertion failure: (*mode & PACKED_TAG_MASK) == 0 && (p.type & ~PACKED_TAG_MASK) == 0, at js/src/jit/Snapshots.cpp:353 with OOM
Opened 9 years ago; Closed 9 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 1215058
Tracking: firefox43: affected
People: Reporter: decoder; Assigned: nbp
References: Blocks 1 open bug
Details: 4 keywords; Whiteboard: [jsbugmon:update,ignore]
Attachments (1 file, 1 obsolete file): patch, 884 bytes, h4writer: review+
The following testcase crashes on mozilla-central revision 9ed17db42e3e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --baseline-eager --ion-eager --ion-check-range-analysis):
function oomTest(f) {
    var i = 1;
    var more;
    do {
        try {
            // Make the i-th allocation fail, then run the function under test.
            oomAtAllocation(i);
            f();
        } catch (e) {}
        // Reports whether the simulated failure was actually hit; once f()
        // finishes without reaching allocation i, there is nothing left to test.
        more = resetOOMFailure();
        i++;
    } while (more);
}
oomTest(() => gc())
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xf72cdb40 (LWP 23213)]
0x0872602e in js::jit::RValueAllocation::writePayload (writer=..., type=js::jit::RValueAllocation::PAYLOAD_PACKED_TAG, p=...) at js/src/jit/Snapshots.cpp:353
#0 0x0872602e in js::jit::RValueAllocation::writePayload (writer=..., type=js::jit::RValueAllocation::PAYLOAD_PACKED_TAG, p=...) at js/src/jit/Snapshots.cpp:353
#1 0x08726161 in js::jit::RValueAllocation::write (this=this@entry=0xf72ccf20, writer=...) at js/src/jit/Snapshots.cpp:376
#2 0x0873ddf1 in js::jit::SnapshotWriter::add (this=this@entry=0xf58b2ab0, alloc=...) at js/src/jit/Snapshots.cpp:663
#3 0x0873e498 in js::jit::CodeGeneratorShared::encodeAllocation (this=this@entry=0xf58b2000, snapshot=snapshot@entry=0xf58afb18, mir=<optimized out>, allocIndex=allocIndex@entry=0xf72ccfa0) at js/src/jit/shared/CodeGenerator-shared.cpp:522
#4 0x0873ec0d in js::jit::CodeGeneratorShared::encode (this=0xf58b2000, snapshot=0xf58afb18) at js/src/jit/shared/CodeGenerator-shared.cpp:590
#5 0x0873ee19 in js::jit::CodeGeneratorShared::markOsiPoint (this=this@entry=0xf58b2000, ins=ins@entry=0xf58afb60) at js/src/jit/shared/CodeGenerator-shared.cpp:1092
#6 0x084e5efe in js::jit::CodeGenerator::visitOsiPoint (this=0xf58b2000, lir=0xf58afb60) at js/src/jit/CodeGenerator.cpp:1930
#7 0x0874a5a6 in js::jit::LOsiPoint::accept (this=0xf58afb60, visitor=0xf58b2000) at js/src/jit/shared/LIR-shared.h:75
#8 0x08582a6b in js::jit::CodeGenerator::generateBody (this=this@entry=0xf58b2000) at js/src/jit/CodeGenerator.cpp:4148
#9 0x085831a3 in js::jit::CodeGenerator::generate (this=this@entry=0xf58b2000) at js/src/jit/CodeGenerator.cpp:7822
#10 0x085bb101 in js::jit::GenerateCode (mir=mir@entry=0xf58aa150, lir=0xf58aeb88) at js/src/jit/Ion.cpp:1836
#11 0x0860596c in js::jit::CompileBackEnd (mir=0xf58aa150) at js/src/jit/Ion.cpp:1858
#12 0x082db867 in js::HelperThread::handleIonWorkload (this=this@entry=0xf7a45a28) at js/src/vm/HelperThreads.cpp:1158
#13 0x082dd08b in js::HelperThread::threadLoop (this=0xf7a45a28) at js/src/vm/HelperThreads.cpp:1459
#14 0x08358131 in nspr::Thread::ThreadRoutine (arg=0xf7a021a0) at js/src/vm/PosixNSPR.cpp:45
#15 0xf7fb0f70 in start_thread (arg=0xf72cdb40) at pthread_create.c:312
#16 0xf7d7a4ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129
eax 0x0 0
ebx 0x97b5934 159078708
ecx 0xf7e3b88c -136071028
edx 0x0 0
esi 0xf58b2a08 -175429112
edi 0xf58b2ae8 -175428888
ebp 0xf72cce18 4146908696
esp 0xf72ccdb0 4146908592
eip 0x872602e <js::jit::RValueAllocation::writePayload(js::jit::CompactBufferWriter&, js::jit::RValueAllocation::PayloadType, js::jit::RValueAllocation::Payload)+286>
=> 0x872602e <js::jit::RValueAllocation::writePayload(js::jit::CompactBufferWriter&, js::jit::RValueAllocation::PayloadType, js::jit::RValueAllocation::Payload)+286>: movl $0x161,0x0
0x8726038 <js::jit::RValueAllocation::writePayload(js::jit::CompactBufferWriter&, js::jit::RValueAllocation::PayloadType, js::jit::RValueAllocation::Payload)+296>: call 0x80f3840 <abort()>
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6ffa14c65354
user: Jon Coppeard
date: Fri May 22 18:52:38 2015 +0100
summary: Bug 1155618 - Add better support for testing OOM behaviour r=terrence
This iteration took 282.210 seconds to run.
Comment 2 (Assignee)•9 years ago
This assertion means that one can potentially re-interpret the content of a snapshot to read unexpected register / stack positions during a bailout.
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 3•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 37c7812ce0e6).
Updated (Assignee)•9 years ago
Assignee: nobody → nicolas.b.pierron
Flags: needinfo?(nicolas.b.pierron)
Comment 4 (Assignee)•9 years ago
I was able to reproduce Bug 1207574, so this error might have mutated into this new error, or it might be hidden by Bug 1207574.
Assignee: nicolas.b.pierron → nobody
Comment 5•9 years ago
Assignee: nobody → hv1989
Comment 6•9 years ago
Since this is your patch, can you take this and follow up to eventually land it?
Assignee: hv1989 → nicolas.b.pierron
Flags: needinfo?(nicolas.b.pierron)
Comment 7 (Assignee)•9 years ago
This patch prevents any addition of extra RValueAllocation to the CompactBuffer which is used to store the content.
The problem we saw here is that as we write a new RValueAllocation, we write the Mode, followed by the variable part of the RValueAllocation. In such a case, the mode was probably a TYPED_REG or a TYPED_STACK, in which the first variable stored in the snapshot is the PAYLOAD_PACKED_TAG. The packed-tag tried to mutate the last entry of the buffer, which caused this issue.
Attachment #8676226 -
Flags: review?(hv1989)
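The mechanism described in comment 7, as an added C++ model that is not SpiderMonkey's code: a byte-buffer writer that records OOM instead of failing hard, an allocation writer that appends a mode byte and then folds a packed tag into that last byte, and the inverted guard from the first revision of the patch beside the corrected one. The class and function names (ModelBufferWriter, writePackedTagBuggy, writePackedTagFixed, writeAllocation, oomPathIsSafe, normalPathEncodedByte), the byte budget, the mode values and the tag-mask value are all constructed for the example and do not match the real snapshot encoding.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model of a compact byte-buffer writer (not SpiderMonkey's
// CompactBufferWriter): an append that cannot be satisfied sets an OOM flag
// and every later append is silently dropped, which is exactly the state in
// which the packed-tag step has no "last entry" left to patch.
class ModelBufferWriter {
    std::vector<uint8_t> buffer_;
    size_t budget_;      // constructed: bytes that may be appended before OOM
    bool oom_ = false;
public:
    explicit ModelBufferWriter(size_t budget) : budget_(budget) {}
    bool oom() const { return oom_; }
    size_t length() const { return buffer_.size(); }
    const std::vector<uint8_t>& buffer() const { return buffer_; }

    void writeByte(uint8_t b) {
        if (oom_) return;
        if (buffer_.size() >= budget_) { oom_ = true; return; }
        buffer_.push_back(b);
    }
    // OR bits into the most recently appended byte. Returns false when there is
    // no such byte; a real implementation asserts here instead of returning.
    bool orLastByte(uint8_t bits) {
        if (buffer_.empty()) return false;
        buffer_.back() |= bits;
        return true;
    }
};

// Constructed mode values and packed-tag layout (the real encoding differs).
enum Mode : uint8_t { TYPED_REG = 0x02, TYPED_STACK = 0x04 };
static const uint8_t PACKED_TAG_MASK = 0x80;

// First revision of the patch: the guard is inverted. Normal writes return
// before encoding the tag, while an OOM writer still tries to patch a byte
// that was never appended.
static bool writePackedTagBuggy(ModelBufferWriter& w, uint8_t tag) {
    if (!w.oom()) return true;
    return w.orLastByte(tag & PACKED_TAG_MASK);
}

// Corrected guard: once the writer is in OOM state nothing was appended, so
// there is nothing to patch and the caller observes w.oom() afterwards.
static bool writePackedTagFixed(ModelBufferWriter& w, uint8_t tag) {
    if (w.oom()) return true;
    return w.orLastByte(tag & PACKED_TAG_MASK);
}

// Encode one allocation: the mode byte first, then the packed tag folded into
// that same byte. Returns false only if the tag step touched a missing entry.
static bool writeAllocation(ModelBufferWriter& w, Mode mode, uint8_t tag, bool fixed) {
    w.writeByte(static_cast<uint8_t>(mode));
    return fixed ? writePackedTagFixed(w, tag) : writePackedTagBuggy(w, tag);
}

// Budget of zero bytes: the very first append fails, reproducing the OOM path.
static bool oomPathIsSafe(bool fixed) {
    ModelBufferWriter w(0);
    return writeAllocation(w, TYPED_REG, PACKED_TAG_MASK, fixed);
}

// Budget of one byte: the normal path. Returns the encoded byte so the caller
// can see whether the tag actually landed (0x82) or was dropped (0x02).
static uint8_t normalPathEncodedByte(bool fixed) {
    ModelBufferWriter w(1);
    writeAllocation(w, TYPED_REG, PACKED_TAG_MASK, fixed);
    return w.buffer().empty() ? 0 : w.buffer().back();
}

int main() {
    // Stand-alone run: exit non-zero if either guard behaves unexpectedly.
    bool ok = oomPathIsSafe(true) && !oomPathIsSafe(false) &&
              normalPathEncodedByte(true) == 0x82 &&
              normalPathEncodedByte(false) == 0x02;
    return ok ? 0 : 1;
}
```

The two budgets isolate the two failure modes of the inverted guard: with no memory left, the buggy version reaches into an empty buffer (the assertion in this bug), and with memory available it skips the tag entirely, so the snapshot would decode with the wrong mode. The corrected guard leaves the buffer untouched on OOM and lets the caller check `oom()` once the whole allocation has been written.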
Updated (Assignee)•9 years ago
Attachment #8670312 -
Attachment is obsolete: true
Updated•9 years ago
Attachment #8676226 -
Flags: review?(hv1989) → review+
Comment 8•9 years ago
Comment on attachment 8676226 [details] [diff] [review]
Do not append any value allocation on OOM.
Review of attachment 8676226 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/jit/Snapshots.cpp
@@ +326,5 @@
> RValueAllocation::writePayload(CompactBufferWriter& writer, PayloadType type,
> Payload p)
> {
> + if (!writer.oom())
> + return;
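Review bot: The early-return condition in the added guard is inverted. `if (!writer.oom()) return;` returns on the normal path, so no payload is written unless the buffer has already run out of memory, and on the OOM path the function carries on and the packed-tag step still mutates a buffer entry that was never appended, which is the case this patch is meant to prevent. The guard should read `if (writer.oom()) return;`.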
if (writer.oom())
return
Don't forget to remove the !
Updated (Assignee)•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
Updated•8 years ago
Group: javascript-core-security