Closed Bug 1205708 Opened 4 years ago Closed 4 years ago

Assertion failure: !errorString_, at js/src/asmjs/AsmJSValidate.cpp:2096 with OOM

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla44
Tracking Status
firefox43 --- affected
firefox44 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision e7d613b3bcfe (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager --ion-extra-checks --ion-eager):

var lfcode = new Array();
var lfRunTypeId = -1;
lfcode.push = loadFile;
oomAfterAllocations(10, 2);
lfcode.push(`
function mod(stdlib, ffi, heap) {
    "use asm";
    function f3(k) {
        k = k | 0;
    }
    function g3(k) {}
`);
function loadFile(lfVarx) {
    switch (lfRunTypeId) {
        default: evaluate(lfVarx, {
        });
    }
}


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000536dcd in (anonymous namespace)::ModuleValidator::failOffset (
    this=0x7fff7df2da30, offset=<optimized out>, str=<optimized out>)
    at js/src/asmjs/AsmJSValidate.cpp:2096
To enable execution of this file add
	add-auto-load-safe-path /home/ubuntu/mozilla-central/js/src/debug64/dist/bin/js-gdb.py
line to your configuration file "/home/ubuntu/.gdbinit".
To completely disable this security protection add
	set auto-load safe-path /
line to your configuration file "/home/ubuntu/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
	info "(gdb)Auto-loading safe path"
#0  0x0000000000536dcd in (anonymous namespace)::ModuleValidator::failOffset (this=0x7fff7df2da30, offset=<optimized out>, str=<optimized out>) at js/src/asmjs/AsmJSValidate.cpp:2096
#1  0x000000000043fb16 in CheckFunctions (m=..., results=results@entry=0x7fff7df2d980) at js/src/asmjs/AsmJSValidate.cpp:11045
#2  0x00000000005b52a3 in CheckModule (compilationTimeReport=0x7fff7df2d960, moduleOut=0x7fff7df2d970, stmtList=0x7fff7df2da30, parser=..., cx=0x7f1d6ae06800) at js/src/asmjs/AsmJSValidate.cpp:12388
#3  js::ValidateAsmJS (cx=0x7f1d6ae06800, parser=..., stmtList=stmtList@entry=0x7f1d6ae8b6b0, validated=validated@entry=0x7fff7df2dd60) at js/src/asmjs/AsmJSValidate.cpp:12472
#4  0x00000000004c21ca in js::frontend::Parser<js::frontend::FullParseHandler>::asmJS (this=this@entry=0x7fff7df2f0d0, list=0x7f1d6ae8b6b0) at js/src/frontend/Parser.cpp:2987
#5  0x00000000004d630f in js::frontend::Parser<js::frontend::FullParseHandler>::maybeParseDirective (this=this@entry=0x7fff7df2f0d0, list=list@entry=0x7f1d6ae8b6b0, pn=pn@entry=0x7f1d6ae8b720, cont=cont@entry=0x7fff7df2dde0) at js/src/frontend/Parser.cpp:3062
#6  0x00000000004f3414 in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=this@entry=0x7fff7df2f0d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3128
#7  0x00000000004f377b in js::frontend::Parser<js::frontend::FullParseHandler>::functionBody (this=this@entry=0x7fff7df2f0d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=kind@entry=js::frontend::Statement, type=type@entry=js::frontend::Parser<js::frontend::FullParseHandler>::StatementListBody) at js/src/frontend/Parser.cpp:1141
#8  0x00000000004f3cf0 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBodyGeneric (this=this@entry=0x7fff7df2f0d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, pn=pn@entry=0x7f1d6ae8b288, fun=fun@entry=..., kind=kind@entry=js::frontend::Statement) at js/src/frontend/Parser.cpp:2809
#9  0x00000000004cb2c5 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody (this=this@entry=0x7fff7df2f0d0, inHandling=inHandling@entry=js::frontend::InAllowed, pn=0x7f1d6ae8b288, fun=..., fun@entry=..., kind=kind@entry=js::frontend::Statement, generatorKind=generatorKind@entry=js::NotGenerator, inheritedDirectives=..., newDirectives=newDirectives@entry=0x7fff7df2e400) at js/src/frontend/Parser.cpp:2613
#10 0x00000000004f40da in js::frontend::Parser<js::frontend::FullParseHandler>::functionDef (this=this@entry=0x7fff7df2f0d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funName=..., funName@entry=..., kind=kind@entry=js::frontend::Statement, generatorKind=generatorKind@entry=js::NotGenerator, invoked=invoked@entry=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked) at js/src/frontend/Parser.cpp:2443
#11 0x00000000004f43a9 in js::frontend::Parser<js::frontend::FullParseHandler>::functionStmt (this=this@entry=0x7fff7df2f0d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, defaultHandling=defaultHandling@entry=js::frontend::NameRequired) at js/src/frontend/Parser.cpp:2893
#12 0x00000000004f2f2d in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=this@entry=0x7fff7df2f0d0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:6718
#13 0x000000000062668b in BytecodeCompiler::compileScript (this=this@entry=0x7fff7df2ea60, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:588
#14 0x0000000000626be3 in js::frontend::CompileScript (cx=cx@entry=0x7f1d6ae06800, alloc=<optimized out>, scopeChain=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=source_@entry=0x0, extraSct=extraSct@entry=0x7fff7df2fad0, sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:807
#15 0x0000000000b8db04 in Evaluate (cx=cx@entry=0x7f1d6ae06800, scope=..., staticScope=..., staticScope@entry=..., optionsArg=..., srcBuf=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4446
#16 0x0000000000b8ddd4 in JS::Evaluate (cx=cx@entry=0x7f1d6ae06800, options=..., bytes=<optimized out>, length=3860, rval=rval@entry=...) at js/src/jsapi.cpp:4503
#17 0x0000000000b8e0f7 in Evaluate (rval=..., filename=<optimized out>, optionsArg=..., cx=0x7f1d6ae06800, cx@entry=0x7fff7df2fce0) at js/src/jsapi.cpp:4520
#18 JS::Evaluate (cx=cx@entry=0x7f1d6ae06800, optionsArg=..., filename=<optimized out>, rval=..., rval@entry=...) at js/src/jsapi.cpp:4556
#19 0x0000000000486751 in LoadScript (cx=0x7f1d6ae06800, argc=<optimized out>, vp=0x7fff7df2ffc8, scriptRelative=false) at js/src/shell/js.cpp:785
#20 0x00007f1d6a1747ff in ?? ()
#21 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fff7df2da30	140735306455600
rcx	0x7f1d6b16588d	139764327405709
rdx	0x0	0
rsi	0x7f1d6b43a9d0	139764330375632
rdi	0x7f1d6b4391c0	139764330369472
rbp	0x7fff7df2d710	140735306454800
rsp	0x7fff7df2d6f0	140735306454768
r8	0x7f1d6c4aa780	139764347611008
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7f1d6b436be0	139764330359776
r11	0x0	0
r12	0x7fff7df2d840	140735306455104
r13	0x7f1d6ae05c00	139764323867648
r14	0x7fff7df2d810	140735306455056
r15	0x0	0
rip	0x536dcd <(anonymous namespace)::ModuleValidator::failOffset(uint32_t, char const*)+141>
=> 0x536dcd <(anonymous namespace)::ModuleValidator::failOffset(uint32_t, char const*)+141>:	movl   $0x830,0x0
   0x536dd8 <(anonymous namespace)::ModuleValidator::failOffset(uint32_t, char const*)+152>:	callq  0x4982c0 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150911071052" and the hash "9394c5f63b56b784dcdb9f70fa0b7f428bdf4d8c".
The "bad" changeset has the timestamp "20150911071250" and the hash "9c1c2581ad6501c9a8a36920043856d46ec19c20".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9394c5f63b56b784dcdb9f70fa0b7f428bdf4d8c&tochange=9c1c2581ad6501c9a8a36920043856d46ec19c20
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision de0e763b5210).
Attached patch ht.patchSplinter Review
(In reply to Fuzzing Team from comment #2)
> JSBugMon: The testcase found in this bug no longer reproduces (tried
> revision de0e763b5210).

And yet, it moves!

So the error is the following: there's an OOM on the helper thread, but validation has already failed on the main thread. So we already have an errorString_ and we try to clobber it (not security-sensitive).

I thought we could assume that if the main thread didn't set an error, then the error **must** have occurred on the helper thread; but that's actually not the case. When we hit a syntax error that would be thrown even on "normal" JS, then we just silently return false from asm.js (to not throw the SyntaxError twice).
Assignee: nobody → benj
Status: NEW → ASSIGNED
Attachment #8663627 - Flags: review?(luke)
Attachment #8663627 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/da185719b98e
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in before you can comment on or make changes to this bug.