Closed Bug 1208403 Opened 9 years ago Closed 9 years ago

Crash [@ js::jit::AddSizeOfBaselineData] (and various other crashes) with byteSizeOfScript shell function

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla44
Tracking Status
firefox44 --- fixed

People

(Reporter: decoder, Assigned: jandem)

Details

(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision f1dffc8682fb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --ion-eager --ion-offthread-compile=off):

assertEq(byteSizeOfScript(Array) > 1, true);


Backtrace:

Program terminated with signal 11, Segmentation fault.
#0  js::jit::AddSizeOfBaselineData (script=<optimized out>, mallocSizeOf=mallocSizeOf@entry=0x44bd00 <moz_malloc_size_of(void const*)>, data=data@entry=0x7ffcdee122e0, fallbackStubs=fallbackStubs@entry=0x7ffcdee122e8) at js/src/jit/ICStubSpace.h:39
#1  0x00000000009468e1 in JS::ubi::Concrete<JSScript>::size (this=0x7ffcdee12340, mallocSizeOf=0x44bd00 <moz_malloc_size_of(void const*)>) at js/src/jsscript.cpp:4339
#2  0x000000000052c1d5 in size (mallocSizeof=<optimized out>, this=0x7ffcdee12340) at ../../dist/include/js/UbiNode.h:756
#3  ByteSizeOfScript (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2487
#4  0x00000000005e8561 in CallJSNative (args=..., native=0x52c0e0 <ByteSizeOfScript(JSContext*, unsigned int, JS::Value*)>, cx=0x7f3bbb207000) at js/src/jscntxtinlines.h:235
#5  js::Invoke (cx=0x7f3bbb207000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:768
#6  0x00000000005e2242 in Interpret (cx=0x7f3bbb207000, state=...) at js/src/vm/Interpreter.cpp:3071
#7  0x00000000005e7a4d in js::RunScript (cx=cx@entry=0x7f3bbb207000, state=...) at js/src/vm/Interpreter.cpp:709
#8  0x00000000005e8311 in js::Invoke (cx=cx@entry=0x7f3bbb207000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:786
#9  0x00000000005e8ccb in js::Invoke (cx=cx@entry=0x7f3bbb207000, thisv=..., fval=..., argc=argc@entry=0, argv=<optimized out>, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:823
#10 0x00000000008764b0 in js::jit::InvokeFunction (cx=0x7f3bbb207000, obj=..., constructing=<optimized out>, argc=0, argv=0x7ffcdee13310, rval=...) at js/src/jit/VMFunctions.cpp:96
#11 0x00007f3bbc880264 in ?? ()
[...]
#21 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x4800000125840f0a	5188146775655190282
rcx	0x3e	62
rdx	0x0	0
rsi	0x44bd00	4504832
rdi	0x4800000125840f0a	5188146775655190282
rbp	0x0	0
rsp	0x7ffcdee122a0	140724047782560
r8	0x2	2
r9	0x11	17
r10	0x7f3bbb3010d8	139894520287448
r11	0xe	14
r12	0x44bd00	4504832
r13	0x7ffcdee122e8	140724047782632
r14	0x1	1
r15	0x7ffcdee123b0	140724047782832
rip	0x6fc424 <js::jit::AddSizeOfBaselineData(JSScript*, unsigned long (*)(void const*), unsigned long*, unsigned long*)+52>
=> 0x6fc424 <js::jit::AddSizeOfBaselineData(JSScript*, unsigned long (*)(void const*), unsigned long*, unsigned long*)+52>:	mov    0x10(%rbx),%rbx
   0x6fc428 <js::jit::AddSizeOfBaselineData(JSScript*, unsigned long (*)(void const*), unsigned long*, unsigned long*)+56>:	test   %rbx,%rbx


Marking fuzzblocker because it asserts/crashes in various ways.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150922121034" and the hash "e39c3474267e273b3ecd847a86fb788b43de4301".
The "bad" changeset has the timestamp "20150922121636" and the hash "562373c7e91c8b8872a3c1cbdfdcbeb5af769a8a".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e39c3474267e273b3ecd847a86fb788b43de4301&tochange=562373c7e91c8b8872a3c1cbdfdcbeb5af769a8a
involves ByteSizeOfScript => needinfo fitzgen who implemented it :)
see comment 2 (mid-air collision with the bisection bot)
Flags: needinfo?(nfitzgerald)
Looking into this.
Assignee: nobody → nfitzgerald
Status: NEW → ASSIGNED
Flags: needinfo?(nfitzgerald)
This is marked as a fuzzblocker and still not fixed. Please fix it now, thanks :)
Flags: needinfo?(nfitzgerald)
Assignee: nfitzgerald → jdemooij
Attached patch: Patch (Splinter Review)
The byteSizeOfScript shell function was missing a check to guard against native functions.
Attachment #8670767 - Flags: review?(jcoppeard)
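The root cause named in the comment above is a missing type check: a native (C++-implemented) builtin such as Array has no JSScript, so size accounting that walks "the function's script" dereferences garbage, which is why the fuzzer saw a segfault in AddSizeOfBaselineData and other crashes depending on what memory happened to be there. The following is an added example, not SpiderMonkey code or the attached patch: a minimal stand-alone model with hypothetical types (Script, Function, SizeResult, byteSizeOfScript) showing the shape of the guard, where the native-function case is rejected with an error before any script-specific code runs.

```cpp
#include <cstddef>
#include <string>

// Added example (not SpiderMonkey code): a minimal model of the invariant the
// fix relies on. Interpreted, script-backed functions own a script whose
// bytecode and JIT data can be measured; native functions such as Array are
// implemented in C++ and carry no script, so any size computation that blindly
// dereferences "the script" reads through a null or bogus pointer.

struct Script {
    size_t bytecodeBytes;
    size_t baselineDataBytes;   // stands in for the data AddSizeOfBaselineData walks
};

struct Function {
    const char* name;
    const Script* script;       // nullptr for native functions (hypothetical layout)
    bool isNative() const { return script == nullptr; }
};

struct SizeResult {
    bool ok;
    size_t bytes;               // meaningful only when ok
    std::string error;          // set only when !ok
};

// Pure measurement helper: it assumes the caller already established that a
// script exists, which is exactly the precondition the unguarded caller broke.
static size_t addSizeOfScript(const Script& s) {
    return s.bytecodeBytes + s.baselineDataBytes;
}

// Hardened entry point modelled on the described fix: refuse native functions
// up front and report a JS-level error, instead of letting the violated
// precondition surface as a crash inside the size walker.
SizeResult byteSizeOfScript(const Function& fn) {
    if (fn.isNative()) {
        return {false, 0,
                std::string("byteSizeOfScript: ") + fn.name +
                    " is a native function and has no script"};
    }
    return {true, addSizeOfScript(*fn.script), ""};
}

// Sample data (constructed for this example): a native builtin, as in the
// testcase `byteSizeOfScript(Array)`, and a script-backed user function.
static const Script kUserScript{120, 4096};
static const Function kArrayBuiltin{"Array", nullptr};
static const Function kUserFunction{"f", &kUserScript};

int main() {
    SizeResult native = byteSizeOfScript(kArrayBuiltin);   // rejected, no deref
    SizeResult scripted = byteSizeOfScript(kUserFunction); // 120 + 4096 = 4216
    return (!native.ok && scripted.ok && scripted.bytes == 4216) ? 0 : 1;
}
```

The defensive point generalises beyond this one testing function: any debugging or introspection helper exposed to fuzzers should validate the dynamic type of its argument before handing it to code that assumes a narrower type, since those helpers run with the same privileges as the engine and a bad assumption there is a memory-safety bug, not just a wrong answer.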
Comment on attachment 8670767 [details] [diff] [review]
Patch

Review of attachment 8670767 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good!
Attachment #8670767 - Flags: review?(jcoppeard) → review+
Flags: needinfo?(nfitzgerald)
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1f4cf75c8948).
https://hg.mozilla.org/mozilla-central/rev/c96111315a3f
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:update]