1211977 - Crash [@ used]

Status: RESOLVED DUPLICATE of bug 1209026

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 9169f652fe5e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-check-range-analysis --ion-eager --baseline-eager --ion-extra-checks):

See attachment.


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  used (this=0x0) at js/src/jit/Label.h:42
#1  js::jit::AssemblerX86Shared::bind (this=0x7f35fcaf1058, label=0x0) at js/src/jit/x86-shared/Assembler-x86-shared.h:932
#2  0x0000000000943975 in js::jit::CodeGenerator::getJumpLabelForBranch (this=this@entry=0x7f35fcaf1000, block=0x7f35fcdef9c8) at js/src/jit/CodeGenerator.cpp:664
#3  0x0000000000965462 in js::jit::CodeGenerator::visitTestVAndBranch (this=0x7f35fcaf1000, lir=0x7f35fc90d600) at js/src/jit/CodeGenerator.cpp:709
#4  0x00000000009a682e in js::jit::CodeGenerator::generateBody (this=this@entry=0x7f35fcaf1000) at js/src/jit/CodeGenerator.cpp:4149
#5  0x00000000009a6f6a in js::jit::CodeGenerator::generate (this=this@entry=0x7f35fcaf1000) at js/src/jit/CodeGenerator.cpp:7859
#6  0x00000000009a718e in js::jit::GenerateCode (mir=mir@entry=0x7f35fcddc1a8, lir=0x7f35fcdfa180) at js/src/jit/Ion.cpp:1954
#7  0x00000000009a7275 in js::jit::CompileBackEnd (mir=0x7f35fcddc1a8) at js/src/jit/Ion.cpp:1976
#8  0x0000000000675e1a in js::HelperThread::handleIonWorkload (this=this@entry=0x7f35fee2e000) at js/src/vm/HelperThreads.cpp:1180
#9  0x0000000000676fd9 in js::HelperThread::threadLoop (this=0x7f35fee2e000) at js/src/vm/HelperThreads.cpp:1482
#10 0x00000000006cd8b1 in nspr::Thread::ThreadRoutine (arg=0x7f35fee2c080) at js/src/vm/PosixNSPR.cpp:45
#11 0x00007f360007a182 in start_thread (arg=0x7f35fedff700) at pthread_create.c:312
#12 0x00007f35ff16a47d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
rax	0x0	0
rbx	0x0	0
rcx	0xa	10
rdx	0x400	1024
rsi	0xe073ca	14709706
rdi	0xa	10
rbp	0x7f35fedfea60	139869886081632
rsp	0x7f35fedfea10	139869886081552
r8	0x0	0
r9	0xe084d8	14714072
r10	0x30	48
r11	0x7f35fedfea10	139869886081552
r12	0x31	49
r13	0x31	49
r14	0x7f35fcdef9c8	139869852465608
r15	0x7f35fcaf1058	139869849325656
rip	0x5bbd42 <js::jit::AssemblerX86Shared::bind(js::jit::Label*)+82>
=> 0x5bbd42 <js::jit::AssemblerX86Shared::bind(js::jit::Label*)+82>:	cmpb   $0x0,0x3(%rbx)
   0x5bbd46 <js::jit::AssemblerX86Shared::bind(js::jit::Label*)+86>:	jns    0x5bbd50 <js::jit::AssemblerX86Shared::bind(js::jit::Label*)+96>


The testcase doesn't reproduce for me but h4writer seems to already have found the issue, so filing now.

Comment 1

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 2

[Hannes Verschore [:h4writer]]

Attachment: Propagate OOM

Comment 3

[Benjamin Bouvier [:bbouvier] (inactive)]

Comment on attachment 8670360 [details] [diff] [review]
Propagate OOM

Review of attachment 8670360 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/CodeGenerator.cpp
@@ +659,4 @@
>      // backedges, so emit inline code for the patchable jump. Heap allocating
>      // the label allows it to be used by out of line blocks.
>      Label* res = alloc().lifoAlloc()->new_<Label>();
> +    masm.propagateOOM(res);

Can you make the coercion more explicit, please? !!res

Comment 4

[Jan de Mooij [:jandem]]

This looks like a duplicate of bug 1209026.

(I think with this patch we'll still crash though because we'll pass nullptr to masm.bind below.)