Closed Bug 1234397 Opened 9 years ago Closed 8 years ago

Crash [@ ??] with SharedArrayBuffer

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla46
Tracking Status
firefox44 --- unaffected
firefox45 --- fixed
firefox46 --- verified
firefox-esr38 --- unaffected

People

(Reporter: decoder, Assigned: lth)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 0babaa3edcf9 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

var sab = new SharedArrayBuffer(256501);


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f179eb70560 in ?? ()
#1  0x00000000005604a3 in AsmJSFaultHandler (signum=<optimized out>, info=0x7ffe85f253f0, context=0x7ffe85f252c0) at js/src/asmjs/AsmJSSignalHandlers.cpp:1161
#2  0x00007f179eb70340 in ?? ()
#3  0x0000000000000001 in ?? ()
#4  0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7f179ee74130	139739426930992
rcx	0xffffffffffffffff	-1
rdx	0x0	0
rsi	0x1bc3340	29111104
rdi	0xb	11
rbp	0x7ffe85f252b0	140731145671344
rsp	0x7ffe85f251f8	140731145671160
r8	0x2	2
r9	0x7f179d9002f8	139739404436216
r10	0x7f179d8013d0	139739403391952
r11	0x297	663
r12	0x7ffe85f252c0	140731145671360
r13	0x7ffe86722d80	140731154050432
r14	0x7ffe86721810	140731154044944
r15	0x7ffe85f253f0	140731145671664
rip	0x7f179eb70560	139739423769952
=> 0x7f179eb70560:	


Luke has already started investigating this crash a bit. It's nightly only, but marking s-s anyway because the crash looks dangerous.
Lars: it looks like the problem is that SharedArrayBuffer::New() tests IsValidAsmJSHeapLength(length) whereas SharedArrayBuffer::dropReference() tests IsValidAsmJSHeapLength(allocSize), and these can be different quantities (leading to us taking the "unmap 4GiB" path rather than the "unmap the real size" path).
Flags: needinfo?(lhansen)
Ick.  Will look into it immediately.
Flags: needinfo?(lhansen)
What Luke said.  The error came in with the rewrite of this code to handle the Win7 address space exhaustion problem.
Attachment #8700971 - Flags: review?(luke)
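The following is an added example written for this page; it is not SpiderMonkey code and not the attached patch. It models the mismatch described in comment 1 and comment 3: the allocation path keys its layout decision on the requested length, while the pre-fix release path keys the unmap size on allocSize. The predicate is_valid_asmjs_heap_length, the rounding rule that makes allocSize differ from length, and the "4 GiB reservation or exact allocSize" layout are all assumed stand-ins, not the real IsValidAsmJSHeapLength rule. With the fuzzer's length 256501 the model shows the buggy release computing a 4 GiB munmap for a mapping that is really 262144 bytes; the fixed release uses the same quantity as New() and refuses to unmap anything but the real mapping.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>

#define MIB (1024u * 1024u)
#define ASMJS_4GIB ((uint64_t)1 << 32) /* size of the asm.js-style reservation */

/* Assumed stand-in for IsValidAsmJSHeapLength: accept powers of two from
 * 64 KiB to 16 MiB and multiples of 16 MiB above that. Not the real rule. */
static bool is_valid_asmjs_heap_length(uint32_t len)
{
    if (len < 64u * 1024u)
        return false;
    if (len <= 16u * MIB)
        return (len & (len - 1)) == 0;
    return len % (16u * MIB) == 0;
}

/* Assumed rounding: allocSize is length rounded up to the next accepted heap
 * length. This is the step that makes allocSize and length disagree.
 * Returns 0 if the rounded value does not fit in 32 bits. */
static uint32_t round_up_to_valid_heap_length(uint32_t len)
{
    if (len < 64u * 1024u)
        return 64u * 1024u;
    if (len <= 16u * MIB) {
        uint32_t p = 64u * 1024u;
        while (p < len)
            p <<= 1;
        return p;
    }
    uint64_t r = ((uint64_t)len + 16u * MIB - 1) / (16u * MIB) * (16u * MIB);
    return r > UINT32_MAX ? 0 : (uint32_t)r;
}

typedef struct {
    uint32_t length;      /* byteLength the script asked for */
    uint32_t allocSize;   /* what the allocator sized the backing store to */
    uint64_t mappedBytes; /* what mmap() was actually asked for */
    void *base;
} SharedBuffer;

/* New(): the layout decision is keyed on the requested length. */
static uint64_t mapping_size_for_new(uint32_t length, uint32_t allocSize)
{
    return is_valid_asmjs_heap_length(length) ? ASMJS_4GIB : allocSize;
}

/* Pre-fix dropReference(): keyed on allocSize. For 256501 the rounded
 * allocSize (262144) passes the predicate, so this yields 4 GiB for a
 * mapping that is really 262144 bytes. */
static uint64_t unmap_size_buggy(const SharedBuffer *b)
{
    return is_valid_asmjs_heap_length(b->allocSize) ? ASMJS_4GIB : b->allocSize;
}

/* Fixed dropReference(): the same predicate input New() used. */
static uint64_t unmap_size_fixed(const SharedBuffer *b)
{
    return is_valid_asmjs_heap_length(b->length) ? ASMJS_4GIB : b->allocSize;
}

static SharedBuffer *shared_buffer_new(uint32_t length)
{
    SharedBuffer *b = calloc(1, sizeof *b);
    if (!b)
        return NULL;
    b->length = length;
    b->allocSize = round_up_to_valid_heap_length(length);
    b->mappedBytes = mapping_size_for_new(length, b->allocSize);
    int prot = b->mappedBytes == ASMJS_4GIB ? PROT_NONE : PROT_READ | PROT_WRITE;
    int flags = MAP_PRIVATE | MAP_ANONYMOUS;
    if (b->mappedBytes == ASMJS_4GIB)
        flags |= MAP_NORESERVE; /* reserve address space only, commit nothing */
    b->base = mmap(NULL, (size_t)b->mappedBytes, prot, flags, -1, 0);
    if (b->base == MAP_FAILED) {
        free(b);
        return NULL;
    }
    return b;
}

/* Release with the fixed rule, and refuse to munmap anything other than what
 * was mapped: on a mismatch it returns false and leaks rather than unmapping
 * neighbouring address space. */
static bool shared_buffer_release(SharedBuffer *b)
{
    uint64_t n = unmap_size_fixed(b);
    bool ok = n == b->mappedBytes && munmap(b->base, (size_t)n) == 0;
    free(b);
    return ok;
}

int main(void)
{
    SharedBuffer *b = shared_buffer_new(256501); /* the fuzzer's length */
    if (!b)
        return 1;
    printf("length=%u allocSize=%u mapped=%llu\n", b->length, b->allocSize,
           (unsigned long long)b->mappedBytes);
    printf("buggy dropReference would munmap %llu bytes, fixed munmaps %llu\n",
           (unsigned long long)unmap_size_buggy(b),
           (unsigned long long)unmap_size_fixed(b));
    return shared_buffer_release(b) ? 0 : 1;
}
```

The point to carry away is the invariant, not the particular sizes: whatever quantity decides the mapping layout at allocation must be the quantity (or a stored copy of the decision) that drives the release, and a release path that can disagree with the allocation path should check the recorded mapping size before calling munmap.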
Assignee: nobody → lhansen
Status: NEW → ASSIGNED
Attachment #8700971 - Flags: review?(luke) → review+
Keywords: sec-high
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/c0c86c046d88
user:        Lars T Hansen
date:        Thu Dec 03 16:52:31 2015 +0100
summary:     Bug 1230162 - allocate less, when we can. r=luke

This iteration took 282.161 seconds to run.
(In reply to Fuzzing Team from comment #5)
> 
> This iteration took 282.161 seconds to run.

But 36 hours to report?
(In reply to Lars T Hansen [:lth] from comment #6)
> But 36 hours to report?

JSBugMon had hung and we restarted it recently. That message was from autoBisect, which JSBugMon makes use of.
Comment on attachment 8700971 [details] [diff] [review]
check the right length

Approval Request Comment
[Feature/regressing bug #]:
[User impact if declined]: Crashes, possible but unclear security impact cross-platform
[Describe test coverage new/current, TreeHerder]: Fuzz test, not landed
[Risks and why]: Zero risk for this change, old code was clearly incorrect
[String/UUID change made/needed]:
Attachment #8700971 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/5f330d996ca4
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Comment on attachment 8700971 [details] [diff] [review]
check the right length

Fix a crash, taking it.
Attachment #8700971 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Group: javascript-core-security → core-security-release
Group: core-security-release