Bug 1234397 - Crash [@ ??] with SharedArrayBuffer
Status: Closed, VERIFIED FIXED (target milestone mozilla46)
Opened 9 years ago, closed 8 years ago
Categories: Core :: JavaScript Engine, defect
Tracking:

Branch | Tracking | Status |
---|---|---|
firefox44 | --- | unaffected |
firefox45 | --- | fixed |
firefox46 | --- | verified |
firefox-esr38 | --- | unaffected |

People: Reporter: decoder, Assigned: lth
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 1.30 KB; luke: review+; Sylvestre: approval-mozilla-aurora+
The following testcase crashes on mozilla-central revision 0babaa3edcf9 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

  var sab = new SharedArrayBuffer(256501);

Backtrace:

  Program terminated with signal SIGSEGV, Segmentation fault.
  #0 0x00007f179eb70560 in ?? ()
  #1 0x00000000005604a3 in AsmJSFaultHandler (signum=<optimized out>, info=0x7ffe85f253f0, context=0x7ffe85f252c0) at js/src/asmjs/AsmJSSignalHandlers.cpp:1161
  #2 0x00007f179eb70340 in ?? ()
  #3 0x0000000000000001 in ?? ()
  #4 0x0000000000000000 in ?? ()

  rax 0x0 0
  rbx 0x7f179ee74130 139739426930992
  rcx 0xffffffffffffffff -1
  rdx 0x0 0
  rsi 0x1bc3340 29111104
  rdi 0xb 11
  rbp 0x7ffe85f252b0 140731145671344
  rsp 0x7ffe85f251f8 140731145671160
  r8 0x2 2
  r9 0x7f179d9002f8 139739404436216
  r10 0x7f179d8013d0 139739403391952
  r11 0x297 663
  r12 0x7ffe85f252c0 140731145671360
  r13 0x7ffe86722d80 140731154050432
  r14 0x7ffe86721810 140731154044944
  r15 0x7ffe85f253f0 140731145671664
  rip 0x7f179eb70560 139739423769952
  => 0x7f179eb70560:

Luke has already started investigating this crash a bit. It's nightly only, but marking s-s anyway because the crash looks dangerous.
Comment 1 • 9 years ago
Lars: it looks like the problem is that SharedArrayBuffer::New() tests IsValidAsmJSHeapLength(length) whereas SharedArrayBuffer::dropReference() tests IsValidAsmJSHeapLength(allocSize), and these can be different quantities (leading to us taking the "unmap 4GiB" path rather than the "unmap the real size" path).
Flags: needinfo?(lhansen)
Comment 3 • 9 years ago (Assignee)
What Luke said. The error came in with the rewrite of this code to handle the Win7 address space exhaustion problem.
Attachment #8700971 - Flags: review?(luke)
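To make the mismatch in comments 1 and 3 concrete, here is an added model of the two dispatch sites. It is example code written for this page, not SpiderMonkey source. It assumes a 4 KiB page, one header page included in allocSize, a 4 GiB reservation for asm.js-valid lengths, and a simplified stand-in for IsValidAsmJSHeapLength() (a power of two of at least one page, or a multiple of 16 MiB); the real predicate and allocation rule may differ. Under those assumptions the reporter's length of 256501 rounds to an allocSize of 262144 bytes, which is a power of two, so a release path that dispatches on allocSize picks the 4 GiB unmap for a 256 KiB mapping.

```cpp
// Added example: model of SharedArrayBuffer allocation/release dispatch.
// NOT SpiderMonkey code. Page size, header page, 4 GiB reservation and the
// validity predicate are assumptions made for this model.
#include <cstdint>
#include <cstdio>

namespace sab_model {

constexpr uint64_t kPageSize = 4096;                               // assumed
constexpr uint64_t kAsmJSMappedSize = 4ull * 1024 * 1024 * 1024;   // 4 GiB, assumed

// Assumed simplified stand-in for IsValidAsmJSHeapLength(): at least one
// page and either a power of two or a multiple of 16 MiB.
inline bool isValidAsmJSHeapLength(uint64_t n) {
    if (n < kPageSize) return false;
    bool powerOfTwo = (n & (n - 1)) == 0;
    bool multipleOf16MiB = (n & 0xffffff) == 0;
    return powerOfTwo || multipleOf16MiB;
}

// Assumed allocation-size rule: one header page plus the payload, rounded up
// to whole pages. This "allocSize" is the quantity that differs from "length".
inline uint64_t allocSizeFor(uint64_t length) {
    uint64_t bytes = length + kPageSize;
    return (bytes + kPageSize - 1) / kPageSize * kPageSize;
}

// What New() reserves: it dispatches on the requested length.
inline uint64_t reservedSizeFor(uint64_t length) {
    return isValidAsmJSHeapLength(length) ? kAsmJSMappedSize : allocSizeFor(length);
}

// Pre-fix release as described in comment 1: dispatches on allocSize.
inline uint64_t unmapSizeBuggy(uint64_t length) {
    uint64_t allocSize = allocSizeFor(length);
    return isValidAsmJSHeapLength(allocSize) ? kAsmJSMappedSize : allocSize;
}

// Fixed release: dispatches on the same value New() used.
inline uint64_t unmapSizeFixed(uint64_t length) {
    return isValidAsmJSHeapLength(length) ? kAsmJSMappedSize : allocSizeFor(length);
}

// True when the release path would unmap a region of a different size than
// the one actually reserved (either far too much, or too little).
inline bool releaseMismatch(uint64_t length, uint64_t (*unmapSize)(uint64_t)) {
    return unmapSize(length) != reservedSizeFor(length);
}

} // namespace sab_model

int main() {
    using namespace sab_model;
    // 256501 is the length from the reporter's testcase; 65536 and 10 are
    // constructed inputs showing the other direction and a tiny buffer.
    const uint64_t lengths[] = {256501, 65536, 10};
    for (uint64_t len : lengths) {
        std::printf("length=%llu reserved=%llu buggyUnmap=%llu fixedUnmap=%llu mismatch(buggy)=%d mismatch(fixed)=%d\n",
                    (unsigned long long)len,
                    (unsigned long long)reservedSizeFor(len),
                    (unsigned long long)unmapSizeBuggy(len),
                    (unsigned long long)unmapSizeFixed(len),
                    releaseMismatch(len, unmapSizeBuggy),
                    releaseMismatch(len, unmapSizeFixed));
    }
    return 0;
}
```

Running it shows both failure directions of the pre-fix dispatch: an asm.js-invalid length whose allocSize happens to be valid (256501, and also 10, whose allocSize rounds to 8192) unmaps 4 GiB from a small mapping, while a valid length such as 65536 has an allocSize that is not valid and so unmaps only a fraction of the 4 GiB reservation. The fix in this bug dispatches on the same value at both sites; the more robust pattern is to record the mapped size at allocation time and release exactly that, so the two sites cannot drift apart again.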
Updated • 9 years ago (Assignee)
Assignee: nobody → lhansen
Status: NEW → ASSIGNED
Updated • 9 years ago
Attachment #8700971 - Flags: review?(luke) → review+
Comment 4 • 9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/5f330d996ca4e3bd5a8c2c12e5867a406e27af66
Bug 1234397 - dispatch on the correct value. r=luke
Updated • 9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 5 • 9 years ago
JSBugMon: Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c0c86c046d88
user: Lars T Hansen
date: Thu Dec 03 16:52:31 2015 +0100
summary: Bug 1230162 - allocate less, when we can. r=luke

This iteration took 282.161 seconds to run.
Comment 6 • 9 years ago (Assignee)
(In reply to Fuzzing Team from comment #5)
> This iteration took 282.161 seconds to run.

But 36 hours to report?

(In reply to Lars T Hansen [:lth] from comment #6)
> But 36 hours to report?

JSBugMon had hung and we restarted it recently. That message was from autoBisect, which JSBugMon makes use of.
Comment 8 • 9 years ago (Assignee)
Comment on attachment 8700971 [details] [diff] [review]
check the right length

Approval Request Comment
[Feature/regressing bug #]:
[User impact if declined]: Crashes, possible but unclear security impact cross-platform
[Describe test coverage new/current, TreeHerder]: Fuzz test, not landed
[Risks and why]: Zero risk for this change, old code was clearly incorrect
[String/UUID change made/needed]:
Attachment #8700971 - Flags: approval-mozilla-aurora?
Comment 9 • 8 years ago
https://hg.mozilla.org/mozilla-central/rev/5f330d996ca4
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Updated • 8 years ago
Status: RESOLVED → VERIFIED
Comment 10 • 8 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 8 years ago
status-firefox45: --- → affected
Comment 11 • 8 years ago
Comment on attachment 8700971 [details] [diff] [review]
check the right length

Fix a crash, taking it.
Attachment #8700971 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Looks like this was already uplifted to aurora in https://hg.mozilla.org/releases/mozilla-aurora/rev/7f9d120b9eae
Updated • 8 years ago
Group: javascript-core-security → core-security-release
Updated • 8 years ago
Group: core-security-release