Closed Bug 1263902 Opened 4 years ago Closed 4 years ago

Crash [@ __strlen_sse2_bsf] with OOM and asm.js

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Assigned: lth)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])

Crash Data

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off):

lfLogBuffer = `
buf = new ArrayBuffer(4096)
function ffi() {}
function FFI1(glob, imp, b) {
    "use asm"
    var f32=new glob.Float32Array(b);
    var f64=new glob.Float64Array(b);
    var ffi=imp.ffi;
    function g() {
      ffi(+f64[0]);
    }
    return g;
}
g = FFI1(this, {ffi}, buf)
for (i of a) 
    for (j of a) {
        u32 = i;
    }
`.split('\n')
lfCodeBuffer = "";
while (true) {
    line = lfLogBuffer.shift()
    if (line == null) break;
    lfCodeBuffer += line + "\n"
}
loadFile(lfCodeBuffer)
function loadFile(lfVarx) {
   oomTest(function() {
       eval(lfVarx)
   })
} 



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
#0  __strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
#1  0x085619f1 in js::ExpandErrorArgumentsVA (cx=cx@entry=0xf7a77020, callback=callback@entry=0x8546240 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=274, messagep=messagep@entry=0xffffa090, reportp=reportp@entry=0xffffa0a0, argumentsType=argumentsType@entry=js::ArgumentsAreASCII, ap=0xffffa138 "\360\004\227\365\315\006\032\b", ap@entry=0xffffa134 "") at js/src/jscntxt.cpp:616
#2  0x08561c6a in js::ReportErrorNumberVA (cx=0xf7a77020, flags=flags@entry=1, callback=callback@entry=0x8546240 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=274, argumentsType=argumentsType@entry=js::ArgumentsAreASCII, ap=ap@entry=0xffffa134 "") at js/src/jscntxt.cpp:752
#3  0x08563464 in JS_ReportErrorFlagsAndNumber (cx=cx@entry=0xf7a77020, flags=flags@entry=1, errorCallback=0x8546240 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=274) at js/src/jsapi.cpp:5582
#4  0x081dc9a7 in LinkFail (str=0x0, cx=0xf7a77020) at js/src/asmjs/AsmJS.cpp:7028
#5  CheckBuffer (buffer=..., bufferVal=..., module=..., cx=0xf7a77020) at js/src/asmjs/AsmJS.cpp:7434
#6  DynamicallyLinkModule (exportObj=..., moduleObj=..., args=..., cx=0xf7a77020) at js/src/asmjs/AsmJS.cpp:7464
#7  LinkAsmJS (cx=0xf7a77020, argc=3, vp=0xf5625120) at js/src/asmjs/AsmJS.cpp:7626
#8  0x0871e30a in js::CallJSNative (cx=0xf7a77020, native=0x81db3f0 <LinkAsmJS(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#9  0x0871a79d in js::Invoke (cx=0xf7a77020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:476
#10 0x0870a38a in Interpret (cx=cx@entry=0xf7a77020, state=...) at js/src/vm/Interpreter.cpp:2807
#11 0x0871a51f in js::RunScript (cx=cx@entry=0xf7a77020, state=...) at js/src/vm/Interpreter.cpp:426
#12 0x0871d30d in js::ExecuteKernel (cx=cx@entry=0xf7a77020, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=evalInFrame@entry=..., result=0xffffaf88) at js/src/vm/Interpreter.cpp:682
#13 0x084c5d2b in EvalKernel (cx=cx@entry=0xf7a77020, args=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=..., scopeobj@entry=..., pc=0xf5750769 "{") at js/src/builtin/Eval.cpp:332
#14 0x084c6732 in js::DirectEval (cx=cx@entry=0xf7a77020, args=...) at js/src/builtin/Eval.cpp:439
#15 0x08280335 in js::jit::DoCallFallback (cx=0xf7a77020, frame=0xffffafc8, stub_=0xf7aaa0b0, argc=1, vp=0xffffaf88, res=...) at js/src/jit/BaselineIC.cpp:6100
#16 0xf7fcedce in ?? ()
#17 0xf7aaa0b0 in ?? ()
#18 0xf7fc8c5c in ?? ()
#19 0x0825cd1a in EnterBaseline (cx=0xf7aaa0b0, cx@entry=0xf7a77020, data=...) at js/src/jit/BaselineJIT.cpp:150
#20 0x0827ab9e in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a77020, state=...) at js/src/jit/BaselineJIT.cpp:188
#21 0x0871a5bb in js::RunScript (cx=cx@entry=0xf7a77020, state=...) at js/src/vm/Interpreter.cpp:416
#22 0x0871a7fa in js::Invoke (cx=0xf7a77020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:494
#23 0x0871bf4a in js::Invoke (cx=cx@entry=0xf7a77020, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:528
#24 0x08556d30 in JS_CallFunction (cx=cx@entry=0xf7a77020, obj=..., fun=fun@entry=..., args=..., rval=rval@entry=...) at js/src/jsapi.cpp:2865
#25 0x0886737b in OOMTest (cx=0xf7a77020, argc=1, vp=0xf56250b8) at js/src/builtin/TestingFunctions.cpp:1311
[...]
#47 main (argc=5, argv=0xffffcc24, envp=0xffffcc3c) at js/src/shell/js.cpp:7443
eax	0x0	0
ebx	0x98a9314	160076564
ecx	0x0	0
edx	0x0	0
esi	0x0	0
edi	0x0	0
ebp	0xffffa068	4294942824
esp	0xffff9fa4	4294942628
eip	0xf7d11e86 <__strlen_sse2_bsf+22>
=> 0xf7d11e86 <__strlen_sse2_bsf+22>:	movdqu (%edi),%xmm1
   0xf7d11e8a <__strlen_sse2_bsf+26>:	pcmpeqb %xmm1,%xmm0
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a196bd265eab
user:        Lars T Hansen
date:        Mon Nov 02 09:07:47 2015 +0100
summary:     Bug 1218643 - remove support for deprecated asm.js heap length.  r=luke

This iteration took 328.457 seconds to run.
That patch did not introduce the bug, but it changed a constraint so that an existing OOM problem is revealed.  The problem is that if a construction of an error message by JS_smprintf fails for OOM reasons then we start passing a null pointer around.  The problem is not exactly pervasive but this is not the only place it occurs.
Ben, can you look at the AsmJS.cpp changes?  Shu, can you look at the Debugger.cpp changes?  Thx.
Attachment #8742353 - Flags: review?(shu)
Assignee: nobody → lhansen
Status: NEW → ASSIGNED
Attachment #8742353 - Flags: review?(bbouvier)
Comment on attachment 8742353 [details] [diff] [review]
check return value from JS_smprintf

Review of attachment 8742353 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, thanks!
Attachment #8742353 - Flags: review?(bbouvier) → review+
Missed a spot in the JS shell
Attachment #8742355 - Flags: review?(shu)
Attachment #8742355 - Flags: review?(bbouvier)
Attachment #8742353 - Attachment is obsolete: true
Attachment #8742353 - Flags: review?(shu)
Comment on attachment 8742355 [details] [diff] [review]
check return value from JS_smprintf

(Cleaning up my own mess here.)

bbouvier r+'d the AsmJS.cpp bits on the previous patch.

Shu, can you look at the remaining changes to Debugger.cpp and js.cpp?  Thanks.
Attachment #8742355 - Flags: review?(bbouvier)
Comment on attachment 8742355 [details] [diff] [review]
check return value from JS_smprintf

Review of attachment 8742355 [details] [diff] [review]:
-----------------------------------------------------------------

Woops, thanks for the fix.
Attachment #8742355 - Flags: review?(shu) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 67ac40fb8f68).
Did this somehow land?
Flags: needinfo?(lhansen)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #9)
> Did this somehow land?

Not according to hg.mozilla.org.

Note this is 32-bit only.  It was reported on Linux but I've repro'd on Mac OS.

(There was some bug traffic earlier this month re rewriting the printf library, and if that happened & landed it could have affected the OOM condition here.)
Flags: needinfo?(lhansen)
https://hg.mozilla.org/mozilla-central/rev/ff00656a1bda
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
You need to log in before you can comment on or make changes to this bug.