Closed Bug 1298804 Opened 8 years ago Closed 8 years ago

Crash [@ __memcpy_sse2_unaligned] with CloneBuffer

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla51
Tracking Status
firefox51 --- fixed

People

(Reporter: decoder, Assigned: sfink)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 1a5b53a831e5 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

lfLogBuffer = `serialize().clonebuffer`;
loadFile(lfLogBuffer);
loadFile(lfLogBuffer);
function loadFile(lfVarx) oomTest(function() {
  m = parseModule(lfVarx);
  m.declarationInstantiation();
  m.evaluation();
})

Backtrace:

received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:160
#0  __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:160
#1  0x0000000000ca6c96 in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=0x0) at /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2  mozilla::BufferList<js::SystemAllocPolicy>::ReadBytes (aSize=16, aData=0x0, aIter=<synthetic pointer>, this=0x7ffff03fec80) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/BufferList.h:365
#3  CloneBufferObject::getCloneBuffer_impl (cx=cx@entry=0x7ffff695f000, args=...) at js/src/builtin/TestingFunctions.cpp:2168
#4  0x0000000000ca7133 in JS::CallNonGenericMethod<&CloneBufferObject::is, &CloneBufferObject::getCloneBuffer_impl> (args=..., cx=0x7ffff695f000) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/CallNonGenericMethod.h:100
#5  CloneBufferObject::getCloneBuffer (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2179
#6  0x0000000000ae6349 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xca7060 <CloneBufferObject::getCloneBuffer(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#7  0x0000000000ad6873 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:454
#8  0x0000000000ad6ba6 in InternalCall (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:499
#9  0x0000000000ad6cfe in js::Call (cx=cx@entry=0x7ffff695f000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:518
#10 0x0000000000ad6e15 in js::CallGetter (cx=cx@entry=0x7ffff695f000, thisv=thisv@entry=..., getter=..., getter@entry=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:632
#11 0x0000000000ad70f7 in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=0x7ffff695f000) at js/src/vm/NativeObject.cpp:1739
#12 GetExistingProperty<(js::AllowGC)1> (cx=0x7ffff695f000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:1787
#13 0x0000000000ad9dde in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x7ffff695f000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2014
#14 0x0000000000ada410 in js::NativeGetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:2048
#15 0x00000000006a8264 in js::GetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1479
#16 0x0000000000adb305 in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:838
#17 js::GetProperty (cx=0x7ffff695f000, v=..., name=..., vp=...) at js/src/vm/Interpreter.cpp:4238
#18 0x0000000000acaa5c in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0x7ffff695f000) at js/src/vm/Interpreter.cpp:190
#19 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2632
#20 0x0000000000ad66c5 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:400
#21 0x0000000000adf69e in js::ExecuteKernel (cx=cx@entry=0x7ffff695f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffc388) at js/src/vm/Interpreter.cpp:681
#22 0x0000000000adfa40 in js::Execute (cx=cx@entry=0x7ffff695f000, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x7fffffffc388) at js/src/vm/Interpreter.cpp:714
#23 0x0000000000c1efce in js::ModuleObject::evaluate (cx=cx@entry=0x7ffff695f000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:932
#24 0x0000000000b314df in intrinsic_EvaluateModule (cx=0x7ffff695f000, argc=<optimized out>, vp=0x7fffffffc388) at js/src/vm/SelfHosting.cpp:2128
#25 0x00007ffff7e31d05 in ?? ()
#26 0x00007fffffffc3b0 in ?? ()
#27 0x00007fffffffc360 in ?? ()
#28 0x0000000000000000 in ?? ()

Registers:

rax 0xfff1000000000000 -4222124650659840
rbx 0x7ffff03fec80 140737224109184
rcx 0x20 32
rdx 0x10 16
rsi 0x7ffff69be000 140737330798592
rdi 0x0 0
rbp 0x7fffffffb580 140737488336256
rsp 0x7fffffffb4c8 140737488336072
r8  0x10 16
r9  0x7ffff03fec80 140737224109184
r10 0x10 16
r11 0x0 0
r12 0x10 16
r13 0x7ffff69be010 140737330798608
r14 0x7ffff69be000 140737330798592
r15 0x0 0
rip 0x7ffff6bd0fe0 <__memcpy_sse2_unaligned+496>

=> 0x7ffff6bd0fe0 <__memcpy_sse2_unaligned+496>: mov %rax,(%rdi)
   0x7ffff6bd0fe3 <__memcpy_sse2_unaligned+499>: mov -0x8(%rsi,%rdx,1),%rax

Likely a null pointer being passed to memcpy, not marking s-s.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, failed due to error (try manually).
Trying another attempt at bisection... In the meantime, setting needinfo? from :jonco as a start, as this seems to involve modules...
Flags: needinfo?(jcoppeard)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,bisect]
Here's a testcase that reproduces without using modules:

lfLogBuffer = `serialize().clonebuffer`;
loadFile(lfLogBuffer);
loadFile(lfLogBuffer);
function loadFile(lfVarx) oomTest(function() {
  evaluate(lfVarx);
})

I'm guessing Steve knows more about this.
Flags: needinfo?(jcoppeard) → needinfo?(sphink)
It didn't reproduce on the debug shell I had lying around, but the bug definitely looks like mine. Building another shell now.
Assignee: nobody → sphink
Flags: needinfo?(sphink)
Attachment #8789612 - Flags: review?(jcoppeard)
Attachment #8789612 - Flags: review?(jcoppeard) → review+
Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2e5657392d47
Missing OOM check in getCloneBuffer, r=jonco
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
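The crash is the classic shape of a missing OOM check: frame #2 of the backtrace shows BufferList::ReadBytes called with aData=0x0, so an allocation that failed under oomTest was handed straight to memcpy as the destination (rdi = 0 at the faulting mov). The block below is an added illustration of that pattern and of the fix, not SpiderMonkey code: ChunkReader, fallibleAlloc, g_simulateOOM and the two getCloneBuffer* functions are invented stand-ins, and the real mozilla::BufferList and TestingFunctions.cpp code differ in detail.

```cpp
// Added example (not SpiderMonkey code): an unchecked fallible allocation
// whose nullptr result reaches memcpy, beside the checked form.
// All names here are invented for the illustration.
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the shell's oomTest(): when set, every fallible allocation
// fails, which is exactly what the testcase on this bug exercises.
static bool g_simulateOOM = false;

static char* fallibleAlloc(size_t n) {
    if (g_simulateOOM) return nullptr;   // what malloc returns under memory pressure
    return static_cast<char*>(std::malloc(n));
}

// Minimal stand-in for a chunked buffer list: serialized bytes live in
// several non-contiguous chunks and are read out sequentially.
class ChunkReader {
public:
    explicit ChunkReader(std::vector<std::string> chunks)
        : chunks_(std::move(chunks)) {}

    size_t Size() const {
        size_t n = 0;
        for (const auto& c : chunks_) n += c.size();
        return n;
    }

    // Copies `size` bytes from the current position into `dest`. Like a real
    // ReadBytes it trusts the caller: a nullptr dest is a write to address 0.
    bool ReadBytes(char* dest, size_t size) {
        while (size > 0) {
            if (chunk_ >= chunks_.size()) return false;       // ran out of data
            const std::string& c = chunks_[chunk_];
            size_t avail = c.size() - offset_;
            size_t n = size < avail ? size : avail;
            std::memcpy(dest, c.data() + offset_, n);          // SIGSEGV if dest == nullptr
            dest += n; offset_ += n; size -= n;
            if (offset_ == c.size()) { ++chunk_; offset_ = 0; }
        }
        return true;
    }

private:
    std::vector<std::string> chunks_;
    size_t chunk_ = 0;
    size_t offset_ = 0;
};

// Buggy pattern: the allocation result is used without a null check.
// Under OOM `buf` is nullptr and ReadBytes() memcpy's into it.
std::string getCloneBufferUnchecked(ChunkReader& reader) {
    size_t size = reader.Size();
    char* buf = fallibleAlloc(size);
    reader.ReadBytes(buf, size);
    std::string out(buf, size);
    std::free(buf);
    return out;
}

// Fixed pattern: report OOM to the caller before the buffer is touched.
bool getCloneBufferChecked(ChunkReader& reader, std::string& out) {
    size_t size = reader.Size();
    if (size == 0) { out.clear(); return true; }   // malloc(0) may legally return nullptr
    char* buf = fallibleAlloc(size);
    if (!buf) return false;                        // the missing OOM check
    bool ok = reader.ReadBytes(buf, size);
    if (ok) out.assign(buf, size);
    std::free(buf);
    return ok;
}

int main() {
    std::vector<std::string> chunks = {"ab", "cde", "f"};   // constructed sample data
    std::string out;
    ChunkReader normal(chunks);
    std::cout << "normal: " << (getCloneBufferChecked(normal, out) ? out : "failed") << "\n";
    g_simulateOOM = true;
    ChunkReader oom(chunks);
    std::cout << "oom:    " << (getCloneBufferChecked(oom, out) ? out : "reported OOM") << "\n";
    return 0;
}
```

Only the checked variant is safe to call with g_simulateOOM set; calling getCloneBufferUnchecked in that state reproduces the null-destination memcpy. The point of the fix is that the failure is surfaced to the caller as an error rather than reaching the copy at all.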