Crash [@ __memcpy_avx_unaligned]

RESOLVED FIXED

Status

Core
JavaScript Engine: JIT
--
critical
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 2 bugs, {crash, jsbugmon, testcase})

Trunk
crash, jsbugmon, testcase
Points:
---

Firefox Tracking Flags

(firefox51 affected)

Details

(Whiteboard: [jsbugmon:ignore])

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
Created attachment 8788646 [details]
stack

I've been hitting thousands of crashes at __memcpy_avx_unaligned but strangely none of them are manually reproducible. Filing in case the stack makes sense.

One of the testcases seems to involve running the testcase file "js/src/jit-test/tests/asm.js/testBug1117255.js" but I've tried manually running it with the flags "--fuzzing-safe --ion-sincos=on --no-ggc --no-unboxed-objects --gc-zeal=15 --no-threads --no-native-regexp --ion-offthread-compile=off --ion-inlining=off --ion-regalloc=testbed --ion-extra-checks" on the same m-c rev b18c8bcdc116 but this didn't help.

backtrace

#0  __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:238
#1  0x0000000000a0a519 in memcpy (__len=65536, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2  js::ArrayBufferObject::prepareForAsmJS (cx=cx@entry=0x7fe75e444000, buffer=buffer@entry=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/ArrayBufferObject.cpp:726
#3  0x000000000055c2cb in CheckBuffer (metadata=..., metadata=..., buffer=..., bufferVal=..., cx=0x7fe75e444000) at /home/ubuntu/trees/mozilla-central/js/src/asmjs/AsmJS.cpp:7809
#4  TryInstantiate (exportObj=..., instanceObj=..., metadata=..., module=..., cx=0x7fe75e444000, args=...) at /home/ubuntu/trees/mozilla-central/js/src/asmjs/AsmJS.cpp:7885
#5  InstantiateAsmJS (cx=cx@entry=0x7fe75e444000, argc=3, vp=0x7fff056007f8) at /home/ubuntu/trees/mozilla-central/js/src/asmjs/AsmJS.cpp:8013
#6  0x0000000000ae83e9 in js::CallJSNative (cx=cx@entry=0x7fe75e444000, native=0x55a130 <InstantiateAsmJS(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/ubuntu/trees/mozilla-central/js/src/jscntxtinlines.h:235
#7  0x0000000000ad88e3 in js::InternalCallOrConstruct (cx=cx@entry=0x7fe75e444000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:454
#8  0x0000000000ad8c16 in InternalCall (cx=cx@entry=0x7fe75e444000, args=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:499
#9  0x0000000000ad8d6e in js::Call (cx=cx@entry=0x7fe75e444000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:518
#10 0x000000000091c0b6 in js::fun_apply (cx=cx@entry=0x7fe75e444000, argc=<optimized out>, vp=0x7fe753d183b8) at /home/ubuntu/trees/mozilla-central/js/src/jsfun.cpp:1318
#11 0x0000000000ae83e9 in js::CallJSNative (cx=cx@entry=0x7fe75e444000, native=0x91bdb0 <js::fun_apply(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/ubuntu/trees/mozilla-central/js/src/jscntxtinlines.h:235
#12 0x0000000000ad88e3 in js::InternalCallOrConstruct (cx=0x7fe75e444000, args=..., construct=js::NO_CONSTRUCT) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:454
#13 0x0000000000ad35ec in js::CallFromStack (args=..., cx=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:505
#14 Interpret (cx=0x7fe75e444000, state=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:2915
#15 0x0000000000ad8735 in js::RunScript (cx=cx@entry=0x7fe75e444000, state=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:400
#16 0x0000000000ae170e in js::ExecuteKernel (cx=cx@entry=0x7fe75e444000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:681
#17 0x0000000000ae1ab0 in js::Execute (cx=cx@entry=0x7fe75e444000, script=..., script@entry=..., envChainArg=..., rval=0x0) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:714
#18 0x00000000008c7d17 in Evaluate (cx=cx@entry=0x7fe75e444000, scopeKind=scopeKind@entry=js::ScopeKind::Global, env=..., optionsArg=..., srcBuf=..., rval=..., rval@entry=...) at /home/ubuntu/trees/mozilla-central/js/src/jsapi.cpp:4378
#19 0x00000000008c8228 in JS::Evaluate (cx=cx@entry=0x7fe75e444000, options=..., bytes=<optimized out>, length=2436, rval=rval@entry=...) at /home/ubuntu/trees/mozilla-central/js/src/jsapi.cpp:4430
#20 0x00000000008cf38d in Evaluate (rval=..., filename=0x7fe75375ebf0 "/home/ubuntu/trees/mozilla-central/js/src/jit-test/tests/asm.js/gating.js", optionsArg=..., cx=0x7fe75e444000) at /home/ubuntu/trees/mozilla-central/js/src/jsapi.cpp:4447
#21 JS::Evaluate (cx=cx@entry=0x7fe75e444000, optionsArg=..., filename=<optimized out>, rval=..., rval@entry=...) at /home/ubuntu/trees/mozilla-central/js/src/jsapi.cpp:4484
#22 0x0000000000452b69 in LoadScript (cx=0x7fe75e444000, argc=1, vp=0x7fe753d18268, scriptRelative=false) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:1273
#23 0x0000000000ae83e9 in js::CallJSNative (cx=cx@entry=0x7fe75e444000, native=0x452e20 <Load(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/ubuntu/trees/mozilla-central/js/src/jscntxtinlines.h:235
#24 0x0000000000ad88e3 in js::InternalCallOrConstruct (cx=0x7fe75e444000, args=..., construct=js::NO_CONSTRUCT) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:454
#25 0x0000000000ad35ec in js::CallFromStack (args=..., cx=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:505
#26 Interpret (cx=0x7fe75e444000, state=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:2915
#27 0x0000000000ad8735 in js::RunScript (cx=cx@entry=0x7fe75e444000, state=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:400
#28 0x0000000000ae170e in js::ExecuteKernel (cx=cx@entry=0x7fe75e444000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:681
#29 0x0000000000ae1ab0 in js::Execute (cx=cx@entry=0x7fe75e444000, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x0) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:714
#30 0x00000000008b91b5 in ExecuteScript (cx=cx@entry=0x7fe75e444000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at /home/ubuntu/trees/mozilla-central/js/src/jsapi.cpp:4288
#31 0x00000000008bccc5 in JS_ExecuteScript (cx=cx@entry=0x7fe75e444000, scriptArg=scriptArg@entry=...) at /home/ubuntu/trees/mozilla-central/js/src/jsapi.cpp:4321
#32 0x000000000042b0bb in RunFile (compileOnly=false, file=0x7fe75e423000, filename=<optimized out>, cx=0x7fe75e444000) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:641
#33 Process (cx=cx@entry=0x7fe75e444000, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:1015
#34 0x000000000043c766 in ProcessArgs (op=0x7fff05602980, cx=0x7fe75e444000) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:6879
#35 Shell (envp=<optimized out>, op=0x7fff05602980, cx=0x7fe75e444000) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:7248
#36 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:7623


autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f6fddb22a8b5
user:        Dimo
date:        Mon Aug 29 21:30:04 2016 -0500
summary:     Bug 1287967 - Baldr: Add current_memory and grow_memory (r=luke,sunfish)

Setting s-s in case this is anything bad.

Luke, Dan, is bug 1287967 a likely regressor?
Flags: needinfo?(sunfish)
Flags: needinfo?(luke)
(Reporter)

Comment 1

2 years ago
Created attachment 8788648 [details]
stack for testcase involving testBug1117255.js

Comment 2

2 years ago
Looking at the crash, the faulting destination addr is 32 so this is a bug I had actually noticed and fixed in bug 1298202, second patch.  (The bug is that the null check in prepareForAsmJS is on wasmBuf->dataPointer(), not wasmBuf.)  Bug 1298202 should be landing soon.
Flags: needinfo?(luke)
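The defect comment 2 describes, as an added example that is not SpiderMonkey's own code: a null check written against a field read through the pointer (wasmBuf->dataPointer()) instead of against the pointer itself (wasmBuf). The stand-in struct, its layout, the allocator and the function names are all assumptions made here; the layout is chosen so the data-pointer field sits at offset 32, which is why a null object would fault at destination address 32, and the 64 KiB copy length mirrors the __len=65536 in the backtrace.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Constructed stand-in for the wasm buffer object discussed in comment 2.
// The layout is an assumption: it puts the data-pointer field at offset 32,
// matching the faulting destination address quoted there.
struct WasmBufStandIn {
    uint8_t header[32];   // placeholder header bytes (constructed)
    uint8_t* dataPtr;     // the field that dataPointer() returns
    size_t length;

    uint8_t* dataPointer() const { return dataPtr; }
};

static_assert(offsetof(WasmBufStandIn, dataPtr) == 32,
              "stand-in layout must put dataPtr at offset 32");

// Hypothetical allocator. simulateFailure models the allocation failure
// that the null check in prepareForAsmJS is meant to guard against.
WasmBufStandIn* allocateWasmBuf(size_t len, bool simulateFailure) {
    if (simulateFailure)
        return nullptr;
    WasmBufStandIn* buf =
        static_cast<WasmBufStandIn*>(calloc(1, sizeof(WasmBufStandIn)));
    if (!buf)
        return nullptr;
    buf->dataPtr = static_cast<uint8_t*>(calloc(len, 1));
    if (!buf->dataPtr) {
        free(buf);
        return nullptr;
    }
    buf->length = len;
    return buf;
}

void freeWasmBuf(WasmBufStandIn* buf) {
    if (!buf)
        return;
    free(buf->dataPtr);
    free(buf);
}

// Shape of the defect: the check is on the field read *through* the pointer.
// When allocation fails, wasmBuf is null and wasmBuf->dataPointer() reads
// address 0 + offsetof(dataPtr) == 32 before the check can reject anything.
// Kept for comparison only; never call it with simulateFailure == true.
bool prepareBuggyShape(const uint8_t* src, size_t len, bool simulateFailure,
                       WasmBufStandIn** out) {
    WasmBufStandIn* wasmBuf = allocateWasmBuf(len, simulateFailure);
    if (!wasmBuf->dataPointer())   // BUG: dereferences wasmBuf before checking it
        return false;
    memcpy(wasmBuf->dataPointer(), src, len);
    *out = wasmBuf;
    return true;
}

// Corrected shape: test the pointer itself, then use it.
bool prepareFixedShape(const uint8_t* src, size_t len, bool simulateFailure,
                       WasmBufStandIn** out) {
    WasmBufStandIn* wasmBuf = allocateWasmBuf(len, simulateFailure);
    if (!wasmBuf)                  // null check on the object, not on its field
        return false;
    memcpy(wasmBuf->dataPointer(), src, len);
    *out = wasmBuf;
    return true;
}

// The address a null object's dataPtr read would touch: the "32" in comment 2.
uintptr_t nullFieldFaultAddress() {
    return static_cast<uintptr_t>(offsetof(WasmBufStandIn, dataPtr));
}

// Runs the corrected path over a constructed 64 KiB source. Returns true when
// the copy succeeded and matches the source, false when the simulated
// allocation failure was handled without touching a null object.
bool prepareAndVerify(bool simulateFailure) {
    const size_t len = 65536;
    uint8_t* src = static_cast<uint8_t*>(malloc(len));
    if (!src)
        return false;
    for (size_t i = 0; i < len; i++)
        src[i] = static_cast<uint8_t>(i * 31u);   // constructed byte pattern

    WasmBufStandIn* out = nullptr;
    bool ok = prepareFixedShape(src, len, simulateFailure, &out);
    if (ok)
        ok = memcmp(out->dataPointer(), src, len) == 0;

    freeWasmBuf(out);
    free(src);
    return ok;
}
```

The reason the faulting address is diagnostic: a crash at a small constant address equal to a field offset is the signature of a member read through a null object pointer, which points straight at the misplaced check rather than at memcpy itself.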

Updated

2 years ago
Flags: needinfo?(sunfish)

Comment 3

2 years ago
Also, this will always crash, so I don't think it's s-s.
(Reporter)

Comment 4

2 years ago
(In reply to Luke Wagner [:luke] from comment #3)
> Also, this will always crash, so I don't think it's s-s.

Someone should open this up - I had filed this in security-sensitive-core but I don't have permissions for that group.
Group: core-security
Duplicate of this bug: 1300882

Comment 6

2 years ago
Bug 1298202 is on m-c now so if you're able to confirm this has gone away, it's a good time to resolve.
(Reporter)

Comment 7

2 years ago
I'll just go ahead and resolve, and file a new bug if another issue re-appears.

FIXED by bug 1298202.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED