Closed
Bug 1345423
Opened 7 years ago
Closed 7 years ago
Crash [@ js::jit::BaselineScript::icEntryFromReturnAddress]
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
RESOLVED
DUPLICATE
of bug 1347539
People
(Reporter: decoder, Assigned: h4writer)
References
Details
(6 keywords, Whiteboard: [jsbugmon:update,bisect])
Crash Data
Attachments
(2 files)
410.52 KB, text/plain
833 bytes, patch
The following testcase crashes on mozilla-central revision eb2364853477 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --thread-count=2 --disable-oom-functions --ion-extra-checks --ion-eager): See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0818c71e in js::jit::BaselineScript::icEntryFromReturnAddress (this=0x0, returnAddr=0x5f5ad2fb "\203\304\020\271\204\377\377\377\272\001") at js/src/jit/BaselineJIT.cpp:765
#0 0x0818c71e in js::jit::BaselineScript::icEntryFromReturnAddress (this=0x0, returnAddr=0x5f5ad2fb "\203\304\020\271\204\377\377\377\272\001") at js/src/jit/BaselineJIT.cpp:765
#1 0x0826b5c0 in js::jit::JitFrameIterator::baselineScriptAndPc (this=0xffffb494, scriptRes=0x0, pcRes=0xffffb408) at js/src/jit/JitFrames.cpp:238
#2 0x087297d9 in js::jit::BaselineFrame::trace (this=0xf42fe728, trc=0xf7951fd8, frameIterator=...) at js/src/jit/BaselineFrame.cpp:61
#3 0x08275a39 in js::jit::TraceJitActivation (activations=..., trc=0xf7951fd8) at js/src/jit/JitFrames.cpp:1475
#4 js::jit::TraceJitActivations (cx=0xf791d000, target=..., trc=0xf7951fd8) at js/src/jit/JitFrames.cpp:1502
#5 0x086e3ea6 in js::gc::GCRuntime::traceRuntimeCommon (this=0xf7950240, trc=0xf7951fd8, traceOrMark=js::gc::GCRuntime::MarkRuntime, lock=...) at js/src/gc/RootMarking.cpp:332
#6 0x086e509f in js::gc::GCRuntime::traceRuntimeForMajorGC (this=0xf7950240, trc=0xf7951fd8, lock=...) at js/src/gc/RootMarking.cpp:266
#7 0x0841e22b in js::gc::GCRuntime::beginMarkPhase (this=0xf7950240, reason=JS::gcreason::DEBUG_GC, lock=...) at js/src/jsgc.cpp:3933
#8 0x0842e752 in js::gc::GCRuntime::incrementalCollectSlice (this=0xf7950240, budget=..., reason=JS::gcreason::DEBUG_GC, lock=...) at js/src/jsgc.cpp:5925
#9 0x0842f7fa in js::gc::GCRuntime::gcCycle (this=0xf7950240, nonincrementalByAPI=false, budget=..., reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6281
#10 0x0842fbfc in js::gc::GCRuntime::collect (this=0xf7950240, nonincrementalByAPI=false, budget=..., reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6430
#11 0x0843055c in js::gc::GCRuntime::runDebugGC (this=0xf7950240) at js/src/jsgc.cpp:6965
#12 0x08667a19 in js::gc::GCRuntime::gcIfNeededPerAllocation (cx=0xf791d000, this=0xf7950240) at js/src/gc/Allocator.cpp:230
#13 js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0xf7950240, cx=0xf791d000, kind=js::gc::AllocKind::STRING) at js/src/gc/Allocator.cpp:191
#14 0x086687bc in js::Allocate<JSString, (js::AllowGC)1> (cx=0xf791d000) at js/src/gc/Allocator.cpp:142
#15 0x08595708 in JSFlatString::new_<(js::AllowGC)1, unsigned char> (length=218, chars=<optimized out>, cx=0xf791d000) at js/src/vm/String-inl.h:228
#16 NewStringDeflated<(js::AllowGC)1> (cx=0xf791d000, s=0xf5a7cf28 u"(funcName) {\n assertEq(typeof funcName, \"string\",\n", ' ' <repeats 13 times>, "\"enterFunc must be given a string funcName\");\n\n if (!StringEndsWith(funcName, \"()\"))\n funcName += \"()\";\n\n ArrayPush(callSta"..., n=218) at js/src/vm/String.cpp:1220
#17 0x085a4b65 in js::NewStringCopyN<(js::AllowGC)1, char16_t> (cx=0xf791d000, s=0xf5a7cf28 u"(funcName) {\n assertEq(typeof funcName, \"string\",\n", ' ' <repeats 13 times>, "\"enterFunc must be given a string funcName\");\n\n if (!StringEndsWith(funcName, \"()\"))\n funcName += \"()\";\n\n ArrayPush(callSta"..., n=218) at js/src/vm/String.cpp:1358
#18 0x0844c478 in js::ScriptSource::substring (stop=<optimized out>, start=12180, cx=0xf791d000, this=<optimized out>) at js/src/jsscript.cpp:1703
#19 JSScript::sourceData (cx=0xf791d000, script=...) at js/src/jsscript.cpp:1451
#20 0x08425235 in js::FunctionToString (cx=0xf791d000, fun=..., prettyPrint=true) at js/src/jsfun.cpp:1035
#21 0x084253f0 in fun_toStringHelper (cx=0xf791d000, obj=..., indent=0) at js/src/jsfun.cpp:1091
#22 0x084254ef in js::fun_toString (cx=0xf791d000, argc=0, vp=0xffffbcf8) at js/src/jsfun.cpp:1123
#23 0x08110fee in js::CallJSNative (args=..., native=<optimized out>, cx=0xf791d000) at js/src/jscntxtinlines.h:282
#24 js::InternalCallOrConstruct (cx=0xf791d000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:448
#25 0x08111ecb in InternalCall (args=..., cx=0xf791d000) at js/src/vm/Interpreter.cpp:493
#26 js::Call (cx=0xf791d000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:512
#27 0x0843e68b in js::Call (rval=..., thisObj=<optimized out>, fval=..., cx=0xf791d000) at js/src/vm/Interpreter.h:96
#28 MaybeCallMethod (cx=cx@entry=0xf791d000, obj=..., obj@entry=..., id=..., id@entry=..., vp=...) at js/src/jsobj.cpp:2982
#29 0x08441f01 in JS::OrdinaryToPrimitive (cx=0xf791d000, obj=..., hint=JSTYPE_UNDEFINED, vp=...) at js/src/jsobj.cpp:3065
#30 0x0844239b in js::ToPrimitiveSlow (cx=0xf791d000, preferredType=JSTYPE_UNDEFINED, vp=...) at js/src/jsobj.cpp:3113
#31 0x080ff3cf in js::ToPrimitive (vp=..., cx=0xf791d000) at js/src/jsobj.h:1055
#32 AddOperation (res=..., rhs=..., lhs=..., cx=0xf791d000) at js/src/vm/Interpreter.cpp:1390
#33 js::AddValues (cx=0xf791d000, lhs=..., rhs=..., res=...) at js/src/vm/Interpreter.cpp:4549
#34 0x082fbe9b in js::jit::DoBinaryArithFallback (cx=0xf791d000, payload=0xffffc008, stub_=0xf17602a8, lhs=..., rhs=..., ret=...) at js/src/jit/SharedIC.cpp:705
#35 0x5eca810a in ?? ()
#36 0x5eca5922 in ?? ()
#37 0x08187d41 in EnterBaseline (cx=0xf17602a8, cx@entry=0xf791d000, data=...) at js/src/jit/BaselineJIT.cpp:162
#38 0x08189a27 in js::jit::EnterBaselineMethod (cx=0xf791d000, state=...) at js/src/jit/BaselineJIT.cpp:200
#39 0x08110c98 in js::RunScript (cx=0xf791d000, state=...) at js/src/vm/Interpreter.cpp:384
#40 0x08112ef4 in js::ExecuteKernel (result=0xffffc5d8, evalInFrame=..., newTargetValue=..., envChainArg=..., script=..., cx=0xf791d000) at js/src/vm/Interpreter.cpp:677
#41 js::Execute (cx=0xf791d000, script=..., envChainArg=..., rval=0xffffc5d8) at js/src/vm/Interpreter.cpp:710
#42 0x083cf3a3 in ExecuteScript (cx=cx@entry=0xf791d000, scope=scope@entry=..., script=script@entry=..., rval=0xffffc5d8) at js/src/jsapi.cpp:4482
#43 0x083d646c in JS_ExecuteScript (cx=0xf791d000, scriptArg=..., rval=...) at js/src/jsapi.cpp:4508
#44 0x08089a5f in Evaluate (cx=0xf791d000, argc=1, vp=0xffffc5d8) at js/src/shell/js.cpp:1829
#45 0x5f2a3f18 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

eax 0xf42fe750 -198187184
ebx 0xffffb494 -19308
ecx 0x0 0
edx 0xffffb494 -19308
esi 0x0 0
edi 0x5f5ad2fb 1599787771
ebp 0xffffb494 4294947988
esp 0xffffb3ac 4294947756
eip 0x818c71e <js::jit::BaselineScript::icEntryFromReturnAddress(unsigned char*)+14>
=> 0x818c71e <js::jit::BaselineScript::icEntryFromReturnAddress(unsigned char*)+14>: mov (%esi),%eax
   0x818c720 <js::jit::BaselineScript::icEntryFromReturnAddress(unsigned char*)+16>: mov 0x48(%esi),%ebx

I keep hitting this bug but I can never reduce it without the test turning totally intermittent. The attached testcase is mostly unreduced but should reproduce fairly well. Marking s-s because this is a baseline crash with GC involved.
Reporter
Comment 1•7 years ago
Comment 2•7 years ago
This signature is mostly an Android crash, with a small number of win/mac/linux (single digits). Mostly near-null crashes but a couple are UAF.
Keywords: csectype-uaf, sec-high
Updated•7 years ago
Assignee: nobody → hv1989
Priority: -- → P1
Comment 3•7 years ago
Hannes, this is a sec-high that has not seen any activity in the recent weeks. Can you take a look, rather sooner than later?
Flags: needinfo?(hv1989)
Assignee
Comment 4•7 years ago
I think this is fallout from bug 1334212. I think this solves it, but moving it over to Brian to investigate and fix. In order to run you need to have the files in: https://users.own-hero.net/~decoder/wasm.zip (and adjust the "/home/ubuntu/wasm" string in the testcase to point to that).
Flags: needinfo?(hv1989)
Attachment #8854434 - Flags: feedback?(bhackett1024)
Assignee
Updated•7 years ago
Assignee
Comment 5•7 years ago
Tracking requested for high profile security bug.
Comment 6•7 years ago
[Tracking Requested - why for this release]: Signature appears on 52 (and before) in the field.
status-firefox52: --- → affected
status-firefox53: --- → affected
status-thunderbird_esr52: --- → affected
tracking-firefox53: --- → ?
Comment 7•7 years ago
Mass wontfix for bugs affecting firefox 52.
Updated•7 years ago
Flags: needinfo?(nihsanullah)
Comment 8•7 years ago
Tracking 53/54/55+ for this sec-high issue.
Comment 9•7 years ago
Comment on attachment 8854434 [details] [diff] [review]
Potential fix?

Review of attachment 8854434 [details] [diff] [review]:
-----------------------------------------------------------------

I've tried on a couple machines but haven't been able to reproduce this. Looking at this patch I suspect it's a duplicate of bug 1347539. Activations in a zone group should only ever be on the context which has ownership of that zone group; otherwise we will get run-to-completion semantic errors in a cooperatively scheduled runtime, and data races in a preemptively scheduled runtime. Bug 1347539 can cause multiple contexts to have JIT activations in the same zone group, since the group's owner context field is set incorrectly. Hannes, does the patch in bug 1347539 fix this crash for you?
Attachment #8854434 - Flags: feedback?(bhackett1024)
Comment 10•7 years ago
Also, this bug is dependent on functionality that is currently shell only, so won't have any effect on crashes with this signature that are seen in the browser.
Flags: needinfo?(bhackett1024)
Assignee
Comment 11•7 years ago
I tried the patch in bug 1347539 and I couldn't reproduce with that patch applied.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(nihsanullah)
Resolution: --- → DUPLICATE
Comment 12•7 years ago
From bug 134739, sounds like this doesn't affect 53/54 yet and while it does affect 55 we can track it in the duplicated bug anyway.
Updated•4 years ago
Group: javascript-core-security