Closed Bug 1345423 Opened 7 years ago Closed 7 years ago

Crash [@ js::jit::BaselineScript::icEntryFromReturnAddress]

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

x86
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1347539
Tracking Status
thunderbird_esr52 --- affected
firefox52 --- wontfix
firefox53 + disabled
firefox54 + disabled
firefox55 + fix-optional

People

(Reporter: decoder, Assigned: h4writer)

Details

(6 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision eb2364853477 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --thread-count=2 --disable-oom-functions --ion-extra-checks --ion-eager):

See attachment.


Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0818c71e in js::jit::BaselineScript::icEntryFromReturnAddress (this=0x0, returnAddr=0x5f5ad2fb "\203\304\020\271\204\377\377\377\272\001") at js/src/jit/BaselineJIT.cpp:765
#0  0x0818c71e in js::jit::BaselineScript::icEntryFromReturnAddress (this=0x0, returnAddr=0x5f5ad2fb "\203\304\020\271\204\377\377\377\272\001") at js/src/jit/BaselineJIT.cpp:765
#1  0x0826b5c0 in js::jit::JitFrameIterator::baselineScriptAndPc (this=0xffffb494, scriptRes=0x0, pcRes=0xffffb408) at js/src/jit/JitFrames.cpp:238
#2  0x087297d9 in js::jit::BaselineFrame::trace (this=0xf42fe728, trc=0xf7951fd8, frameIterator=...) at js/src/jit/BaselineFrame.cpp:61
#3  0x08275a39 in js::jit::TraceJitActivation (activations=..., trc=0xf7951fd8) at js/src/jit/JitFrames.cpp:1475
#4  js::jit::TraceJitActivations (cx=0xf791d000, target=..., trc=0xf7951fd8) at js/src/jit/JitFrames.cpp:1502
#5  0x086e3ea6 in js::gc::GCRuntime::traceRuntimeCommon (this=0xf7950240, trc=0xf7951fd8, traceOrMark=js::gc::GCRuntime::MarkRuntime, lock=...) at js/src/gc/RootMarking.cpp:332
#6  0x086e509f in js::gc::GCRuntime::traceRuntimeForMajorGC (this=0xf7950240, trc=0xf7951fd8, lock=...) at js/src/gc/RootMarking.cpp:266
#7  0x0841e22b in js::gc::GCRuntime::beginMarkPhase (this=0xf7950240, reason=JS::gcreason::DEBUG_GC, lock=...) at js/src/jsgc.cpp:3933
#8  0x0842e752 in js::gc::GCRuntime::incrementalCollectSlice (this=0xf7950240, budget=..., reason=JS::gcreason::DEBUG_GC, lock=...) at js/src/jsgc.cpp:5925
#9  0x0842f7fa in js::gc::GCRuntime::gcCycle (this=0xf7950240, nonincrementalByAPI=false, budget=..., reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6281
#10 0x0842fbfc in js::gc::GCRuntime::collect (this=0xf7950240, nonincrementalByAPI=false, budget=..., reason=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6430
#11 0x0843055c in js::gc::GCRuntime::runDebugGC (this=0xf7950240) at js/src/jsgc.cpp:6965
#12 0x08667a19 in js::gc::GCRuntime::gcIfNeededPerAllocation (cx=0xf791d000, this=0xf7950240) at js/src/gc/Allocator.cpp:230
#13 js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0xf7950240, cx=0xf791d000, kind=js::gc::AllocKind::STRING) at js/src/gc/Allocator.cpp:191
#14 0x086687bc in js::Allocate<JSString, (js::AllowGC)1> (cx=0xf791d000) at js/src/gc/Allocator.cpp:142
#15 0x08595708 in JSFlatString::new_<(js::AllowGC)1, unsigned char> (length=218, chars=<optimized out>, cx=0xf791d000) at js/src/vm/String-inl.h:228
#16 NewStringDeflated<(js::AllowGC)1> (cx=0xf791d000, s=0xf5a7cf28 u"(funcName) {\n    assertEq(typeof funcName, \"string\",\n", ' ' <repeats 13 times>, "\"enterFunc must be given a string funcName\");\n\n    if (!StringEndsWith(funcName, \"()\"))\n      funcName += \"()\";\n\n    ArrayPush(callSta"..., n=218) at js/src/vm/String.cpp:1220
#17 0x085a4b65 in js::NewStringCopyN<(js::AllowGC)1, char16_t> (cx=0xf791d000, s=0xf5a7cf28 u"(funcName) {\n    assertEq(typeof funcName, \"string\",\n", ' ' <repeats 13 times>, "\"enterFunc must be given a string funcName\");\n\n    if (!StringEndsWith(funcName, \"()\"))\n      funcName += \"()\";\n\n    ArrayPush(callSta"..., n=218) at js/src/vm/String.cpp:1358
#18 0x0844c478 in js::ScriptSource::substring (stop=<optimized out>, start=12180, cx=0xf791d000, this=<optimized out>) at js/src/jsscript.cpp:1703
#19 JSScript::sourceData (cx=0xf791d000, script=...) at js/src/jsscript.cpp:1451
#20 0x08425235 in js::FunctionToString (cx=0xf791d000, fun=..., prettyPrint=true) at js/src/jsfun.cpp:1035
#21 0x084253f0 in fun_toStringHelper (cx=0xf791d000, obj=..., indent=0) at js/src/jsfun.cpp:1091
#22 0x084254ef in js::fun_toString (cx=0xf791d000, argc=0, vp=0xffffbcf8) at js/src/jsfun.cpp:1123
#23 0x08110fee in js::CallJSNative (args=..., native=<optimized out>, cx=0xf791d000) at js/src/jscntxtinlines.h:282
#24 js::InternalCallOrConstruct (cx=0xf791d000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:448
#25 0x08111ecb in InternalCall (args=..., cx=0xf791d000) at js/src/vm/Interpreter.cpp:493
#26 js::Call (cx=0xf791d000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:512
#27 0x0843e68b in js::Call (rval=..., thisObj=<optimized out>, fval=..., cx=0xf791d000) at js/src/vm/Interpreter.h:96
#28 MaybeCallMethod (cx=cx@entry=0xf791d000, obj=..., obj@entry=..., id=..., id@entry=..., vp=...) at js/src/jsobj.cpp:2982
#29 0x08441f01 in JS::OrdinaryToPrimitive (cx=0xf791d000, obj=..., hint=JSTYPE_UNDEFINED, vp=...) at js/src/jsobj.cpp:3065
#30 0x0844239b in js::ToPrimitiveSlow (cx=0xf791d000, preferredType=JSTYPE_UNDEFINED, vp=...) at js/src/jsobj.cpp:3113
#31 0x080ff3cf in js::ToPrimitive (vp=..., cx=0xf791d000) at js/src/jsobj.h:1055
#32 AddOperation (res=..., rhs=..., lhs=..., cx=0xf791d000) at js/src/vm/Interpreter.cpp:1390
#33 js::AddValues (cx=0xf791d000, lhs=..., rhs=..., res=...) at js/src/vm/Interpreter.cpp:4549
#34 0x082fbe9b in js::jit::DoBinaryArithFallback (cx=0xf791d000, payload=0xffffc008, stub_=0xf17602a8, lhs=..., rhs=..., ret=...) at js/src/jit/SharedIC.cpp:705
#35 0x5eca810a in ?? ()
#36 0x5eca5922 in ?? ()
#37 0x08187d41 in EnterBaseline (cx=0xf17602a8, cx@entry=0xf791d000, data=...) at js/src/jit/BaselineJIT.cpp:162
#38 0x08189a27 in js::jit::EnterBaselineMethod (cx=0xf791d000, state=...) at js/src/jit/BaselineJIT.cpp:200
#39 0x08110c98 in js::RunScript (cx=0xf791d000, state=...) at js/src/vm/Interpreter.cpp:384
#40 0x08112ef4 in js::ExecuteKernel (result=0xffffc5d8, evalInFrame=..., newTargetValue=..., envChainArg=..., script=..., cx=0xf791d000) at js/src/vm/Interpreter.cpp:677
#41 js::Execute (cx=0xf791d000, script=..., envChainArg=..., rval=0xffffc5d8) at js/src/vm/Interpreter.cpp:710
#42 0x083cf3a3 in ExecuteScript (cx=cx@entry=0xf791d000, scope=scope@entry=..., script=script@entry=..., rval=0xffffc5d8) at js/src/jsapi.cpp:4482
#43 0x083d646c in JS_ExecuteScript (cx=0xf791d000, scriptArg=..., rval=...) at js/src/jsapi.cpp:4508
#44 0x08089a5f in Evaluate (cx=0xf791d000, argc=1, vp=0xffffc5d8) at js/src/shell/js.cpp:1829
#45 0x5f2a3f18 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
eax	0xf42fe750	-198187184
ebx	0xffffb494	-19308
ecx	0x0	0
edx	0xffffb494	-19308
esi	0x0	0
edi	0x5f5ad2fb	1599787771
ebp	0xffffb494	4294947988
esp	0xffffb3ac	4294947756
eip	0x818c71e <js::jit::BaselineScript::icEntryFromReturnAddress(unsigned char*)+14>
=> 0x818c71e <js::jit::BaselineScript::icEntryFromReturnAddress(unsigned char*)+14>:	mov    (%esi),%eax
   0x818c720 <js::jit::BaselineScript::icEntryFromReturnAddress(unsigned char*)+16>:	mov    0x48(%esi),%ebx


I keep hitting this bug but I can never reduce it without the test turning totally intermittent. The attached testcase is mostly unreduced but should reproduce fairly well. Marking s-s because this is a baseline crash with GC involved.
Attached file Testcase
This signature is mostly an Android crash, with a small number of win/mac/linux (single digits). Mostly near-null crashes but a couple are UAF.
Assignee: nobody → hv1989
Priority: -- → P1
Hannes, this is a sec-high that has not seen any activity in the recent weeks.
Can you take a look, rather sooner than later?
Flags: needinfo?(hv1989)
Attached patch Potential fix?
I think this is fallout from bug 1334212.
I think this solves it, but moving it over to Brian to investigate and fix.

In order to run it, you need to have the files in:
https://users.own-hero.net/~decoder/wasm.zip
(and adjust the "/home/ubuntu/wasm" string in the testcase to point to that).
Flags: needinfo?(hv1989)
Attachment #8854434 - Flags: feedback?(bhackett1024)
Blocks: 1334212
Component: JavaScript Engine → JavaScript Engine: JIT
Flags: needinfo?(bhackett1024)
Tracking requested for high profile security bug.
[Tracking Requested - why for this release]:
Signature appears on 52 (and before) in the field.
Mass wontfix for bugs affecting firefox 52.
Flags: needinfo?(nihsanullah)
tracking 53/54/55+ for this sec-high issue.
Comment on attachment 8854434
Potential fix?

Review of attachment 8854434:
-----------------------------------------------------------------

I've tried on a couple machines but haven't been able to reproduce this. Looking at this patch I suspect it's a duplicate of bug 1347539. Activations in a zone group should only ever be on the context which has ownership of that zone group; otherwise we will get run-to-completion semantic errors in a cooperatively scheduled runtime, and data races in a preemptively scheduled runtime. Bug 1347539 can cause multiple contexts to have JIT activations in the same zone group, since the group's owner context field is set incorrectly.

Hannes, does the patch in bug 1347539 fix this crash for you?
Attachment #8854434 - Flags: feedback?(bhackett1024)
Also, this bug is dependent on functionality that is currently shell only, so won't have any effect on crashes with this signature that are seen in the browser.
Flags: needinfo?(bhackett1024)
I tried the patch in bug 1347539 and I couldn't reproduce with that patch applied.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(nihsanullah)
Resolution: --- → DUPLICATE
From bug 1347539, sounds like this doesn't affect 53/54 yet and while it does affect 55 we can track it in the duplicated bug anyway.
Group: javascript-core-security