Closed
Bug 1355050
Opened 8 years ago
Closed 8 years ago
Various crashes through [@ js::RegExpShared::addTable] or Assertion failure: mLength <= mTail.mReserved, at mozilla/Vector.h:469 or Assertion failure: !mEntered, at mozilla/ReentrancyGuard.h:39
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla55
| Tracking | Status | |
|---|---|---|
| firefox-esr45 | --- | unaffected |
| firefox52 | --- | unaffected |
| firefox-esr52 | --- | unaffected |
| firefox53 | --- | unaffected |
| firefox54 | --- | unaffected |
| firefox55 | --- | fixed |
People
(Reporter: decoder, Assigned: jonco)
References
Details
(7 keywords, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
5.79 KB, patch (sfink: review+)
The following testcase crashes on mozilla-central revision 2a3ecdb7d1ea (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --baseline-eager --ion-extra-checks):
for (lfLocal in this) {
function assertEq() {
assertEq(/foo.*bar/.test('foobarbaz'), true);
}
gczeal(14, 10);
assertEq("B", true);
}
while (!stop);
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x08739e5a in mozilla::detail::VectorImpl<js::irregexp::AlternativeGeneration*, 1u, js::LifoAllocPolicy<(js::Fallibility)1>, true>::new_<js::irregexp::AlternativeGeneration* const&> (aDst=<optimized out>) at mozilla/Vector.h:172
#0 0x08739e5a in mozilla::detail::VectorImpl<js::irregexp::AlternativeGeneration*, 1u, js::LifoAllocPolicy<(js::Fallibility)1>, true>::new_<js::irregexp::AlternativeGeneration* const&> (aDst=<optimized out>) at mozilla/Vector.h:172
#1 mozilla::Vector<unsigned char*, 0u, js::SystemAllocPolicy>::internalAppend<unsigned char*&> (aU=<optimized out>, this=0xf555c06c) at mozilla/Vector.h:1257
#2 mozilla::Vector<unsigned char*, 0u, js::SystemAllocPolicy>::append<unsigned char*&> (aU=<synthetic pointer>, this=0xf555c06c) at mozilla/Vector.h:1397
#3 js::RegExpShared::addTable (table=0xf7979600 '\345' <repeats 199 times>, <incomplete sequence \345>..., this=0xf555c040) at js/src/vm/RegExpObject.h:180
#4 js::irregexp::BoyerMooreLookahead::EmitSkipInstructions (this=0xf79c73e8, masm=0xfff7dc44) at js/src/irregexp/RegExpEngine.cpp:2481
#5 0x0874a6aa in js::irregexp::ChoiceNode::Emit (this=0xf79c7330, compiler=0xfff7d800, trace=0xfff7d6b0) at js/src/irregexp/RegExpEngine.cpp:4320
#6 0x087367ed in js::irregexp::RegExpCompiler::Assemble (this=0xfff7d800, cx=0xf791d000, assembler=0xfff7dc44, start=0xf79c7330, capture_count=0) at js/src/irregexp/RegExpEngine.cpp:1669
#7 0x08746e77 in js::irregexp::CompilePattern (cx=0xf791d000, shared=..., data=0xfff7e680, sample=..., is_global=false, ignore_case=false, is_ascii=true, match_only=true, force_bytecode=false, sticky=false, unicode=false) at js/src/irregexp/RegExpEngine.cpp:1830
#8 0x085940b6 in js::RegExpShared::compile (cx=0xf791d000, re=..., pattern=..., input=..., mode=js::RegExpShared::MatchOnly, force=js::RegExpShared::DontForceByteCode) at js/src/vm/RegExpObject.cpp:1020
#9 0x085942b0 in js::RegExpShared::compile (cx=0xf791d000, re=..., input=..., mode=js::RegExpShared::MatchOnly, force=js::RegExpShared::DontForceByteCode) at js/src/vm/RegExpObject.cpp:987
#10 0x0859444a in js::RegExpShared::compileIfNecessary (cx=<optimized out>, re=..., input=..., mode=<optimized out>, force=<optimized out>) at js/src/vm/RegExpObject.cpp:1043
#11 0x08599e58 in js::RegExpShared::execute (cx=0xf791d000, re=..., input=..., start=0, matches=0x0, endIndex=0xfff7ec04) at js/src/vm/RegExpObject.cpp:1057
#12 0x08794eee in ExecuteRegExpImpl (endIndex=0xfff7ec04, matches=0x0, searchIndex=<optimized out>, input=..., re=..., res=0xf7979580, cx=0xf791d000) at js/src/builtin/RegExp.cpp:128
#13 ExecuteRegExp (staticsUpdate=js::UpdateRegExpStatics, endIndex=0xfff7ec04, matches=0x0, lastIndex=<optimized out>, string=..., regexp=..., cx=0xf791d000) at js/src/builtin/RegExp.cpp:972
#14 js::RegExpTester (cx=0xf791d000, argc=3, vp=0xfff7ef10) at js/src/builtin/RegExp.cpp:1172
#15 0x0813482a in js::CallJSNative (args=..., native=<optimized out>, cx=0xf791d000) at js/src/jscntxtinlines.h:291
#16 js::InternalCallOrConstruct (cx=0xf791d000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:455
#17 0x08135749 in InternalCall (args=..., cx=0xf791d000) at js/src/vm/Interpreter.cpp:500
#18 js::CallFromStack (cx=0xf791d000, args=...) at js/src/vm/Interpreter.cpp:506
#19 0x081c7675 in js::jit::DoCallFallback (cx=0xf791d000, frame=0xfff7ef98, stub_=0xf53f7440, argc=3, vp=0xfff7ef10, res=...) at js/src/jit/BaselineIC.cpp:2353
#20 0x566c1c3f in ?? ()
#21 0xf53f7440 in ?? ()
#22 0x566bb925 in ?? ()
#23 0x081adc81 in EnterBaseline (cx=0xf53f7440, cx@entry=0xf791d000, data=...) at js/src/jit/BaselineJIT.cpp:162
#24 0x081af867 in js::jit::EnterBaselineMethod (cx=0xf791d000, state=...) at js/src/jit/BaselineJIT.cpp:200
#25 0x081344a8 in js::RunScript (cx=0xf791d000, state=...) at js/src/vm/Interpreter.cpp:385
#26 0x08134965 in js::InternalCallOrConstruct (cx=0xf791d000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:473
#27 0x08135749 in InternalCall (args=..., cx=0xf791d000) at js/src/vm/Interpreter.cpp:500
#28 js::CallFromStack (cx=0xf791d000, args=...) at js/src/vm/Interpreter.cpp:506
#29 0x081c7675 in js::jit::DoCallFallback (cx=0xf791d000, frame=0xfff7f538, stub_=0xf7980218, argc=3, vp=0xfff7f4c8, res=...) at js/src/jit/BaselineIC.cpp:2353
#30 0x566c1c3f in ?? ()
#31 0xf7980218 in ?? ()
#32 0x566bb925 in ?? ()
#33 0x081adc81 in EnterBaseline (cx=0xf7980218, cx@entry=0xf791d000, data=...) at js/src/jit/BaselineJIT.cpp:162
[...]
#127 0xf535f110 in ?? ()
eax 0x45 69
ebx 0xf7979600 -141060608
ecx 0x0 0
edx 0x5 5
esi 0xfff7dc44 -533436
edi 0xf555c040 -178929600
ebp 0x4 4
esp 0xfff7d2c0 4294431424
eip 0x8739e5a <js::irregexp::BoyerMooreLookahead::EmitSkipInstructions(js::irregexp::RegExpMacroAssembler*)+330>
=> 0x8739e5a <js::irregexp::BoyerMooreLookahead::EmitSkipInstructions(js::irregexp::RegExpMacroAssembler*)+330>: mov %ebx,(%ecx,%eax,4)
0x8739e5d <js::irregexp::BoyerMooreLookahead::EmitSkipInstructions(js::irregexp::RegExpMacroAssembler*)+333>: add $0x1,%eax
Marking s-s because I've seen multiple crashes in this bucket with crash addresses that look random, plus both of the assertions look security related (esp. the vector length assertion). Last but not least, it involves the GC.
Comment 1•8 years ago
The problem is that using RegExpMacroAssembler puts an unrooted RegExpShared* on the stack.
Should the hazard analysis have caught this? Maybe it misses it because the class is constructed in a Maybe<>.
Assignee: nobody → jcoppeard
Attachment #8856509 -
Flags: review?(sphink)
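Comment 1 names the mechanism: a raw RegExpShared* held on the stack where the GC cannot see it. The toy model below is added here and is not SpiderMonkey code; it shows the same hazard next to its rooted fix. Heap, GcObj, Rooted, useUnrooted and useRooted are hypothetical names, and the collector poisons rather than frees so the stale read is observable.

```cpp
#include <algorithm>
#include <cstdint>
#include <memory>
#include <vector>

// 0xe5: the fill pattern mozjemalloc writes into freed memory (cf. frame #3).
static const uint32_t POISON = 0xe5e5e5e5u;

struct GcObj { uint32_t payload; };
// Toy collector (hypothetical): anything not reachable from a registered
// root is "freed"; it is poisoned in place so the stale read is observable.
struct Heap {
    std::vector<std::unique_ptr<GcObj>> objs;
    std::vector<GcObj**> roots;              // stack slots the GC can see
    GcObj* alloc(uint32_t v) {
        objs.push_back(std::make_unique<GcObj>(GcObj{v}));
        return objs.back().get();
    }
    void collect() {
        for (auto& o : objs) {
            bool rooted = std::any_of(roots.begin(), roots.end(),
                                      [&](GcObj** r) { return *r == o.get(); });
            if (!rooted) o->payload = POISON;
        }
    }
};

// Hazard: a raw GC pointer (stand-in for the RegExpShared* the assembler
// held) sits on the stack across a point where a collection can run.
uint32_t useUnrooted() {
    Heap heap;
    GcObj* shared = heap.alloc(42);
    heap.collect();                          // gczeal-style forced GC
    return shared->payload;                  // stale: returns POISON
}

// Fix: register the slot as a root for its lifetime, as JS::Rooted<> does.
struct Rooted {
    Heap& heap; GcObj* ptr;
    Rooted(Heap& h, GcObj* p) : heap(h), ptr(p) { heap.roots.push_back(&ptr); }
    ~Rooted() { heap.roots.erase(std::find(heap.roots.begin(), heap.roots.end(), &ptr)); }
};

uint32_t useRooted() {
    Heap heap;
    Rooted shared(heap, heap.alloc(42));
    heap.collect();
    return shared.ptr->payload;              // 42: the object survived
}
```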
Comment 2•8 years ago
(In reply to Jon Coppeard (:jonco) from comment #1)
> Should the hazard analysis have caught this? Maybe it misses it because the
> class is constructed in a Maybe<>.
Reminds me of bug 1264300, FWIW.
Comment 3•8 years ago
Comment on attachment 8856509 [details] [diff] [review]
bug1355050-root-regexp-shared
Review of attachment 8856509 [details] [diff] [review]:
-----------------------------------------------------------------
r=me for the patch, but you're right, I need to understand why that didn't get caught. I thought we had special handling for Maybe (because it contains aligned storage), but I think maybe I was thinking of MaybeRooted.
I was intending to fix this generally, by handling MOZ_INHERIT_TYPE_ANNOTATIONS_FROM_TEMPLATE_ARGS, but surprisingly enough Maybe doesn't have that anyway.
Oh! It lost it when it stopped using AlignedStorage2. Gah...
Attachment #8856509 -
Flags: review?(sphink) → review+
Updated•8 years ago
status-firefox52:
--- → unaffected
status-firefox53:
--- → unaffected
status-firefox54:
--- → unaffected
status-firefox-esr45:
--- → unaffected
status-firefox-esr52:
--- → unaffected
Comment 4•8 years ago
Updated•8 years ago
Keywords: csectype-uaf, sec-high
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated•8 years ago
Group: javascript-core-security → core-security-release
Updated•8 years ago
Group: core-security-release