Closed Bug 1439180 Opened 6 years ago Closed 6 years ago

Crash [@ ??]

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
mozilla60
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 --- verified

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision dde7eb1a589f (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

h = function() {
    ff = encodeURIComponent;
    function f(x) {
        x = +ff(0 / 0);
        return /I/ (~x);
    }
    return f;
}()
for (var j = 0; j < 3; j++) {
    try {
        h();
    } catch (e) {}
}

Backtrace:

(gdb) bt
#0  0x000007507a556396 in ?? ()
#1  0xfff9800000000000 in ?? ()
#2  0xfff88000ffffffff in ?? ()
#3  0x00007ffff5d8e040 in ?? ()
#4  0x7ff8000000000000 in ?? ()
/snip

For detailed crash information, see attachment.

Setting [fuzzblocker] because this is happening very often.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/52f1dfd75ff7
user:        Matthew Gaudet
date:        Fri Feb 02 10:38:43 2018 -0500
summary:     Bug 1434717: Part 5: Connect UnaryArith IC to IonMonkey r=tcampbell

Matthew, is bug 1434717 a likely regressor?
Flags: needinfo?(mgaudet)
Since this got landed just before the long weekend, causing jsfunfuzz to continuously hit this bug, I contemplated backing the offending patch out. However, it is a series of patches, so I am not sure if all the patches should be backed out or just this one, so I didn't do anything.

Please consider fixing this as soon as possible.
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
(gdb) x/i $pc
=> 0x7507a556396:       mov    (%rax),%rdi
(gdb) x/b $rax
0x0:    Cannot access memory at address 0x0
(gdb) x/b $rdi
0x7fffffffce98: 0x00
(gdb)

Actually, locking s-s until more analysis is in place. While it seems to be a null deref, memory addresses are all over the stack.
Group: javascript-core-security
Attached patch Revert CacheIR UnaryArith Stubs (obsolete) — Splinter Review
This patch reverts the following revisions:

 52f1dfd75ff7
 286c42a171d8
 bf1d9d0ebbe7
 5c5ec856f0a6
 43a875bf1c8a
 7fd6eaf7fc97

reverting the delivery of Bug 1434717.
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Comment on attachment 8951944 [details] [diff] [review]
Revert CacheIR UnaryArith Stubs

(r=me because this is a revert commit generated by hg backout)
Flags: needinfo?(mgaudet)
Attachment #8951944 - Flags: review+
Attempting to land this via the original bug 1434717, depends on review.
Attachment #8951944 - Attachment is obsolete: true
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 48b635e3d447).
Priority: -- → P1
Fixed by the backout of bug 1434717.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Blocks: 1434717
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:update]
Target Milestone: --- → mozilla60
Group: javascript-core-security → core-security-release
Group: core-security-release
Assignee: mgaudet → nobody
Keywords: bugmon