debug/bug1264961.js should pass expectExceptionOnFailure = false to oomTest
Categories: Core :: JavaScript Engine: JIT, defect, P2
People: Reporter: pbone, Assigned: pbone
Details: Keywords: crash, csectype-oom
Attachments: 1 file
I tried the jit-test suite with --slow and found that debug/bug1264961.js fails because there's some OOM handling missing.
If you build with:
../configure --enable-debug --disable-optimize and --enable-oom-breakpoint
and run:
../jit-test/jit_test.py --slow dist/bin/js debug/bug1264961.js
It'll crash. If you use a debugger and set a breakpoint on js_failedAllocBreakpoint, you can find the backtrace:
#0 js_failedAllocBreakpoint ()
at /mnt/dev/moz/decommit/js/src/b-debug/dist/include/js/Utility.h:134
#1 0x0000555cf9f1c7c2 in js::oom::FailureSimulator::shouldFail (
this=0x555cfbdd80a0 <js::oom::simulator>,
kind=js::oom::FailureSimulator::Kind::OOM)
at /mnt/dev/moz/decommit/js/src/b-debug/dist/include/js/Utility.h:192
#2 0x0000555cf9f1c755 in js::oom::ShouldFailWithOOM ()
at /mnt/dev/moz/decommit/js/src/b-debug/dist/include/js/Utility.h:209
#3 0x0000555cf9f1c101 in js::SystemAllocPolicy::checkSimulatedOOM (
this=0x7ffd87072670)
at /mnt/dev/moz/decommit/js/src/b-debug/dist/include/js/AllocPolicy.h:91
#4 0x0000555cfa78f58b in mozilla::Vector<unsigned char, 256ul, js::jit::AssemblerBufferAllocPolicy>::maybeCheckSimulatedOOM (this=0x7ffd87072670,
aRequestedSize=603)
at /mnt/dev/moz/decommit/js/src/b-debug/dist/include/mozilla/Vector.h:1071
#5 0x0000555cfa7904c7 in mozilla::Vector<unsigned char, 256ul, js::jit::AssemblerBufferAllocPolicy>::reserve (this=0x7ffd87072670, aRequest=603)
at /mnt/dev/moz/decommit/js/src/b-debug/dist/include/mozilla/Vector.h:1081
#6 0x0000555cfa790008 in js::jit::AssemblerBuffer::ensureSpace (
this=0x7ffd87072670, space=16)
at /mnt/dev/moz/decommit/js/src/jit/x86-shared/AssemblerBuffer-x86-shared.h:129
#7 0x0000555cfa793ed9 in js::jit::X86Encoding::BaseAssembler::X86InstructionFormatter::oneByteOp64 (this=0x7ffd87072670,
opcode=js::jit::X86Encoding::OP_GROUP1_EvIb, rm=js::jit::X86Encoding::rsp,
reg=0)
at /mnt/dev/moz/decommit/js/src/jit/x86-shared/BaseAssembler-x86-shared.h:4726
#8 0x0000555cfa7970dc in js::jit::X86Encoding::BaseAssemblerX64::addq_ir (
this=0x7ffd87072668, imm=8, dst=js::jit::X86Encoding::rsp)
at /mnt/dev/moz/decommit/js/src/jit/x64/BaseAssembler-x64.h:58
#9 0x0000555cfa796fbe in js::jit::Assembler::addq (this=0x7ffd87072258,
imm=..., dest=...)
at /mnt/dev/moz/decommit/js/src/jit/x64/Assembler-x64.h:693
#10 0x0000555cfa7850ed in js::jit::MacroAssembler::addPtr (
this=0x7ffd87072258, imm=..., dest=...)
at /mnt/dev/moz/decommit/js/src/jit/x64/MacroAssembler-x64-inl.h:134
#11 0x0000555cfa786262 in js::jit::MacroAssembler::addToStackPtr<js::jit::Imm32> (this=0x7ffd87072258, t=...)
at /mnt/dev/moz/decommit/js/src/jit/MacroAssembler-inl.h:790
#12 0x0000555cfb19803b in js::jit::MacroAssembler::freeStack (
this=0x7ffd87072258, amount=8)
at /mnt/dev/moz/decommit/js/src/jit/MacroAssembler.cpp:2723
#13 0x0000555cfae33a46 in js::jit::MacroAssembler::callWithABIPost (
this=0x7ffd87072258, stackAdjust=8, result=js::jit::MoveOp::GENERAL,
cleanupArg=false)
at /mnt/dev/moz/decommit/js/src/jit/x64/MacroAssembler-x64.cpp:348
#14 0x0000555cfb19860a in js::jit::MacroAssembler::callWithABINoProfiler (
this=0x7ffd87072258, fun=0x555cfb193380 <AssumeUnreachable_(char const*)>,
result=js::jit::MoveOp::GENERAL,
check=js::jit::CheckUnsafeCallWithABI::DontCheckOther)
at /mnt/dev/moz/decommit/js/src/jit/MacroAssembler.cpp:2841
#15 0x0000555cfa7854af in js::jit::MacroAssembler::callWithABI (
this=0x7ffd87072258, fun=0x555cfb193380 <AssumeUnreachable_(char const*)>,
result=js::jit::MoveOp::GENERAL,
check=js::jit::CheckUnsafeCallWithABI::DontCheckOther)
at /mnt/dev/moz/decommit/js/src/jit/MacroAssembler-inl.h:98
#16 0x0000555cfb18c169 in js::jit::MacroAssembler::assumeUnreachable (
this=0x7ffd87072258,
output=0x555cf8b29f2b "BaselineFrame shouldn't override pc when executing JIT code") at /mnt/dev/moz/decommit/js/src/jit/MacroAssembler.cpp:1726
#17 0x0000555cfad34ec0 in js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::callVMInternal (this=0x7ffd87072108,
id=js::jit::VMFunctionId::CheckOverRecursedBaseline,
kind=js::jit::RetAddrEntry::Kind::StackCheck,
phase=js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::CallVMPhase::BeforePushingLocals)
at /mnt/dev/moz/decommit/js/src/jit/BaselineCodeGen.cpp:745
#18 0x0000555cfad3551b in js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::callVM<bool ()(JSContext, js::jit::BaselineFrame*), &js::jit::CheckOverRecursedBaseline> (this=0x7ffd87072108,
kind=js::jit::RetAddrEntry::Kind::StackCheck,
phase=js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::CallVMPhase::BeforePushingLocals)
at /mnt/dev/moz/decommit/js/src/jit/BaselineCodeGen.cpp:809
#19 0x0000555cfad34789 in js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::emitStackCheck (this=0x7ffd87072108)
at /mnt/dev/moz/decommit/js/src/jit/BaselineCodeGen.cpp:837
#20 0x0000555cfacf9661 in js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::emitPrologue (this=0x7ffd87072108)
at /mnt/dev/moz/decommit/js/src/jit/BaselineCodeGen.cpp:6760
#21 0x0000555cfacb8125 in js::jit::BaselineCompiler::compile (
this=0x7ffd87072108)
at /mnt/dev/moz/decommit/js/src/jit/BaselineCodeGen.cpp:231
#22 0x0000555cfaebd195 in js::jit::BaselineCompile (cx=0x7ff8af51a000,
script=0x120fcc0b6890, forceDebugInstrumentation=false)
at /mnt/dev/moz/decommit/js/src/jit/BaselineJIT.cpp:217
#23 0x0000555cfaebd973 in CanEnterBaselineJIT (cx=0x7ff8af51a000, script=...,
osrSourceFrame=...) at /mnt/dev/moz/decommit/js/src/jit/BaselineJIT.cpp:305
#24 0x0000555cfaebdb23 in js::jit::BaselineCompileFromBaselineInterpreter (
cx=0x7ff8af51a000, frame=0x7ffd87073010, res=0x7ffd87072fe0)
at /mnt/dev/moz/decommit/js/src/jit/BaselineJIT.cpp:407
The comments in AssemblerBuffer::oomDetected() say that something isn't checking for OOM when it should be. I think this is best sent to someone familiar with the JIT.
I've enabled the security flag in case this could lead to an OOB memory access, but it looks like AssemblerBuffer won't let an OOB write occur. But what if something executes this buffer and just falls off the end?
Comment 1•5 years ago (Assignee)
It'd be good to run these tests in CI, but now I'm a little afraid to mention that publicly in case it shows someone where an exploit might be. That is, until we know that there's no security impact.
Comment 2•5 years ago
This is just a problem with the test: it needs to pass {expectExceptionOnFailure: false} to oomTest. The debugger terminates execution, and termination is represented as failure + no pending exception.
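The distinction comment 2 draws (a throw leaves an exception pending, a Debugger-initiated termination does not, and oomTest's default expectExceptionOnFailure flags the latter) as an added model in plain JavaScript; this is not SpiderMonkey or jit-test code, and runOnce, oomTestModel, alloc, debuggerHook and debuggerDrivenBody are assumed names:

```javascript
// Added example, not SpiderMonkey or jit-test code: a small model of the
// check oomTest() applies, to show why {expectExceptionOnFailure: false}
// is needed when the test body drives the Debugger. All names are assumptions.
const TERMINATE = Symbol("terminate"); // stands in for uncatchable termination

// Run `body` once with a simulated OOM at allocation number `failAt`.
// Mirrors the shell's two failure shapes: an ordinary throw leaves an
// exception pending; a Debugger-initiated termination leaves none.
function runOnce(body, failAt) {
  const ctx = { allocs: 0, failAt };
  try {
    body(ctx);
    return { ok: true, pendingException: undefined };
  } catch (e) {
    if (e === TERMINATE) return { ok: false, pendingException: undefined };
    return { ok: false, pendingException: e };
  }
}

// Model of oomTest(fn, options): fail allocation 1, 2, 3, ... until the body
// runs to completion; with expectExceptionOnFailure (the default) any
// failure that carries no pending exception is reported as a test failure.
function oomTestModel(body, { expectExceptionOnFailure = true } = {}) {
  for (let failAt = 1; failAt < 1000; failAt++) {
    const r = runOnce(body, failAt);
    if (r.ok) return { verdict: "pass", failuresSeen: failAt - 1 };
    if (expectExceptionOnFailure && r.pendingException === undefined) {
      return { verdict: "failure without pending exception", failuresSeen: failAt };
    }
  }
  throw new Error("body never completed");
}

// Constructed body: plain allocations throw on simulated OOM, but the
// Debugger hook terminates execution instead (no exception pending).
function alloc(ctx) {
  if (++ctx.allocs === ctx.failAt) throw new Error("simulated OOM");
}
function debuggerHook(ctx) {
  if (++ctx.allocs === ctx.failAt) throw TERMINATE;
}
function debuggerDrivenBody(ctx) {
  alloc(ctx);
  debuggerHook(ctx); // e.g. an onEnterFrame handler firing under OOM
  alloc(ctx);
}
```

With the default options the model stops at the second simulated failure and reports it; with {expectExceptionOnFailure: false} it runs on until the body completes, which is the behaviour the fixed test relies on.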
Comment 3•5 years ago
(Also note that the test fails the same way with --no-blinterp to disable all JS JITs.)
Comment 4•5 years ago (Assignee)
Thanks jandem, that's worked.
Comment 5•5 years ago (Assignee)
Pushed by pbone@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c7301314dcfc Add {expectExceptionOnFailure: false} to test r=jandem
Comment 7•5 years ago (bugherder)