Closed Bug 1568427 Opened 5 years ago Closed 5 years ago

debug/bug1264961.js should pass expectExceptionOnFailure = false to oomTest

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla71
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 --- fixed

People

(Reporter: pbone, Assigned: pbone)

Details

(Keywords: crash, csectype-oom)

Attachments

(1 file)

I tried the jit-test suite with --slow and found that debug/bug1264961.js fails because there's some OOM handling missing.

If you build with:

../configure --enable-debug --disable-optimize and --enable-oom-breakpoint

and run:

../jit-test/jit_test.py --slow dist/bin/js debug/bug1264961.js

It'll crash. If you use a debugger and set a breakpoint on js_failedAllocBreakpoint you can find the backtrace:

#0 js_failedAllocBreakpoint ()
at /mnt/dev/moz/decommit/js/src/b-debug/dist/include/js/Utility.h:134
#1 0x0000555cf9f1c7c2 in js::oom::FailureSimulator::shouldFail (
this=0x555cfbdd80a0 <js::oom::simulator>,
kind=js::oom::FailureSimulator::Kind::OOM)
at /mnt/dev/moz/decommit/js/src/b-debug/dist/include/js/Utility.h:192
#2 0x0000555cf9f1c755 in js::oom::ShouldFailWithOOM ()
at /mnt/dev/moz/decommit/js/src/b-debug/dist/include/js/Utility.h:209
#3 0x0000555cf9f1c101 in js::SystemAllocPolicy::checkSimulatedOOM (
this=0x7ffd87072670)
at /mnt/dev/moz/decommit/js/src/b-debug/dist/include/js/AllocPolicy.h:91
#4 0x0000555cfa78f58b in mozilla::Vector<unsigned char, 256ul, js::jit::AssemblerBufferAllocPolicy>::maybeCheckSimulatedOOM (this=0x7ffd87072670,
aRequestedSize=603)
at /mnt/dev/moz/decommit/js/src/b-debug/dist/include/mozilla/Vector.h:1071
#5 0x0000555cfa7904c7 in mozilla::Vector<unsigned char, 256ul, js::jit::AssemblerBufferAllocPolicy>::reserve (this=0x7ffd87072670, aRequest=603)
at /mnt/dev/moz/decommit/js/src/b-debug/dist/include/mozilla/Vector.h:1081
#6 0x0000555cfa790008 in js::jit::AssemblerBuffer::ensureSpace (
this=0x7ffd87072670, space=16)
at /mnt/dev/moz/decommit/js/src/jit/x86-shared/AssemblerBuffer-x86-shared.h:129
#7 0x0000555cfa793ed9 in js::jit::X86Encoding::BaseAssembler::X86InstructionFormatter::oneByteOp64 (this=0x7ffd87072670,
opcode=js::jit::X86Encoding::OP_GROUP1_EvIb, rm=js::jit::X86Encoding::rsp,
reg=0)
at /mnt/dev/moz/decommit/js/src/jit/x86-shared/BaseAssembler-x86-shared.h:4726
#8 0x0000555cfa7970dc in js::jit::X86Encoding::BaseAssemblerX64::addq_ir (
this=0x7ffd87072668, imm=8, dst=js::jit::X86Encoding::rsp)
at /mnt/dev/moz/decommit/js/src/jit/x64/BaseAssembler-x64.h:58
#9 0x0000555cfa796fbe in js::jit::Assembler::addq (this=0x7ffd87072258,
imm=..., dest=...)
at /mnt/dev/moz/decommit/js/src/jit/x64/Assembler-x64.h:693
#10 0x0000555cfa7850ed in js::jit::MacroAssembler::addPtr (
this=0x7ffd87072258, imm=..., dest=...)
at /mnt/dev/moz/decommit/js/src/jit/x64/MacroAssembler-x64-inl.h:134
#11 0x0000555cfa786262 in js::jit::MacroAssembler::addToStackPtr<js::jit::Imm32> (this=0x7ffd87072258, t=...)
at /mnt/dev/moz/decommit/js/src/jit/MacroAssembler-inl.h:790
#12 0x0000555cfb19803b in js::jit::MacroAssembler::freeStack (
this=0x7ffd87072258, amount=8)
at /mnt/dev/moz/decommit/js/src/jit/MacroAssembler.cpp:2723
#13 0x0000555cfae33a46 in js::jit::MacroAssembler::callWithABIPost (
this=0x7ffd87072258, stackAdjust=8, result=js::jit::MoveOp::GENERAL,
cleanupArg=false)
at /mnt/dev/moz/decommit/js/src/jit/x64/MacroAssembler-x64.cpp:348
#14 0x0000555cfb19860a in js::jit::MacroAssembler::callWithABINoProfiler (
this=0x7ffd87072258, fun=0x555cfb193380 <AssumeUnreachable_(char const*)>,
result=js::jit::MoveOp::GENERAL,
check=js::jit::CheckUnsafeCallWithABI::DontCheckOther)
at /mnt/dev/moz/decommit/js/src/jit/MacroAssembler.cpp:2841
#15 0x0000555cfa7854af in js::jit::MacroAssembler::callWithABI (
this=0x7ffd87072258, fun=0x555cfb193380 <AssumeUnreachable_(char const*)>,
result=js::jit::MoveOp::GENERAL,
check=js::jit::CheckUnsafeCallWithABI::DontCheckOther)
at /mnt/dev/moz/decommit/js/src/jit/MacroAssembler-inl.h:98
#16 0x0000555cfb18c169 in js::jit::MacroAssembler::assumeUnreachable (
this=0x7ffd87072258,
output=0x555cf8b29f2b "BaselineFrame shouldn't override pc when executing JIT code") at /mnt/dev/moz/decommit/js/src/jit/MacroAssembler.cpp:1726
#17 0x0000555cfad34ec0 in js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::callVMInternal (this=0x7ffd87072108,
id=js::jit::VMFunctionId::CheckOverRecursedBaseline,
kind=js::jit::RetAddrEntry::Kind::StackCheck,
phase=js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::CallVMPhase::BeforePushingLocals)
at /mnt/dev/moz/decommit/js/src/jit/BaselineCodeGen.cpp:745
#18 0x0000555cfad3551b in js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::callVM<bool ()(JSContext, js::jit::BaselineFrame*), &js::jit::CheckOverRecursedBaseline> (this=0x7ffd87072108,
kind=js::jit::RetAddrEntry::Kind::StackCheck,
phase=js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::CallVMPhase::BeforePushingLocals)
at /mnt/dev/moz/decommit/js/src/jit/BaselineCodeGen.cpp:809
#19 0x0000555cfad34789 in js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::emitStackCheck (this=0x7ffd87072108)
at /mnt/dev/moz/decommit/js/src/jit/BaselineCodeGen.cpp:837
#20 0x0000555cfacf9661 in js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::emitPrologue (this=0x7ffd87072108)
at /mnt/dev/moz/decommit/js/src/jit/BaselineCodeGen.cpp:6760
#21 0x0000555cfacb8125 in js::jit::BaselineCompiler::compile (
this=0x7ffd87072108)
at /mnt/dev/moz/decommit/js/src/jit/BaselineCodeGen.cpp:231
#22 0x0000555cfaebd195 in js::jit::BaselineCompile (cx=0x7ff8af51a000,
script=0x120fcc0b6890, forceDebugInstrumentation=false)
at /mnt/dev/moz/decommit/js/src/jit/BaselineJIT.cpp:217
#23 0x0000555cfaebd973 in CanEnterBaselineJIT (cx=0x7ff8af51a000, script=...,
osrSourceFrame=...) at /mnt/dev/moz/decommit/js/src/jit/BaselineJIT.cpp:305
#24 0x0000555cfaebdb23 in js::jit::BaselineCompileFromBaselineInterpreter (
cx=0x7ff8af51a000, frame=0x7ffd87073010, res=0x7ffd87072fe0)
at /mnt/dev/moz/decommit/js/src/jit/BaselineJIT.cpp:407

The comments in AssemblerBuffer::oomDetected() say that something isn't checking for OOM when it should be. I think this is best sent to someone familiar with the JIT.

I've enabled the security flag in case this could lead to an OOB memory access, but it looks like AssemblerBuffer won't let an OOB write occur. But what if something executes this buffer and just falls off the end?

It'd be good to run these tests in CI, but now I'm a little afraid to mention that publicly in case it shows someone where an exploit might be. That is until we know that there's no security impact.

Group: core-security → javascript-core-security
Flags: needinfo?(jdemooij)

This is just a problem with the test, it needs to pass {expectExceptionOnFailure: false} to oomTest. The debugger terminates execution and termination is represented as failure + no pending exception.

Group: javascript-core-security
Flags: needinfo?(jdemooij)
Summary: Missing OOM handling somewhere in JIT → debug/bug1264961.js should pass expectExceptionOnFailure = false to oomTest

(Also note that the test fails the same way with --no-blinterp to disable all JS JITs.)
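An added illustration of the rule described in the comment above, not code from the bug or from SpiderMonkey: `oomTestModel` is a hypothetical plain-JS model of how the shell's oomTest judges each simulated allocation failure, and `debuggeeWithHook` is a constructed callback in which an OOM inside a Debugger hook surfaces as termination (a failure with no pending exception) rather than as a thrown exception.

```javascript
// Hypothetical model of SpiderMonkey's oomTest builtin (the real one is C++
// in TestingFunctions.cpp). It fails one allocation per run, advancing the
// failing allocation index until the callback completes without failing.
class OOMError extends Error {}
// Models the Debugger terminating the debuggee: a failure that leaves no
// exception pending on the context.
class Termination {}

function oomTestModel(callback, { expectExceptionOnFailure = true } = {}) {
  for (let failAt = 1; ; failAt++) {
    let count = 0;
    const alloc = () => {
      if (++count === failAt) throw new OOMError("simulated OOM");
    };
    let failed = false;
    let pendingException = false;
    try {
      callback(alloc);
    } catch (e) {
      failed = true;
      pendingException = !(e instanceof Termination);
    }
    // Every allocation point has been exercised: report how many there were.
    if (!failed) return failAt - 1;
    // The check the test tripped: a failure must come with a pending
    // exception unless the caller passed {expectExceptionOnFailure: false}.
    if (expectExceptionOnFailure && !pendingException) {
      throw new Error(`failure without pending exception at allocation ${failAt}`);
    }
  }
}

// Constructed callback: allocations 2 and 3 happen "inside a Debugger hook",
// where an OOM is converted into termination instead of an exception.
function debuggeeWithHook(alloc) {
  alloc();
  try {
    alloc();
    alloc();
  } catch (e) {
    if (e instanceof OOMError) throw new Termination();
    throw e;
  }
  alloc();
}

// Returns true when the default options reproduce the bug's failure.
function reproducesWithDefaults() {
  try {
    oomTestModel(debuggeeWithHook);
    return false;
  } catch (e) {
    return /at allocation 2/.test(e.message);
  }
}
```

With `{expectExceptionOnFailure: false}` the same callback runs to completion over all four allocation points, which is the fix the bug landed.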

Thanks jandem, that's worked.

Assignee: nobody → pbone
Status: NEW → ASSIGNED
Pushed by pbone@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c7301314dcfc
Add {expectExceptionOnFailure: false} to test r=jandem
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
