Bug 1657815 (Closed)
Opened 4 years ago; closed 4 years ago
Crash [@ CoerceInPlace_JitEntry(int, js::wasm::TlsData*, JS::Value*)]

Categories: Core :: JavaScript: WebAssembly, defect
Status: VERIFIED FIXED
Target Milestone: 81 Branch

Branch | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox-esr78 | --- | unaffected
firefox79 | --- | unaffected
firefox80 | --- | unaffected
firefox81 | --- | fixed

People: Reporter: decoder, Assigned: dbezhetskov
References: Regression
Keywords: crash, regression, testcase
Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker]
Attachments (1 file): 10.37 KB, application/octet-stream
The following testcase crashes on mozilla-central revision 20200807-d51942b1e2d8 (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):
See attachment.
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x58b46e87 in CoerceInPlace_JitEntry(int, js::wasm::TlsData*, JS::Value*) ()
#1 0x43ff0946 in ?? ()
#2 0xf6eb2ee0 in ?? ()
#3 0x00002842 in ?? ()
#4 0xf5c905e0 in ?? ()
eax 0xffffa520 -23264
ebx 0x592b44ec 1496007916
ecx 0x441f0fd9 1142886361
edx 0x2842 10306
esi 0xf6e19800 -152987648
edi 0xf6ee2298 -152165736
ebp 0xffffa398 4294943640
esp 0xffffa310 4294943504
eip 0x58b46e87 <CoerceInPlace_JitEntry(int, js::wasm::TlsData*, JS::Value*)+103>
=> 0x58b46e87 <_ZL22CoerceInPlace_JitEntryiPN2js4wasm7TlsDataEPN2JS5ValueE+103>: mov 0x14(%ecx),%ecx
0x58b46e8a <_ZL22CoerceInPlace_JitEntryiPN2js4wasm7TlsDataEPN2JS5ValueE+106>: test %ecx,%ecx
This is a high-frequency fuzzblocker on x86 that started popping up overnight. It is likely so frequent because it fails a test in the mjsunit test suite (or a very close variation of it). Crashes show evidence of memory corruption.
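The crash signature names the stub that coerces JavaScript arguments in place when a JIT-compiled caller enters a wasm export with values that are not already of the parameter type. The attached testcase is not reproduced on this page; the block below is an added illustration (not the fuzzer's testcase and not Mozilla code) of the kind of call that goes through such a coercion: a hot JS-to-wasm call whose i32 argument must be converted by ToInt32, including a valueOf that re-enters JavaScript in the middle of the call. The ToInt32 results are defined by the wasm JS API and are the same in any engine; the statement that SpiderMonkey routes this through a JIT-entry stub is my reading of the function name, not something this page verifies.

```javascript
// Added illustration, not the attached fuzzer testcase: a JS -> wasm call whose
// arguments need coercion, the situation handled by the in-place argument
// coercion stub named in the crash signature. The ToInt32 results below are
// spec-defined, so the observable behaviour is identical in any engine; which
// internal stub performs the coercion is engine-specific (assumption about
// SpiderMonkey's JIT entry path, not verified against this page).

// Hand-assembled module: (func (export "inc") (param i32) (result i32)
//   local.get 0  i32.const 1  i32.add)
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic, version
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f,       // type 0: (i32) -> i32
  0x03, 0x02, 0x01, 0x00,                               // func 0 uses type 0
  0x07, 0x07, 0x01, 0x03, 0x69, 0x6e, 0x63, 0x00, 0x00, // export "inc" = func 0
  0x0a, 0x09, 0x01, 0x07, 0x00, 0x20, 0x00, 0x41, 0x01, 0x6a, 0x0b, // code
]);

const instance = new WebAssembly.Instance(new WebAssembly.Module(WASM_BYTES));
const inc = instance.exports.inc;

// Calls the export in a loop so a tiering engine compiles the caller and takes
// its fast JS-to-wasm entry; every iteration still has to coerce `arg`.
function callHot(arg, iterations = 20000) {
  let last;
  for (let i = 0; i < iterations; i++) last = inc(arg);
  return last;
}

// Shows that argument coercion can re-enter JavaScript (valueOf) while the
// wasm call is being set up: the engine's frame state must survive that
// callback, which is exactly the window an in-place coercion stub lives in.
function coercionReenters() {
  let calls = 0;
  const boxed = { valueOf() { calls++; return 41; } };
  const result = callHot(boxed, 100);
  return { result, calls };
}

// ToInt32 edge cases any coercion path has to get right.
function edgeCases() {
  return {
    string: inc("41"),          // "41" -> 41 -> 42
    fraction: inc(1.9),         // truncates to 1 -> 2
    wrap: inc(2 ** 32 + 41),    // wraps modulo 2^32 -> 41 -> 42
    undef: inc(undefined),      // NaN -> 0 -> 1
    negative: inc(-1),          // -1 -> 0
    highBit: inc(2 ** 31),      // wraps to -2^31 -> -2147483647
  };
}

// A BigInt is not coercible to i32 and must be rejected with a TypeError
// before any wasm code runs.
function rejectsBigInt() {
  try {
    inc(1n);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

Running this under a debug SpiderMonkey shell with the flags from the description exercises the same coercion path repeatedly; in the bisected build range the real trigger is the attached testcase, which this block does not attempt to reproduce.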
Comment 1•4 years ago

Comment 2•4 years ago
Oh, I'm guessing this may be Dmitry's patch set, bug 1639153. Will try to verify.
Updated•4 years ago
Whiteboard: [bugmon:update,bisect][fuzzblocker] → [bugmon:update,bisected,confirmed][fuzzblocker]
Comment 3•4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200807033206-d51942b1e2d8.
The bug appears to have been introduced in the following build range:
> Start: af63ceb254223ee0868fb3ee05f17c50fd7938d4 (20200806154430)
> End: 95cbd137913873b3e3dddda4b4d895ce28e04048 (20200806215439)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=af63ceb254223ee0868fb3ee05f17c50fd7938d4&tochange=95cbd137913873b3e3dddda4b4d895ce28e04048
Comment 4•4 years ago
I'm crashing elsewhere with this test case:
Thread 1 received signal SIGSEGV, Segmentation fault.
RefPtr<js::wasm::Code const>::operator* (this=0x441f0fed)
at /home/lhansen/m-u/js/src/build-32-debug/dist/include/mozilla/RefPtr.h:357
357 MOZ_ASSERT(mRawPtr != nullptr,
This is my config:
export CC="clang -m32 -msse2 -mfpmath=sse"
export CXX="clang++ -m32 -msse2 -mfpmath=sse"
../configure --target=i686-pc-linux --enable-debug --disable-optimize --without-intl-api
The stack is not useful, it looks like jitted code.
Comment 5•4 years ago
Backing out Dmitry's changes removes the crash.
Updated•4 years ago
Has Regression Range: --- → yes
Updated•4 years ago
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Comment 6•4 years ago
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200809213940-d1de0bdfee4f. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Updated•4 years ago
Assignee: nobody → dbezhetskov
Group: javascript-core-security → core-security-release
status-firefox79: --- → unaffected
status-firefox80: --- → unaffected
status-firefox-esr68: --- → unaffected
status-firefox-esr78: --- → unaffected
Target Milestone: --- → 81 Branch
Updated•3 years ago
Group: core-security-release