Open Bug 1827160 Opened 2 years ago Updated 9 months ago

test asm.js/testBug1301191.js would segment fault when don't have right to selfhosted-xdr-path

Categories

(Core :: JavaScript Engine, defect, P3)

Firefox 109
defect


UNCONFIRMED

People

(Reporter: yahan, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.57

Steps to reproduce:

I am running asm.js/testBug1301191.js under gdb on riscv64 and break on js/src/shell/js.cpp:11223. Then I print "p cx->zone()"; the result is "$1 = (JS::Zone *) 0x0".

Thread 1 received signal SIGSEGV, Segmentation fault.
JS::shadow::Zone::isAtomsZone (this=0x0) at /home/luyahan/source/gecko/obj-opt-riscv64-unknown-linux-gnu/dist/include/js/shadow/Zone.h:111
111       bool isAtomsZone() const { return kind_ == AtomsZone; }
(gdb) bt
#0  JS::shadow::Zone::isAtomsZone (this=0x0) at /home/luyahan/source/gecko/obj-opt-riscv64-unknown-linux-gnu/dist/include/js/shadow/Zone.h:111
#1  0x00000040023b7e40 in JSLinearString::newValidLength<(js::AllowGC)1, unsigned char> (cx=0x4008030100, chars=..., length=40, heap=js::gc::DefaultHeap)
    at /home/luyahan/source/gecko/js/src/vm/StringType-inl.h:283
#2  0x00000040023b7da4 in js::NewStringCopyNDontDeflateNonStaticValidLength<(js::AllowGC)1, unsigned char> (cx=0x4008030100, 
    s=0x400801b600 "Can't open self-hosted stencil XDR file.", n=40, heap=js::gc::DefaultHeap) at /home/luyahan/source/gecko/js/src/vm/StringType.cpp:1674
#3  0x00000040023b8316 in js::NewStringCopyNDontDeflate<(js::AllowGC)1, unsigned char> (cx=0x4008030100, 
    s=0x400801b600 "Can't open self-hosted stencil XDR file.", n=40, heap=js::gc::DefaultHeap) at /home/luyahan/source/gecko/js/src/vm/StringType.cpp:1694
#4  0x00000040023b864a in js::NewStringCopyN<(js::AllowGC)1, unsigned char> (cx=0x4008030100, s=0x400801b600 "Can't open self-hosted stencil XDR file.", 
    n=40, heap=js::gc::DefaultHeap) at /home/luyahan/source/gecko/js/src/vm/StringType.cpp:1733
#5  0x00000040023ab402 in js::NewStringCopyUTF8N (cx=0x4008030100, utf8=..., heap=js::gc::DefaultHeap)
    at /home/luyahan/source/gecko/js/src/vm/StringType.cpp:1807
#6  0x0000004001d59530 in js::NewStringCopyUTF8Z (cx=0x4008030100, utf8=..., heap=js::gc::DefaultHeap)
    at /home/luyahan/source/gecko/js/src/vm/StringType.h:1541
#7  0x00000040025af88a in JS_NewStringCopyUTF8Z (cx=0x4008030100, s=...) at /home/luyahan/source/gecko/js/src/jsapi.cpp:2985
#8  0x00000040025b4f2c in JSErrorBase::newMessageString (this=0x40063bc850, cx=0x4008030100) at /home/luyahan/source/gecko/js/src/jsapi.cpp:3861
#9  0x00000040025bca02 in js::ErrorToException (cx=0x4008030100, reportp=0x40063bc850, callback=0x40020783e0 <js::GetErrorMessage(void*, unsigned int)>, 
    userRef=0x0) at /home/luyahan/source/gecko/js/src/jsexn.cpp:321
#10 0x000000400207d584 in ReportError (cx=0x4008030100, reportp=0x40063bc850, callback=0x0, userRef=0x0)
    at /home/luyahan/source/gecko/js/src/vm/ErrorReporting.cpp:149
#11 0x000000400207dbe8 in js::ReportErrorVA (cx=0x4008030100, isWarning=js::IsWarning::No, 
    format=0x4000314c60 "Can't open self-hosted stencil XDR file.", argumentsType=js::ArgumentsAreUTF8, ap=0x40063bc900)
    at /home/luyahan/source/gecko/js/src/vm/ErrorReporting.cpp:553
#12 0x00000040025b3dda in JS_ReportErrorUTF8 (cx=0x4008030100, format=0x4000314c60 "Can't open self-hosted stencil XDR file.")
    at /home/luyahan/source/gecko/js/src/jsapi.cpp:3592
#13 0x0000004001cf0c72 in WriteSelfHostedXDRFile (cx=0x4008030100, buffer=...) at /home/luyahan/source/gecko/js/src/shell/js.cpp:10972
#14 0x0000004002338f08 in JSRuntime::initSelfHostingStencil (this=0x4008023000, cx=0x4008030100, xdrCache=..., 
    xdrWriter=0x4001cf0c04 <WriteSelfHostedXDRFile(JSContext*, mozilla::Span<unsigned char const, 18446744073709551615ul>)>)
    at /home/luyahan/source/gecko/js/src/vm/SelfHosting.cpp:2493
#15 0x00000040020e3c04 in JS::InitSelfHostedCode (cx=0x4008030100, cache=..., 
    writer=0x4001cf0c04 <WriteSelfHostedXDRFile(JSContext*, mozilla::Span<unsigned char const, 18446744073709551615ul>)>)
    at /home/luyahan/source/gecko/js/src/vm/Initialization.cpp:220
#16 0x0000004001cecf12 in main (argc=19, argv=0x40063bd3b8) at /home/luyahan/source/gecko/js/src/shell/js.cpp:11223

I found that it passes the argument `--selfhosted-xdr-path /tmp/tmp9w62cfna/shell.xdr' to the js shell.
It can't open this file because it doesn't have the right to /tmp/tmp9w62cfna.
After I mkdir it, it passes.

Actual results:

Thread 1 received signal SIGSEGV, Segmentation fault.

Expected results:

Pass

Summary: test → test asm.js/testBug1301191.js would segment fault when don't have right to selfhosted-xdr-path

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → JavaScript Engine
Product: Firefox → Core

The problem described here is related to a JS shell feature which is about providing a file which contains the cached content of the self-hosted stencil.
This API is used to optimize the test-suite execution, as well as to emulate what is happening between the parent and child processes, where the parent process would serialize the self-hosted stencil and the children would decode it.

The access rights described here are only a JS shell issue which does not affect Firefox nor the test suite execution.
This should probably be fixed by having an early error to handle it.

Blocks: sm-meta
Severity: -- → S4
Priority: -- → P3
Flags: needinfo?(nicolas.b.pierron)
Blocks: sm-runtime
No longer blocks: sm-meta
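To show the failure ordering behind the backtrace and the "early error" the comment above proposes, here is an added C example; it is not SpiderMonkey code. `shell_ctx`, `late_report_error`, `check_xdr_path_early`, `write_xdr_file` and `shell_startup` are hypothetical stand-ins for JSContext, JS_ReportErrorUTF8, WriteSelfHostedXDRFile and the shell's main(). The model is the one the trace shows: the runtime's error reporter needs cx->zone() to allocate the message string, so an open failure during self-hosting initialisation cannot be reported through it yet. The fix modelled here is to validate the XDR path's directory before any runtime state exists and fail with plain stderr output.

```c
#include <errno.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for JSContext: cx->zone() is still NULL while
 * JS::InitSelfHostedCode runs, which is exactly when the XDR file is written. */
struct shell_ctx {
    void *zone;  /* NULL until runtime initialisation has finished */
};

/* Models the runtime error reporter.  Returns 0 when the error could be
 * reported and -1 when the context is not ready; the real reporter has no
 * such guard and dereferences the NULL zone (frame #0 in the backtrace). */
static int late_report_error(const struct shell_ctx *cx, const char *msg) {
    if (cx->zone == NULL) {
        return -1;
    }
    fprintf(stderr, "JS error: %s\n", msg);
    return 0;
}

/* Stand-in for WriteSelfHostedXDRFile with the original ordering: open the
 * cache file and, on failure, report through the runtime.
 * Returns 0 on success, -1 if the open failed and was reported, and -2 if
 * the open failed and reporting was impossible (the crash case). */
static int write_xdr_file(const struct shell_ctx *cx, const char *path,
                          const void *buf, size_t len) {
    FILE *f = fopen(path, "wb");
    if (f == NULL) {
        const char *msg = "Can't open self-hosted stencil XDR file.";
        return late_report_error(cx, msg) == 0 ? -1 : -2;
    }
    size_t written = fwrite(buf, 1, len, f);
    fclose(f);
    return written == len ? 0 : -1;
}

/* Early check, run before any runtime state exists: the directory that will
 * hold the XDR cache must exist and be writable and searchable.
 * Returns 0 if usable, otherwise the errno value (ENOENT, EACCES, ...). */
static int check_xdr_path_early(const char *xdr_path) {
    size_t n = strlen(xdr_path) + 1;
    char *copy = malloc(n);  /* dirname() may modify its argument */
    if (copy == NULL) {
        return errno;
    }
    memcpy(copy, xdr_path, n);
    int rc = 0;
    if (access(dirname(copy), W_OK | X_OK) != 0) {
        rc = errno;
    }
    free(copy);
    return rc;
}

/* Shell start-up with the check moved in front of initialisation.
 * Returns the exit status: 0 on success, 1 when the XDR path is unusable.
 * The failure goes to stderr directly because no JSContext exists yet. */
static int shell_startup(const char *xdr_path, struct shell_ctx *cx) {
    int err = check_xdr_path_early(xdr_path);
    if (err != 0) {
        fprintf(stderr, "Can't use self-hosted XDR path %s: %s\n",
                xdr_path, strerror(err));
        return 1;
    }
    /* Only now initialise the runtime (stand-in for JS::InitSelfHostedCode);
     * from here on cx->zone is valid and the runtime reporter is safe. */
    static int fake_zone;
    cx->zone = &fake_zone;
    return 0;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "./shell.xdr";
    struct shell_ctx cx = { .zone = NULL };
    if (shell_startup(path, &cx) != 0) {
        return 1;  /* clean exit instead of a SIGSEGV inside error reporting */
    }
    static const unsigned char stencil[] = "constructed stencil bytes";
    return write_xdr_file(&cx, path, stencil, sizeof stencil) == 0 ? 0 : 1;
}
```

Run it as `./a.out /tmp/tmp9w62cfna/shell.xdr` with that directory missing and it exits 1 with a readable message; with the check removed, the same input reaches `write_xdr_file` while `cx.zone` is NULL, which is the path the backtrace shows. The check uses `access()` on the parent directory rather than creating the file, so it reports the problem without leaving an empty cache behind.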