Crash [@ __memset_sse2] or Crash [@ js::jit::Linker::newCode] (shell only)
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking
Branch | Tracking | Status
---|---|---
firefox-esr102 | --- | unaffected
firefox-esr115 | --- | unaffected
firefox114 | --- | unaffected
firefox115 | --- | unaffected
firefox116 | --- | verified
People
(Reporter: decoder, Assigned: jandem)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Crash Data
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20230613-e974af195c98 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):
setJitCompilerOption("write-protect-code", 0);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 __memset_sse2 () at ../sysdeps/x86_64/multiarch/../memset.S:78
#1 0x0000555557ce2de1 in js::jit::ExecutableAllocator::poisonCode(JSRuntime*, mozilla::Vector<js::jit::JitPoisonRange, 0ul, js::SystemAllocPolicy>&) ()
#2 0x0000555557730531 in JS::GCContext::poisonJitCode() ()
#3 0x0000555557804ea3 in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) ()
#4 0x000055555774d411 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) ()
#5 0x0000555557750b88 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) ()
#6 0x00005555577521e4 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) ()
#7 0x000055555771ab8a in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) ()
#8 0x0000555557154515 in JSRuntime::destroyRuntime() ()
#9 0x0000555556fd2a05 in js::DestroyContext(JSContext*) ()
#10 0x0000555556c06b84 in main ()
rax 0xd9f48033000 14977759129600
rbx 0x7ffff3e23760 140737285076832
rcx 0xd9f48033040 14977759129664
rdx 0x2b80 11136
rsi 0xed 237
rdi 0xd9f48033000 14977759129600
rbp 0x7fffffffd9e0 140737488345568
rsp 0x7fffffffd9a8 140737488345512
r8 0x0 0
r9 0x0 0
r10 0x0 0
r11 0x246 582
r12 0x1 1
r13 0x7ffff3e23000 140737285074944
r14 0x7ffff3e06a10 140737284958736
r15 0x18 24
rip 0x7ffff6dce294 <__memset_sse2+84>
=> 0x7ffff6dce294 <__memset_sse2+84>: movdqu %xmm0,(%rdi)
0x7ffff6dce298 <__memset_sse2+88>: and $0xffffffffffffffc0,%rcx
This is likely shell-only and caused by the recent changes that made W^X configurable.
Reporter
Comment 1•2 years ago

Reporter
Comment 2•2 years ago

Comment 3•2 years ago
Probably something minor where we forgot to reset the page access right correctly before poisoning the content.
Comment 4•2 years ago
Set release status flags based on info from the regressing bug 1837194
Comment 5•2 years ago
Verified bug as reproducible on mozilla-central 20230613152538-37def70ef369.
Unable to bisect testcase (Unable to launch the start build!):
Start: 466d30a90a012ce9d5a620c6d61b9176be8d8641 (20220615035543)
End: e974af195c9886356987dd99ba40ab25692c134c (20230613034225)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Assignee
Updated•2 years ago

Assignee
Comment 6•2 years ago
To support this we'd have to reprotect all of the allocated memory pages.
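The description, comment 3 and comment 6 together describe the failure mode: the JIT code pages were mapped read+execute while write-protect-code was on, the testcase then turned the option off at runtime, and the teardown GC's poisonCode() path trusted the flag and skipped lifting the protection, so memset wrote straight into RX pages. The C program below is an added example, not SpiderMonkey's code: the allocator, exec_alloc, poison_code, set_write_protect and run_scenario are assumed names modelling the shape of the bug, not js::jit::ExecutableAllocator. It reuses 0xed as the poison byte because that is the fill argument visible in rsi in the register dump. The fault is caught with sigsetjmp/siglongjmp so that the hazardous toggle (flag only) and the repair comment 6 describes (reprotect every allocated page when the option changes) can be compared in one process on Linux.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Toy model of a W^X code allocator; names are assumptions, not SpiderMonkey's. */
#define CODE_PAGES  4
#define POISON_BYTE 0xed   /* the memset fill byte seen in rsi in the crash */
#define PROT_RX  (PROT_READ | PROT_EXEC)
#define PROT_RWX (PROT_READ | PROT_WRITE | PROT_EXEC)

struct exec_alloc {
    uint8_t *base;          /* start of the code pages */
    size_t   len;           /* total mapped length */
    bool     write_protect; /* the "write-protect-code" option */
};

/* Map code pages as the allocator would at startup: RX with W^X on, RWX with it off. */
static int exec_alloc_init(struct exec_alloc *ea, bool write_protect)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    ea->len = (size_t)page * CODE_PAGES;
    ea->write_protect = write_protect;
    ea->base = mmap(NULL, ea->len, write_protect ? PROT_RX : PROT_RWX,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return ea->base == MAP_FAILED ? -1 : 0;
}

/* Catch the write fault instead of dying, so both scenarios run in one process. */
static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* memset() that reports a SIGSEGV rather than crashing, which is where
 * __memset_sse2 died in the report. */
static bool memset_faults(void *p, int byte, size_t n)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    volatile bool faulted = true;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        memset(p, byte, n);
        faulted = false;
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Shape of the bug: only lift protection when the option is currently on,
 * trusting that pages are already writable otherwise. That trust is wrong
 * when the option was switched off after the pages were mapped RX. */
static bool poison_code(struct exec_alloc *ea)
{
    if (ea->write_protect) mprotect(ea->base, ea->len, PROT_RWX);
    bool faulted = memset_faults(ea->base, POISON_BYTE, ea->len);
    if (ea->write_protect) mprotect(ea->base, ea->len, PROT_RX);
    return !faulted;
}

/* Runtime toggle. reprotect=false only flips the flag (the hazard);
 * reprotect=true also changes the permissions of every page already
 * allocated, which is what comment 6 says a real toggle would require. */
static void set_write_protect(struct exec_alloc *ea, bool on, bool reprotect)
{
    ea->write_protect = on;
    if (reprotect) mprotect(ea->base, ea->len, on ? PROT_RX : PROT_RWX);
}

/* Start with W^X on (pages RX), turn it off at runtime as the testcase does,
 * then poison. Returns 1 if every byte was poisoned, 0 if the write faulted,
 * -1 if the mapping could not be set up. */
static int run_scenario(bool reprotect_on_toggle)
{
    struct exec_alloc ea;
    if (exec_alloc_init(&ea, true) != 0) return -1;
    set_write_protect(&ea, false, reprotect_on_toggle);
    int result = 0;
    if (poison_code(&ea)) {
        result = 1;
        for (size_t i = 0; i < ea.len; i++)
            if (ea.base[i] != POISON_BYTE) { result = 0; break; }
    }
    munmap(ea.base, ea.len);
    return result;
}

int main(void)
{
    printf("flag-only toggle: %d (0 = memset faulted, as in the report)\n", run_scenario(false));
    printf("reprotect toggle: %d (1 = poisoned cleanly)\n", run_scenario(true));
    return 0;
}
```

The check a practitioner would add to any allocator with a runtime W^X switch is the one run_scenario(true) exercises: the permission state of already-mapped pages must be changed in the same step as the option flag, or the flag must be frozen once code has been allocated, because every later "is it writable" decision is derived from the flag, not from the actual page protection.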
Updated•2 years ago

Comment 8•2 years ago
bugherder

Comment 9•2 years ago
Verified bug as fixed on rev mozilla-central 20230615214334-272d7188fe71.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 10•2 years ago
Set release status flags based on info from the regressing bug 1835876