Closed Bug 1876660 Opened 1 year ago Closed 1 year ago

Crash [@ __strlen_avx2] involving disnative

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
124 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox122 --- wontfix
firefox123 --- wontfix
firefox124 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: regression, testcase)

Attachments

(2 files)

stack
5.87 KB, text/plain
Details
Bug 1876660 - Fix OOM crash in ARM64Disassembler::ProcessOutput. r?iain!
48 bytes, text/x-phabricator-request
Details | Review
Attached file stack 
{
    function f() {};
    f();
    this.oomAtAllocation(5);
    let g = this.disnative;
    g(f);
}

(gdb) bt
#0  0x00007ffff7dbb199 in __strlen_avx2 () from /lib64/libc.so.6
#1  0x000055555770cd46 in captureDisasmText (text=0x0) at /home/skygentoo/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:1734
#2  0x00005555581ace99 in js::jit::ARM64Disassembler::ProcessOutput (this=0x7fffffffc010, instr=0x1b39593f4270)
    at /home/skygentoo/trees/mozilla-central/js/src/jit/Disassemble.cpp:49
#3  0x0000555557ef87bd in vixl::Decoder::VisitAddSubImmediate (this=<optimized out>, instr=0x1b39593f4270)
    at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/Decoder-vixl.cpp:897
#4  vixl::Decoder::DecodeAddSubImmediate (this=<optimized out>, instr=0x1b39593f4270) at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/Decoder-vixl.cpp:464
#5  0x000055555818444b in vixl::Decoder::Decode (this=0x7fffffffc048, instr=0x1b39593f4270)
    at /home/skygentoo/trees/mozilla-central/js/src/jit/arm64/vixl/Decoder-vixl.h:162
#6  js::jit::Disassemble (code=code@entry=0x1b39593f4270 "\237#", length=length@entry=768, callback=<optimized out>)
    at /home/skygentoo/trees/mozilla-central/js/src/jit/Disassemble.cpp:67
#7  0x00005555576d77fe in DisassembleNative (cx=0x7ffff772e100, argc=<optimized out>, vp=<optimized out>)
    at /home/skygentoo/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:1856
/snip

Run with --fuzzing-safe --no-threads --ion-eager, compile with AR=ar sh ../configure --enable-simulator=arm64 --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 3a36520bec3b.

Jan, perhaps bug 1875363 needs to be adapted for ARM64/aarch64 as well?

Flags: needinfo?(jdemooij)
Blocks: 1875363
Severity: -- → S4
Priority: -- → P3

:gkw, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit BugBot documentation.

Flags: needinfo?(nth10sd)

(In reply to BugBot [:suhaib / :marco/ :calixte] from comment #1)

could you fill (if possible) the regressed_by field?

Jan's probably the right person to answer this.

Flags: needinfo?(nth10sd)

Not adding the test because it doesn't repro on later revisions and this is just a minor issue
in the disassembler.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/85a703617705 Fix OOM crash in ARM64Disassembler::ProcessOutput. r=iain

https://hg.mozilla.org/mozilla-central/rev/85a703617705

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox124: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: