465145 - TM: Crash [@ js_FlushJITCache] or [@ TraceRecorder::popAbortStack]

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: opt and dbg crashlogs

this.__defineSetter__("x", function(){});
this.watch("x", function(){});
y = this;
for (var z = 0; z < 2; ++z) { x = y };
this.__defineSetter__("x", function(){});
for (var z = 0; z < 2; ++z) { x = y };


This crashes opt at the seemingly exploitable address of 0x000000003e0000f3 at js_FlushJITCache. It also crashes dbg at 0x0000000000000074 at TraceRecorder::popAbortStack.

This appears to be fairly recent but jsfunfuzz hits it often.

Comment 1

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: proposed fix

Sigh, the logic here is starting to get... disturbing.

js_Interpret uses wasDeepAborted to check whether a JIT cache flush already removed it off the stack.  The bug: I had the interpreter putting recorders on the stack even if they were already deep aborted.

This could be done cleaner but I'm more concerned about getting the fix in atm.

Comment 2

[David Anderson [:dvander] - inactive, e-mail if emergency]

Pushed fix as changeset: http://hg.mozilla.org/tracemonkey/rev/ebb3e752cb34

Comment 3

[Damon Sicore (:damons)]

reopening, marking blocking beta2, will close once landed on m-c.

Comment 4

[Mike Beltzner [:beltzner, not reading bugmail]]

Fixed in the merge pushed by vlad on Nov 18 14:11:14 2008 -0800:
http://hg.mozilla.org/mozilla-central/rev/e8ed5d4bf531

Comment 5

[Bob Clary [:bc] (inactive)]

Attachment: js1_5/extensions/regress-465145.js

Comment 6

[Bob Clary [:bc] (inactive)]

verified fixed mozilla-central, tracemonkey

Comment 7

[Bob Clary [:bc] (inactive)]

v 1.9.1, 1.9.2

Comment 8

[Bob Clary [:bc] (inactive)]

test checked into 1.9.0, 1.9.1, 1.9.2, tracemonkey. 1.9.3 will get picked up in the next merge.