Closed Bug 630048 Opened 13 years ago Closed 13 years ago

Crash in Method JIT generated code

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+

People

(Reporter: decoder, Assigned: dvander)

Details

(Keywords: crash, testcase, Whiteboard: [softblocker][fixed-in-tracemonkey])

Attachments

(2 files)

Shell testcase, unpack and run with "js -m -f main.js"
928 bytes, application/x-compressed-tar
Details
fix
823 bytes, patch
dmandelin
: review+
Details | Diff | Splinter Review 
The attached testcase will crash TM tip (tested on 64 bit). It consists of multiple files (I minimized this but wasn't able to fully combine all files), run like this after unpacking:

$ ./js -m -f main.js
Evaluation complete
TypeError: SECTION is undefined
TypeError: SECTION is undefined
Segmentation fault

Debugging information:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f979fd in ?? ()
(gdb) bt
#0  0x00007ffff7f979fd in ?? ()
#1  0x00007ffff7f98000 in ?? ()
#2  0x0000000000000027 in ?? ()
#3  0xfffafffff69130e0 in ?? ()
[...]
#18 0x000000000064d3ba in js::mjit::EnterMethodJIT (cx=0x7ffff7f979d9, fp=0x7fffffffc750, code=0x7ffff69121a0, stackLimit=0x7ffff690be80) at ./methodjit/MethodJIT.cpp:748
Backtrace stopped: frame did not save the PC


(gdb) x/8i $pc 
=> 0x7ffff7f979fd:      mov    0x14(%r9),%edi
   0x7ffff7f97a01:      cmp    $0x8fffffff,%edi
   0x7ffff7f97a07:      jne    0x7ffff7f97b49
   0x7ffff7f97a0d:      mov    0x40(%r9),%r9
   0x7ffff7f97a11:      mov    0x1000000(%r9),%rdi
   0x7ffff7f97a18:      mov    %r14,%r9
   0x7ffff7f97a1b:      and    %rdi,%r9
   0x7ffff7f97a1e:      xor    %r9,%rdi


At first glance, this could be an illegal write to a NULL pointer class/struct field, but I cannot tell for sure, so locking this.
blocking2.0: --- → ?
Attached patch fixSplinter Review 
Nice catch. An opcode was missing in the bytecode analyzer. This only has an effect when the trace JIT is off (which is when we use the analyzer's use-def results).
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #508321 - Flags: review?(dmandelin)
blocking2.0: ? → final+
Whiteboard: softblocker
Attachment #508321 - Flags: review?(dmandelin) → review+
http://hg.mozilla.org/tracemonkey/rev/62ba32799f6f
Whiteboard: softblocker → [softblocker][fixed-in-tracemonkey]
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: