642159 - JM: Crash [@ js::PutEscapedStringImpl] // Memory corruption

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

Attachment: Shell testcase, unpack and run js -n -a -m main1.js

The attached test case (extract, chdir and run with "js -n -a -m main1.js") produces the following crash on JM tip (tested on 64 bit):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f6ac3110720 (LWP 26345)]
0x00000000005b51d4 in js::PutEscapedStringImpl (buffer=0x0, bufferSize=99, fp=0x0, str=0x7f6ac233ded8, quote=0) at jsstr.cpp:6061
6061                u = *chars++;
(gdb) bt
#0  0x00000000005b51d4 in js::PutEscapedStringImpl (buffer=0x0, bufferSize=99, fp=0x0, str=0x7f6ac233ded8, quote=0) at jsstr.cpp:6061
#1  0x0000000000439af3 in js::PutEscapedString (
    buffer=0xb09d8c "\\uDEB8\\uC233\\u7F6A\\x00\\uDEB8\\uC233\\u7F6A\\x00\\uDEC8\\uC233\\u7F6A\\x00\\uDEC8\\uC233\\u7F6A\\x00\\uDED8\\uC23", size=100, str=0x7f6ac233ded8, quote=0)
    at jsstr.h:1054
#2  0x00000000004e0792 in js::types::TypeIdStringImpl (id={asBits = 140096501440216}) at jsinfer.cpp:133
#3  0x0000000000405341 in TypeIdString (id={asBits = 140096501440216}) at ../jsinferinlines.h:127
#4  0x0000000000414d9c in js::types::TypeObject::name (this=0x7f6ac233dee8) at ./jsinferinlines.h:1123
#5  0x00000000004e095f in js::types::TypeString (type=140096501440232) at jsinfer.cpp:186
#6  0x00000000004be9b8 in JSScript::typeSetArgument (this=0x261f720, cx=0x2593be0, arg=0, type=140096501440232) at ./jsinferinlines.h:642
#7  0x0000000000710a63 in UncachedInlineCall (f=@0x7fff121843d0, flags=0, pret=0x7fff12184320, unjittable=0x7fff12184328, argc=1, argTypes=0x261a4b0)
    at ./methodjit/InvokeHelpers.cpp:372
#8  0x00000000007110e6 in js::mjit::stubs::UncachedCallHelper (f=@0x7fff121843d0, argc=1, argTypes=0x261a4b0, ucr=0x7fff12184310) at ./methodjit/InvokeHelpers.cpp:496
#9  0x00000000006f5bd1 in CallCompiler::update (this=0x7fff12184390) at ./methodjit/MonoIC.cpp:973
#10 0x00000000006efb51 in js::mjit::ic::Call (f=@0x7fff121843d0, ic=0x2621218) at ./methodjit/MonoIC.cpp:1033
#11 0x00007f6ac1bb6864 in ?? ()
#12 0x00007f6ac1bb2f70 in ?? ()
#13 0x0000000002624030 in ?? ()
#14 0x00007f6ac1a06700 in ?? ()
#15 0x00007fff12185290 in ?? ()
#16 0x0000000000000000 in ?? ()


The test case is not stable under minimization and switched between asserts and crash, the original assertion was: 

Assertion failure: !isRope(), at ../jsstr.h:335

Might be hard to reproduce, could be a gc related problem or other non-deterministic memory corruption. This is security relevant as soon as the code is merged with TM.

Comment 1

[Brian Hackett [Laid off!]]

This works for me.  Looking at the stack trace, this definitely could have been fixed by the below cset, which fixed a use-after-free bug when sweeping type data that could leave rubbish pointers (and jsids).  The only problem with this theory is that this test never GCs.  No problems reported by valgrind on x86 or x64.

http://hg.mozilla.org/projects/jaegermonkey/rev/0548f6d12aa6

Reopen if you can still repro.

Comment 2

[Christian Holler (:decoder)]

I can confirm that it does no longer repro on tip (but still on the older revision).

Comment 3

[Christian Holler (:decoder)]

This still exists on tip, working on a new test case now.

Comment 4

[Christian Holler (:decoder)]

Attachment: shell testcase, unpack, chdir and run main.js with options "-n -m -a"

New test case

Comment 5

[Brian Hackett [Laid off!]]

OK, I can repro now.  Thanks!

Comment 6

[Brian Hackett [Laid off!]]

Oops, stupid typo could leave a ClonedTypeSet pointing to a freed array, rather than an element of the array.

http://hg.mozilla.org/projects/jaegermonkey/rev/5f46e05ceecb

Comment 7

[Christian Holler (:decoder)]

I'm still hitting this.. or again. I'll try to reproduce again and get a new testcase.

Comment 8

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to comment #7)
> I'm still hitting this.. or again. I'll try to reproduce again and get a new
> testcase.

See bug 643243