Closed Bug 693144 Opened 13 years ago Closed 13 years ago

Crash [@ js::mjit::EnterMethodJIT] with typed array and TI

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
firefox9 + fixed
firefox10 + fixed
status1.9.2 --- unaffected

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?][qa-])

Crash Data

Attachments

(1 file)

The following test crashes on mozilla-central revision b4da2d439cbc (options -m -n -a):

    function f() {
      var oa = [];
      for (var i = 0; i < 8; ++i) {
        var o = {};
        oa[(new Int32Array(ArrayBuffer.prototype).length)] = o;
      }
    }
    f();

This also affects aurora. As the -n switch (TI) seems to be required, I assume it does not affect beta/release.

Backtrace from m-c debug build:

    ==3713== Invalid write of size 8
    ==3713==    at 0x403A464: ???
    ==3713==    by 0x6E6C51: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:884)
    ==3713==    by 0x6E6E71: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:945)
    ==3713==    by 0x6E6FC1: js::mjit::JaegerShotAtSafePoint(JSContext*, void*, bool) (MethodJIT.cpp:972)
    ==3713==    by 0x502930: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2174)
    [...]
    ==3713==  Address 0xffc4000006d07278 is not stack'd, malloc'd or (recently) free'd

    (gdb) x /2i $pc
    => 0x7ffff7f624c0: mov    %r10,(%r9,%r12,8)
       0x7ffff7f624c4: mov    0x70(%rbx),%r12
    (gdb) info registers r9 r10 r12
    r9             0x7ffff6007278      140737320612472
    r10            0xfffbfffff6009230  -1125900074577360
    r12            0xfff8800000000000  -2111062325329920
Attached patch patchSplinter Review
When hoisting <typed array>.length, loadPtr was used to get an int32 out of a fixed slot holding the typed array length, which leaves the high bits still holding the type tag on x64.
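The mechanism described in the reporter's register dump and in the patch comment above, as an added illustration in C (not code from this bug, the patch, or SpiderMonkey): on x64 an int32 lives in a 64-bit boxed Value with a tag in the high bits, so a hoisted loadPtr that reads the whole slot instead of its low 32 bits turns the tag into part of the array index. The tag constant 0xfff8800000000000 is the r12 value from the gdb output and is assumed here to be the int32 tag with payload 0 (the length of the typed array in the testcase); the base address is r9 from the same dump, while the capacity of 8 and every function name are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed boxing layout (matches the r12 value in the bug's register dump):
 * a 64-bit Value holding an int32 is <tag in high bits> | <32-bit payload>.
 * With payload 0 the whole word is the bare tag, 0xfff8800000000000. */
#define SHIFTED_TAG_INT32 0xfff8800000000000ULL

typedef uint64_t Value;

/* Box an int32 the way the fixed slot stores the typed array length. */
Value box_int32(int32_t payload) {
    return SHIFTED_TAG_INT32 | (uint32_t)payload;
}

/* Buggy hoisted load (the loadPtr in the patch comment): the entire 64-bit
 * slot, tag bits included, becomes the "length". */
uint64_t buggy_hoisted_length(int32_t length) {
    Value slot = box_int32(length);
    return slot;                       /* loadPtr semantics: full word */
}

/* Fixed hoisted load: only the 32-bit payload is the length. */
uint32_t fixed_hoisted_length(int32_t length) {
    Value slot = box_int32(length);
    return (uint32_t)slot;             /* load32 semantics: low half only */
}

/* Address arithmetic of the faulting `mov %r10,(%r9,%r12,8)`:
 * base + index * 8, with 64-bit wraparound, exactly as the CPU computes it. */
uint64_t element_address(uint64_t base, uint64_t index) {
    return base + index * 8u;
}

/* The check a correct index passes and the tagged word cannot. */
bool index_in_bounds(uint64_t index, uint32_t capacity) {
    return index < capacity;
}

int main(void) {
    const uint64_t base = 0x7ffff6007278ULL;   /* r9 from the gdb output */
    const uint32_t capacity = 8;               /* constructed dense-array size */

    uint64_t bad = buggy_hoisted_length(0);    /* testcase: .length is 0 */
    uint32_t good = fixed_hoisted_length(0);

    printf("loadPtr index  = 0x%016llx  in bounds: %d\n",
           (unsigned long long)bad, index_in_bounds(bad, capacity));
    printf("load32  index  = %u  in bounds: %d\n",
           good, index_in_bounds(good, capacity));
    printf("store address  = 0x%016llx (buggy) vs 0x%016llx (fixed)\n",
           (unsigned long long)element_address(base, bad),
           (unsigned long long)element_address(base, good));
    return 0;
}
```

The buggy path yields an index of 0xfff8800000000000, which no bounds check can accept and which scales by 8 into a store far outside the array, the same shape of address valgrind reports as "not stack'd, malloc'd or (recently) free'd"; the fixed path yields index 0 and a store at the array's first element.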
Assignee: general → bhackett1024
Attachment #566262 - Flags: review?(dvander)
Whiteboard: js-triage-needed → [sg:critical?]
Attachment #566262 - Flags: review?(dvander) → review+
Attachment #566262 - Flags: approval-mozilla-aurora?
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 566262 [details] [diff] [review] patch Approved for mozilla-aurora
Attachment #566262 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Can someone who is already set up to reproduce this bug please verify the fix?
Whiteboard: [sg:critical?] → [sg:critical?][qa-]
Verified fixed on Firefox 9 and 10.
Group: core-security
Status: RESOLVED → VERIFIED
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+