Closed Bug 693144 Opened 8 years ago Closed 8 years ago

Crash [@ js::mjit::EnterMethodJIT] with typed array and TI

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
Tracking Status
firefox9 + fixed
firefox10 + fixed
status1.9.2 --- unaffected

People

(Reporter: decoder, Assigned: bhackett1024)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?][qa-])

Crash Data

Attachments

(1 file)

The following test crashes on mozilla-central revision b4da2d439cbc (options -m -n -a):


function f() {
  var oa = [];
  for (var i = 0; i < 8; ++i) {
    var o = {};
    oa[(new Int32Array(ArrayBuffer.prototype).length)] = o;
  }
}
f();


This also affects aurora. As the -n switch (TI) seems to be required, I assume it does not affect beta/release.

Backtrace from m-c debug build:

==3713== Invalid write of size 8
==3713==    at 0x403A464: ???
==3713==    by 0x6E6C51: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:884)
==3713==    by 0x6E6E71: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:945)
==3713==    by 0x6E6FC1: js::mjit::JaegerShotAtSafePoint(JSContext*, void*, bool) (MethodJIT.cpp:972)
==3713==    by 0x502930: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2174)
[...]
==3713==  Address 0xffc4000006d07278 is not stack'd, malloc'd or (recently) free'd


(gdb) x /2i $pc
=> 0x7ffff7f624c0:      mov    %r10,(%r9,%r12,8)
   0x7ffff7f624c4:      mov    0x70(%rbx),%r12
(gdb) info registers r9 r10 r12
r9             0x7ffff6007278   140737320612472
r10            0xfffbfffff6009230       -1125900074577360
r12            0xfff8800000000000       -2111062325329920
Attached patch: patch
When hoisting <typed array>.length, loadPtr was used to get an int32 out of a fixed slot holding the typed array length, which leaves the high bits still holding the type tag on x64.
Assignee: general → bhackett1024
Attachment #566262 - Flags: review?(dvander)
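The x64 value encoding that the patch comment refers to, as an added example that is not part of this bug's patch or of SpiderMonkey's source: it boxes an int32 and an object pointer with the 17-bit tag layout SpiderMonkey's jsval.h used at the time (tag shift 47, JSVAL_TAG_MAX_DOUBLE 0x1FFF0, type codes 0x01 for int32 and 0x07 for object; these constants are assumed from that header, not quoted from the bug) and contrasts a full 64-bit loadPtr of the slot with a 32-bit load of the payload. The register values it reproduces (r9, r10, r12) are the ones from the gdb output above.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 "punboxed" JS::Value layout, assumed from SpiderMonkey's jsval.h of
 * the 2011 era (not quoted from this bug):
 *   bits 63..47: 17-bit tag = JSVAL_TAG_MAX_DOUBLE | JSVAL_TYPE_*
 *   bits 46..0 : payload (int32 in the low 32 bits, object pointer in 47 bits)
 * Doubles use the whole word; every tag above JSVAL_TAG_MAX_DOUBLE is a NaN. */
#define JSVAL_TAG_SHIFT      47
#define JSVAL_TAG_MAX_DOUBLE 0x1FFF0u
#define JSVAL_TYPE_INT32     0x01u
#define JSVAL_TYPE_OBJECT    0x07u

static uint64_t shifted_tag(uint32_t type)
{
    return (uint64_t)(JSVAL_TAG_MAX_DOUBLE | type) << JSVAL_TAG_SHIFT;
}

/* Box an int32 the way it sits in a typed array's fixed length slot. */
uint64_t box_int32(int32_t i)
{
    return shifted_tag(JSVAL_TYPE_INT32) | (uint32_t)i;
}

/* Box an object pointer (user-space pointers fit in 47 bits). */
uint64_t box_object(uintptr_t p)
{
    return shifted_tag(JSVAL_TYPE_OBJECT) | (uint64_t)p;
}

/* The bug: loadPtr reads the whole 64-bit slot and the JIT uses that word as
 * the element index, tag bits included. */
uint64_t index_via_loadPtr(uint64_t slot)
{
    return slot;
}

/* The fix: read only the 32-bit payload (load32) and use that as the index. */
uint64_t index_via_load32(uint64_t slot)
{
    return (uint32_t)slot;
}

/* Effective address of `mov %r10,(%r9,%r12,8)`: base + index*8, mod 2^64. */
uint64_t element_address(uint64_t base, uint64_t index)
{
    return base + index * 8u;
}

int main(void)
{
    uint64_t len_slot = box_int32(0);              /* typed array of length 0 */
    uint64_t base     = UINT64_C(0x7ffff6007278);  /* r9 in the gdb session above */
    uint64_t bad_idx  = index_via_loadPtr(len_slot);
    uint64_t good_idx = index_via_load32(len_slot);

    printf("slot holding length 0   : 0x%016" PRIx64 "\n", len_slot);
    printf("boxed pointer to o      : 0x%016" PRIx64 "\n",
           box_object(UINT64_C(0x7ffff6009230)));
    printf("index via loadPtr (bug) : 0x%016" PRIx64 "\n", bad_idx);
    printf("store address (bug)     : 0x%016" PRIx64 "\n",
           element_address(base, bad_idx));
    printf("index via load32 (fixed): %" PRIu64 "\n", good_idx);
    return 0;
}
```

Under that encoding, r12 = 0xfff8800000000000 is exactly the boxed int32 0, i.e. the typed array's length with its tag still attached, and r10 = 0xfffbfffff6009230 is the boxed pointer to `o`. The faulting store then lands at r9 + r12*8 with 64-bit wraparound, which is why Valgrind reports an address that no allocator ever handed out; with a 32-bit load of the payload the index is 0 and the store hits `oa[0]`.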
Whiteboard: js-triage-needed → [sg:critical?]
Attachment #566262 - Flags: review?(dvander) → review+
Attachment #566262 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/90bbf471c432
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment on attachment 566262 (patch)

Approved for mozilla-aurora
Attachment #566262 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Can someone who is already set up to reproduce this bug please verify the fix?
Whiteboard: [sg:critical?] → [sg:critical?][qa-]
Verified fixed on Firefox 9 and 10.
Group: core-security
Status: RESOLVED → VERIFIED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+