Closed Bug 713209 Opened 13 years ago Closed 13 years ago

Crash [@ __memcpy_ssse3_rep] through JSRope::flatten

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla10
Tracking Status
firefox9 + affected
firefox10 + verified
firefox11 + verified
firefox12 + verified
firefox-esr10 10+ verified
status1.9.2 --- unaffected

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical][qa+:ashughes] js-triage-needed)

Crash Data

Attachments

(1 file)

The following test crashes on mozilla-central revision c5b90ea7e475 (options -m -n -a, 32 bit only):

var save__proto__ = __proto__;
__proto__ = save__proto__;
function bar(x, y) {
  return x + y;
}
function foo(x, y) {
  var a = 0;
  for (var i = 0; i < 1000; i++) {
    a += (this.toString);
    a += bar(x, y);
    a = bar(x, (a));
    a += bar(x, y);
  }
  return a;
}
var q = foo(0, 1);
print(q.toSource());

Backtrace:

#0 __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1293
#1 0x08243150 in js::PodCopy<unsigned short> (dst=0xd477d008, src=0xf7400160, nelem=259260942) at ../jsutil.h:322
#2 0x08243dd6 in JSRope::flattenInternal<(JSRope::UsingBarrier)1> (this=0xf741db00, maybecx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.cpp:225
#3 0x08242431 in JSRope::flatten (this=0xf741db00, maybecx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.cpp:268
#4 0x08086f4c in JSString::ensureLinear (this=0xf741db00, cx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.h:822
#5 0x08086ebc in JSString::getChars (this=0xf741db00, cx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.h:804
#6 0x0817ef10 in QuoteString (sp=0xffffc804, str=0xf741db00, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:872
#7 0x0817f269 in js_QuoteString (cx=0x8545568, str=0xf741db00, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:940
#8 0x081c8c52 in str_toSource (cx=0x8545568, argc=0, vp=0xf76ea068) at /srv/repos/mozilla-central/js/src/jsstr.cpp:536
#9 0x08140a8c in js::CallJSNative (cx=0x8545568, native=0x81c8ba4 <str_toSource(JSContext*, uintN, JS::Value*)>, args=...) at ../jscntxtinlines.h:311
#10 0x08123de2 in js::InvokeKernel (cx=0x8545568, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:625
#11 0x08132ad0 in js::Interpret (cx=0x8545568, entryFrame=0xf76ea020, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:3506
#12 0x0829e62c in js::mjit::EnterMethodJIT (cx=0x8545568, fp=0xf76ea020, code=0xf73ce050, stackLimit=0xf7aca000, partial=false) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1093

S-s and sg:critical due to obvious memory hazard (probably buffer overflow).
Wow, this one is tough. It affects all shells I have tested (release, beta, aurora, central) in opt32 and dbg32 modes.
Crash Signature: [@ __memcpy_ssse3_rep] [@ JSRope::flatten]
I looked at this quickly. It only repros with -m -n -a, so seems related to TI. The 'str' passed to js_QuoteString seems to have been trashed: it is in a FINALIZE_STRING arena, but its length is garbage (that makes it look like a rope). Interestingly, when viewed as a rope, the "left" child points to a GC thing in FINALIZE_OBJECT2.
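The backtrace in comment 0 already tells a triager most of what the later analysis confirms: the fault is inside a bulk copy, the copy length handed to js::PodCopy is far beyond anything the testcase could build, and rope flattening is the path that consumed the bad length. The helper below is an added example (not a comment from this bug thread and not SpiderMonkey code) that parses gdb frames of this shape and derives those facts. The four-frame sample is copied from the backtrace above; the element-width table and the 64 MiB plausibility threshold are assumptions of the helper, not values from the bug.

```python
import re

# Constructed sample: four frames copied from the gdb backtrace in comment 0 of this
# bug, embedded as a string so the helper runs offline. The frame format is the one
# gdb prints ("#N [0xADDR in] FUNC (ARGS) at FILE:LINE").
SAMPLE_BACKTRACE = """\
#0 __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1293
#1 0x08243150 in js::PodCopy<unsigned short> (dst=0xd477d008, src=0xf7400160, nelem=259260942) at ../jsutil.h:322
#2 0x08243dd6 in JSRope::flattenInternal<(JSRope::UsingBarrier)1> (this=0xf741db00, maybecx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.cpp:225
#3 0x08242431 in JSRope::flatten (this=0xf741db00, maybecx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.cpp:268
"""

FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+"                  # frame number
    r"(?:0x[0-9a-fA-F]+\s+in\s+)?"        # return address, absent for frame 0
    r"(?P<func>.+?)\s+\((?P<args>.*)\)"   # function (may carry template args) and its argument list
    r"\s+at\s+(?P<loc>\S+)$"              # source location
)

# Element width of the js::PodCopy<T> instantiation (assumed table). unsigned short /
# jschar is the 16-bit character type SpiderMonkey used for string data at the time.
ELEM_SIZE = {"unsigned char": 1, "char": 1, "unsigned short": 2, "jschar": 2}

# Assumption of this helper: nothing the comment-0 testcase builds comes anywhere near
# 64 MiB, so a copy above that means the length field was overwritten, not computed.
MAX_PLAUSIBLE_COPY_BYTES = 64 * 1024 * 1024


def parse_frames(text):
    """Parse gdb backtrace lines into dicts; lines that are not frames are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        # key=value pairs; values carry no commas or parentheses in gdb's one-line form
        args = dict(re.findall(r"(\w+)=([^,()]+)", m.group("args")))
        frames.append({"idx": int(m.group("idx")), "func": m.group("func"),
                       "args": args, "loc": m.group("loc")})
    return frames


def assess(frames):
    """Derive the triage facts a reviewer wants from the parsed frames."""
    result = {"crashed_in_memcpy": False, "copy_bytes": None,
              "suspicious_copy": False, "string_path": [], "notes": []}
    if frames and "memcpy" in frames[0]["func"]:
        result["crashed_in_memcpy"] = True
        result["notes"].append("top frame is a memcpy variant: the fault is in a bulk copy, "
                               "so the interesting frame is the caller that chose the size")
    for f in frames:
        if f["func"].startswith("js::PodCopy<") and "nelem" in f["args"]:
            elem_type = f["func"][len("js::PodCopy<"):-1]
            nbytes = int(f["args"]["nelem"]) * ELEM_SIZE.get(elem_type, 1)
            result["copy_bytes"] = nbytes
            if nbytes > MAX_PLAUSIBLE_COPY_BYTES:
                result["suspicious_copy"] = True
                result["notes"].append(
                    f"frame #{f['idx']}: PodCopy of {f['args']['nelem']} x {elem_type} "
                    f"= {nbytes} bytes; a length this large for a shell testcase means the "
                    f"string header was clobbered rather than a real string being built")
        if f["func"].startswith("JSRope::"):
            # strip template arguments so callers can compare plain names
            result["string_path"].append(f["func"].split("<")[0])
    if result["string_path"]:
        result["notes"].append("rope flattening is on the stack: a string header with garbage "
                               "length/flags can be mistaken for a rope, as noted in the thread")
    return result


if __name__ == "__main__":
    report = assess(parse_frames(SAMPLE_BACKTRACE))
    for note in report["notes"]:
        print("-", note)
```

Run it as a script to print the triage notes, or import it and feed `parse_frames` a full backtrace; any line that does not match gdb's frame shape is ignored rather than raising.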
Attached patch: patch
Regalloc bug. When writing out the return value of an inlined call (as is done when the call's result type is unknown), the inline frame's callee might get synced when allocating a register for the type, clobbering the already-written payload. This could cause a JSObject* to be interpreted as a value of another type, e.g. a string.
Assignee: general → bhackett1024
Attachment #584129 - Flags: review?(dvander)
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-aurora?
Comment on attachment 584129 [details] [diff] [review]
patch

[Triage Comment]
Please re-nominate once r+'d and landed on m-c.
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-beta-
Attachment #584129 - Flags: approval-mozilla-aurora?
Attachment #584129 - Flags: approval-mozilla-aurora-
Attachment #584129 - Flags: review?(dvander) → review+
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-beta-
Attachment #584129 - Flags: approval-mozilla-aurora?
Attachment #584129 - Flags: approval-mozilla-aurora-
Comment on attachment 584129 [details] [diff] [review]
patch

Backed out due to some 64 bit 'make check' orange.
https://hg.mozilla.org/integration/mozilla-inbound/rev/f623372c6de0
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-aurora?
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Comment on attachment 584129 [details] [diff] [review]
patch

[Approval Request Comment]
Regression caused by (bug #):
User impact if declined:
Testing completed (on m-c, etc.):
Risk to taking this patch (and alternatives if risky):
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-aurora?
(In reply to Brian Hackett (:bhackett) from comment #9)
> Comment on attachment 584129 [details] [diff] [review]
> patch
>
> [Approval Request Comment]
> Regression caused by (bug #):
> User impact if declined:
> Testing completed (on m-c, etc.):
> Risk to taking this patch (and alternatives if risky):

Brian - can you address the risk of taking this patch? The benefit seems clear from the sg:crit status.
This is fixing a compiler bug, so the risk here is that the fix is incorrect. This has been in nightlies for close to a week now, and doesn't seem to have been causing any problems.
Comment on attachment 584129 [details] [diff] [review]
patch

[Triage Comment]
Given Brian's risk evaluation, approving for Aurora/Beta.
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-beta+
Attachment #584129 - Flags: approval-mozilla-aurora?
Attachment #584129 - Flags: approval-mozilla-aurora+
Target Milestone: mozilla12 → mozilla10
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-needed [qa+]
Verified fixed in Firefox 11.0b6 js-shell.
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #14)
> Verified fixed in Firefox 11.0b6 js-shell.

Since this landed in Firefox 11 when it was in Aurora but verified in Beta, should this be keyword verified-beta or verified-aurora?
Group: core-security
Status: RESOLVED → VERIFIED
Ubuntu 11.10, 32bit. Built js-shell for the latest beta release and ran the tests from comment #0: no crash occurred.
Verified fixed in Firefox 10 and ESR:10
Whiteboard: [sg:critical] js-triage-needed [qa+] → [sg:critical][qa+:ashughes] js-triage-needed
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+