Bug 713209 - Crash [@ __memcpy_ssse3_rep] through JSRope::flatten
Status: Closed (opened 12 years ago, closed 12 years ago)
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla10
People: Reporter: decoder, Assigned: bhackett1024
Keywords: crash, testcase
Whiteboard: [sg:critical][qa+:ashughes] js-triage-needed
Attachments (1 file): patch, 1.83 KB (attachment 584129): dvander: review+; akeybl: approval-mozilla-aurora+; akeybl: approval-mozilla-beta+
The following test crashes on mozilla-central revision c5b90ea7e475 (options -m -n -a, 32 bit only):

    var save__proto__ = __proto__;
    __proto__ = save__proto__;
    function bar(x, y) {
      return x + y;
    }
    function foo(x, y) {
      var a = 0;
      for (var i = 0; i < 1000; i++) {
        a += (this.toString);
        a += bar(x, y);
        a = bar(x, (a));
        a += bar(x, y);
      }
      return a;
    }
    var q = foo(0, 1);
    print(q.toSource());

Backtrace:

    #0 __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1293
    #1 0x08243150 in js::PodCopy<unsigned short> (dst=0xd477d008, src=0xf7400160, nelem=259260942) at ../jsutil.h:322
    #2 0x08243dd6 in JSRope::flattenInternal<(JSRope::UsingBarrier)1> (this=0xf741db00, maybecx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.cpp:225
    #3 0x08242431 in JSRope::flatten (this=0xf741db00, maybecx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.cpp:268
    #4 0x08086f4c in JSString::ensureLinear (this=0xf741db00, cx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.h:822
    #5 0x08086ebc in JSString::getChars (this=0xf741db00, cx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.h:804
    #6 0x0817ef10 in QuoteString (sp=0xffffc804, str=0xf741db00, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:872
    #7 0x0817f269 in js_QuoteString (cx=0x8545568, str=0xf741db00, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:940
    #8 0x081c8c52 in str_toSource (cx=0x8545568, argc=0, vp=0xf76ea068) at /srv/repos/mozilla-central/js/src/jsstr.cpp:536
    #9 0x08140a8c in js::CallJSNative (cx=0x8545568, native=0x81c8ba4 <str_toSource(JSContext*, uintN, JS::Value*)>, args=...) at ../jscntxtinlines.h:311
    #10 0x08123de2 in js::InvokeKernel (cx=0x8545568, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:625
    #11 0x08132ad0 in js::Interpret (cx=0x8545568, entryFrame=0xf76ea020, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:3506
    #12 0x0829e62c in js::mjit::EnterMethodJIT (cx=0x8545568, fp=0xf76ea020, code=0xf73ce050, stackLimit=0xf7aca000, partial=false) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1093

S-s and sg:critical due to obvious memory hazard (probably buffer overflow).
Comment 1•12 years ago (Reporter)
Wow, this one is tough. It affects all shells I have tested (release, beta, aurora, central) in opt32 and dbg32 modes.
Crash Signature: [@ __memcpy_ssse3_rep] [@ JSRope::flatten]
status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox12: --- → affected
status-firefox9: --- → affected
tracking-firefox10: --- → ?
tracking-firefox11: --- → ?
tracking-firefox12: --- → ?
tracking-firefox9: --- → ?
Comment 2•12 years ago
I looked at this quickly. It only repros with -m -n -a, so seems related to TI. The 'str' passed to js_QuoteString seems to have been trashed: it is in a FINALIZE_STRING arena, but its length is garbage (that makes it look like a rope). Interestingly, when viewed as a rope, the "left" child points to a GC thing in FINALIZE_OBJECT2.
Comment 3•12 years ago (Assignee)
Regalloc bug. When writing out the return value of an inlined call (as is done when the call's result type is unknown), the inline frame's callee might get synced when allocating a register for the type, clobbering the already-written payload. This could cause a JSObject* to be interpreted as a value of another type, e.g. a string.
Assignee: general → bhackett1024
Attachment #584129 - Flags: review?(dvander)
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-aurora?
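The ordering hazard described in comment 3, as an added toy model in C; this is neither SpiderMonkey code nor the code of attachment 584129. The model assumes what 32-bit SpiderMonkey of that era did: a Value is stored as a separate type-tag word and payload word, and a call's result is written into the stack slot that held the callee. A register is requested for the type word after the payload has already been stored; if that request spills ("syncs") the callee into its home slot, the spill lands between the two writes and the slot ends up tagged STRING with a JSObject* as payload. A consumer that trusts the tag then reads the object's first word as the string length, which is the kind of garbage nelem seen in frame #1 of the backtrace (259260942 is 0x0F74020E, what a pointer-like word 0xF74020E0 becomes after a four-bit length shift, assuming a lengthAndFlags layout with the length in the upper bits). The "fixed" ordering below is one plausible repair, not a description of the actual patch.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added toy model of the comment 3 hazard; not SpiderMonkey code.
 * Assumptions: 32-bit nunboxed Values (separate tag and payload words),
 * and the call result being written into the callee's own stack slot. */

enum Tag { TAG_UNDEFINED = 0, TAG_OBJECT = 1, TAG_STRING = 2 };

typedef struct { uintptr_t payload; uint32_t tag; } Value;

/* Modelled string header: the length word comes first (assumed layout). */
typedef struct { uint32_t length; const char *chars; } StrModel;

/* Modelled object header: a shape word first, which is NOT a length. */
typedef struct { uint32_t shapeWord; uint32_t flags; uintptr_t slots[2]; } ObjModel;

typedef struct {
    Value     slot;         /* stack slot: callee before the call, result after it */
    uintptr_t calleeReg;    /* register still holding the callee pointer */
    int       calleeDirty;  /* 1: callee lives only in the register, slot is stale */
    int       freeRegs;     /* 0 forces the next allocation to spill */
} Frame;

/* Spill ("sync") the callee to its home slot, as the allocator does under pressure. */
static void syncCallee(Frame *f) {
    if (f->calleeDirty) {
        f->slot.payload = f->calleeReg;
        f->slot.tag = TAG_OBJECT;
        f->calleeDirty = 0;
    }
}

/* Allocate a register for the type word; with none free, evict the callee. */
static void allocReg(Frame *f) {
    if (f->freeRegs == 0)
        syncCallee(f);
    else
        f->freeRegs--;
}

/* Buggy order: payload first, then a register for the tag, then the tag. */
static Value emitCallResultBuggy(Frame *f, const StrModel *result) {
    f->slot.payload = (uintptr_t)result;   /* payload of the string result */
    allocReg(f);                           /* may spill the callee over it */
    f->slot.tag = TAG_STRING;              /* tag no longer matches payload */
    return f->slot;
}

/* One plausible fix order (hypothetical, not the real patch): take the register
 * and absorb any spill first, retire the now-dead callee, then write payload+tag. */
static Value emitCallResultFixed(Frame *f, const StrModel *result) {
    allocReg(f);
    f->calleeDirty = 0;
    f->slot.payload = (uintptr_t)result;
    f->slot.tag = TAG_STRING;
    return f->slot;
}

/* A consumer such as JSString::getChars: trust the tag, read the length word. */
static uint32_t stringLength(Value v) {
    uint32_t len;
    assert(v.tag == TAG_STRING);
    memcpy(&len, (const void *)v.payload, sizeof len);
    return len;
}

/* Run one inlined call under register pressure; return the length a consumer sees. */
uint32_t observedLength(int useFixedOrder) {
    static ObjModel callee = { 0xF74020E0u, 0, { 0, 0 } };  /* constructed: pointer-like shape word */
    static StrModel result = { 3, "abc" };                  /* constructed 3-char result string */
    Frame f = { { 0, TAG_UNDEFINED }, (uintptr_t)&callee, 1, 0 };
    Value v = useFixedOrder ? emitCallResultFixed(&f, &result)
                            : emitCallResultBuggy(&f, &result);
    return stringLength(v);
}

int main(void) {
    printf("buggy order: length=%u (the object's shape word, i.e. the nelem memcpy would get)\n",
           (unsigned)observedLength(0));
    printf("fixed order: length=%u\n", (unsigned)observedLength(1));
    return 0;
}
```

The point of the model is that the tag and payload are two independent stores, so any spill or GC barrier that can write the same slot between them is a type-confusion primitive; the real bug only surfaced with -m -n -a because inlining under type inference is what puts the callee and the result in the same slot with live register pressure.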
Comment 4•12 years ago
Comment on attachment 584129 [details] [diff] [review] patch [Triage Comment] Please re-nominate once r+'d and landed on m-c.
Attachment #584129 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Attachment #584129 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora-
Updated•12 years ago
Attachment #584129 - Flags: review?(dvander) → review+
Comment 5•12 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/d10b118890e4
Updated•12 years ago (Assignee)
Attachment #584129 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Attachment #584129 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora-
Comment 6•12 years ago (Assignee)
Comment on attachment 584129 [details] [diff] [review] patch
Backed out due to some 64 bit 'make check' orange.
https://hg.mozilla.org/integration/mozilla-inbound/rev/f623372c6de0
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-aurora?
Comment 7•12 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/721203297177
Comment 8•12 years ago (Assignee)
https://hg.mozilla.org/mozilla-central/rev/721203297177
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Comment 9•12 years ago (Assignee)
Comment on attachment 584129 [details] [diff] [review] patch
[Approval Request Comment]
Regression caused by (bug #):
User impact if declined:
Testing completed (on m-c, etc.):
Risk to taking this patch (and alternatives if risky):
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-aurora?
Comment 10•12 years ago
(In reply to Brian Hackett (:bhackett) from comment #9)
> Comment on attachment 584129 [details] [diff] [review]
> patch
>
> [Approval Request Comment]
> Regression caused by (bug #):
> User impact if declined:
> Testing completed (on m-c, etc.):
> Risk to taking this patch (and alternatives if risky):

Brian - can you address the risk of taking this patch? The benefit seems clear from the sg:crit status.
Comment 11•12 years ago (Assignee)
This is fixing a compiler bug, so the risk here is that the fix is incorrect. This has been in nightlies for close to a week now, and doesn't seem to have been causing any problems.
Comment 12•12 years ago
Comment on attachment 584129 [details] [diff] [review] patch [Triage Comment] Given Brian's risk evaluation, approving for Aurora/Beta.
Attachment #584129 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #584129 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 13•12 years ago (Assignee)
https://hg.mozilla.org/releases/mozilla-aurora/rev/2d764ffa9bf7
https://hg.mozilla.org/releases/mozilla-beta/rev/0e556b6d0601
Updated•12 years ago (Assignee)
Target Milestone: mozilla12 → mozilla10
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-needed [qa+]
Updated•12 years ago
status1.9.2: --- → unaffected
Comment 14•12 years ago
Verified fixed in Firefox 11.0b6 js-shell.
Comment 15•12 years ago
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #14)
> Verified fixed in Firefox 11.0b6 js-shell.

Since this landed in Firefox 11 when it was in Aurora but verified in Beta, should this be keyword verified-beta or verified-aurora?
Updated•12 years ago
status-firefox-esr10: --- → fixed
Updated•12 years ago
tracking-firefox-esr10: --- → 10+
Updated•12 years ago
Group: core-security
Updated•12 years ago (Reporter)
Status: RESOLVED → VERIFIED
Comment 16•12 years ago
Ubuntu 11.10, 32bit. Built js-shell for the latest beta release and ran the tests from comment #0: no crash occurred.
Comment 17•12 years ago
Verified fixed in Firefox 10 and ESR:10
Whiteboard: [sg:critical] js-triage-needed [qa+] → [sg:critical][qa+:ashughes] js-triage-needed
Comment 18•11 years ago (Reporter)
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+