Bug 713209 - Crash [@ __memcpy_ssse3_rep] through JSRope::flatten
[sg:critical][qa+:ashughes] js-triage...
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: mozilla10
Assigned To: Brian Hackett (:bhackett)
: Jason Orendorff [:jorendorff]
Blocks: langfuzz
Reported: 2011-12-23 04:58 PST by Christian Holler (:decoder)
Modified: 2013-01-19 13:58 PST (History)
CC: 11 users
choller: in‑testsuite+

patch (1.83 KB, patch)
2011-12-23 15:09 PST, Brian Hackett (:bhackett)
dvander: review+
akeybl: approval‑mozilla‑aurora+
akeybl: approval‑mozilla‑beta+

Description Christian Holler (:decoder) 2011-12-23 04:58:12 PST
The following test crashes on mozilla-central revision c5b90ea7e475 (options -m -n -a, 32 bit only):

// Fuzzer-generated testcase; crashes only with -m -n -a on 32-bit builds.
var save__proto__ = __proto__;
__proto__ = save__proto__;
function bar(x, y) {
  return x + y;
}
function foo(x, y) {
  var a = 0;
  for (var i = 0; i < 1000; i++) {
    a += (this.toString);
    a += bar(x, y);
    a = bar(x, (a));
    a += bar(x, y);
  }
  return a;
}
var q = foo(0, 1);


#0  __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1293
#1  0x08243150 in js::PodCopy<unsigned short> (dst=0xd477d008, src=0xf7400160, nelem=259260942) at ../jsutil.h:322
#2  0x08243dd6 in JSRope::flattenInternal<(JSRope::UsingBarrier)1> (this=0xf741db00, maybecx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.cpp:225
#3  0x08242431 in JSRope::flatten (this=0xf741db00, maybecx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.cpp:268
#4  0x08086f4c in JSString::ensureLinear (this=0xf741db00, cx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.h:822
#5  0x08086ebc in JSString::getChars (this=0xf741db00, cx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.h:804
#6  0x0817ef10 in QuoteString (sp=0xffffc804, str=0xf741db00, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:872
#7  0x0817f269 in js_QuoteString (cx=0x8545568, str=0xf741db00, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:940
#8  0x081c8c52 in str_toSource (cx=0x8545568, argc=0, vp=0xf76ea068) at /srv/repos/mozilla-central/js/src/jsstr.cpp:536
#9  0x08140a8c in js::CallJSNative (cx=0x8545568, native=0x81c8ba4 <str_toSource(JSContext*, uintN, JS::Value*)>, args=...) at ../jscntxtinlines.h:311
#10 0x08123de2 in js::InvokeKernel (cx=0x8545568, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:625
#11 0x08132ad0 in js::Interpret (cx=0x8545568, entryFrame=0xf76ea020, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:3506
#12 0x0829e62c in js::mjit::EnterMethodJIT (cx=0x8545568, fp=0xf76ea020, code=0xf73ce050, stackLimit=0xf7aca000, partial=false)
    at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1093

S-s and sg:critical due to obvious memory hazard (probably buffer overflow).
Comment 1 Christian Holler (:decoder) 2011-12-23 07:59:19 PST
Wow, this one is tough. It affects all shells I have tested (release, beta, aurora, central) in opt32 and dbg32 modes.
Comment 2 Luke Wagner [:luke] 2011-12-23 10:12:48 PST
I looked at this quickly.  It only repros with -m -n -a, so seems related to TI.  The 'str' passed to js_QuoteString seems to have been trashed: it is in a FINALIZE_STRING arena, but its length is garbage (that makes it look like a rope).  Interestingly, when viewed as a rope, the "left" child points to a GC thing in FINALIZE_OBJECT2.
Comment 3 Brian Hackett (:bhackett) 2011-12-23 15:09:24 PST
Created attachment 584129 (patch)
Regalloc bug.  When writing out the return value of an inlined call (as is done when the call's result type is unknown), the inline frame's callee might get synced when allocating a register for the type, clobbering the already-written payload.  This could cause a JSObject* to be interpreted as a value of another type, e.g. a string.
Comment 4 Alex Keybl [:akeybl] 2011-12-26 10:55:16 PST
Comment on attachment 584129 (patch)
[Triage Comment]
Please re-nominate once r+'d and landed on m-c.
Comment 5 Brian Hackett (:bhackett) 2011-12-27 16:04:32 PST
Comment 6 Brian Hackett (:bhackett) 2011-12-27 17:16:51 PST
Comment on attachment 584129 (patch)
Backed out due to some 64 bit 'make check' orange.
Comment 7 Brian Hackett (:bhackett) 2011-12-28 07:01:34 PST
Comment 8 Brian Hackett (:bhackett) 2011-12-29 16:29:24 PST
Comment 9 Brian Hackett (:bhackett) 2011-12-29 16:30:44 PST
Comment on attachment 584129 (patch)
[Approval Request Comment]
Regression caused by (bug #): 
User impact if declined: 
Testing completed (on m-c, etc.): 
Risk to taking this patch (and alternatives if risky):
Comment 10 Alex Keybl [:akeybl] 2012-01-03 15:06:25 PST
(In reply to Brian Hackett (:bhackett) from comment #9)
> Comment on attachment 584129 (patch)
> [Approval Request Comment]
> Regression caused by (bug #): 
> User impact if declined: 
> Testing completed (on m-c, etc.): 
> Risk to taking this patch (and alternatives if risky):

Brian - can you address the risk of taking this patch? The benefit seems clear from the sg:crit status.
Comment 11 Brian Hackett (:bhackett) 2012-01-03 18:28:46 PST
This is fixing a compiler bug, so the risk here is that the fix is incorrect.  This has been in nightlies for close to a week now, and doesn't seem to have been causing any problems.
Comment 12 Alex Keybl [:akeybl] 2012-01-04 13:58:15 PST
Comment on attachment 584129 (patch)
[Triage Comment]
Given Brian's risk evaluation, approving for Aurora/Beta.
Comment 14 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-03-06 16:13:45 PST
Verified fixed in Firefox 11.0b6 js-shell.
Comment 15 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-03-06 16:30:01 PST
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #14)
> Verified fixed in Firefox 11.0b6 js-shell.

Since this landed in Firefox 11 when it was in Aurora but verified in Beta, should this be keyword verified-beta or verified-aurora?
Comment 16 Mihaela Velimiroviciu (:mihaelav) 2012-04-06 08:00:26 PDT
Ubuntu 11.10, 32bit

Built js-shell for the latest beta release and ran the tests from comment #0: no crash occurred.
Comment 17 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-31 15:51:21 PDT
Verified fixed in Firefox 10 and ESR:10
Comment 18 Christian Holler (:decoder) 2013-01-19 13:58:09 PST
Automatically extracted testcase for this bug was committed:
