Crash [@ __memcpy_ssse3_rep] through JSRope::flatten

VERIFIED FIXED in Firefox 10

Status

Core
JavaScript Engine
--
critical
VERIFIED FIXED
6 years ago
5 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
mozilla10
x86
Linux
crash, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox9+ affected, firefox10+ verified, firefox11+ verified, firefox12+ verified, firefox-esr1010+ verified, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical][qa+:ashughes] js-triage-needed, crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following test crashes on mozilla-central revision c5b90ea7e475 (options -m -n -a, 32 bit only):


var save__proto__ = __proto__;
__proto__ = save__proto__;
function bar(x, y) {
  return x + y;
}
function foo(x, y) {
  var a = 0;
  for (var i = 0; i < 1000; i++) {
    a += (this.toString);
    a += bar(x, y);
    a = bar(x, (a));
    a += bar(x, y);
  }
  return a;
}
var q = foo(0, 1);
print(q.toSource());


Backtrace:

#0  __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1293
#1  0x08243150 in js::PodCopy<unsigned short> (dst=0xd477d008, src=0xf7400160, nelem=259260942) at ../jsutil.h:322
#2  0x08243dd6 in JSRope::flattenInternal<(JSRope::UsingBarrier)1> (this=0xf741db00, maybecx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.cpp:225
#3  0x08242431 in JSRope::flatten (this=0xf741db00, maybecx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.cpp:268
#4  0x08086f4c in JSString::ensureLinear (this=0xf741db00, cx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.h:822
#5  0x08086ebc in JSString::getChars (this=0xf741db00, cx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.h:804
#6  0x0817ef10 in QuoteString (sp=0xffffc804, str=0xf741db00, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:872
#7  0x0817f269 in js_QuoteString (cx=0x8545568, str=0xf741db00, quote=34) at /srv/repos/mozilla-central/js/src/jsopcode.cpp:940
#8  0x081c8c52 in str_toSource (cx=0x8545568, argc=0, vp=0xf76ea068) at /srv/repos/mozilla-central/js/src/jsstr.cpp:536
#9  0x08140a8c in js::CallJSNative (cx=0x8545568, native=0x81c8ba4 <str_toSource(JSContext*, uintN, JS::Value*)>, args=...) at ../jscntxtinlines.h:311
#10 0x08123de2 in js::InvokeKernel (cx=0x8545568, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:625
#11 0x08132ad0 in js::Interpret (cx=0x8545568, entryFrame=0xf76ea020, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:3506
#12 0x0829e62c in js::mjit::EnterMethodJIT (cx=0x8545568, fp=0xf76ea020, code=0xf73ce050, stackLimit=0xf7aca000, partial=false)
    at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1093


S-s and sg:critical due to obvious memory hazard (probably buffer overflow).
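A small triage helper, added here as an example and not part of the bug's attachments or Mozilla's tooling: it parses the gdb backtrace above (one frame per line) and checks whether the copy length in the PodCopy frame is plausible for this testcase. The expected_max_chars bound is an assumption derived from the testcase's 1000-iteration loop of short concatenations; the libc-frame filter is also an assumption.

```python
import re

# Constructed sample: the top frames of the gdb backtrace quoted in the bug description.
BACKTRACE = """\
#0  __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1293
#1  0x08243150 in js::PodCopy<unsigned short> (dst=0xd477d008, src=0xf7400160, nelem=259260942) at ../jsutil.h:322
#2  0x08243dd6 in JSRope::flattenInternal<(JSRope::UsingBarrier)1> (this=0xf741db00, maybecx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.cpp:225
#3  0x08242431 in JSRope::flatten (this=0xf741db00, maybecx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.cpp:268
#4  0x08086f4c in JSString::ensureLinear (this=0xf741db00, cx=0x8545568) at /srv/repos/mozilla-central/js/src/vm/String.h:822
"""

# One gdb frame per line: "#N  [0xADDR in ]FUNC (ARGS) [at FILE:LINE]"
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.+?) \((.*)\)(?: at (\S+))?$")

def parse_frames(text):
    """Turn gdb 'bt' output into dicts with frame number, function, args and location."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        args = dict(a.partition("=")[::2] for a in m.group(3).split(", ") if "=" in a)
        frames.append({"n": int(m.group(1)), "func": m.group(2), "args": args, "loc": m.group(4)})
    return frames

def strip_templates(func):
    # "JSRope::flattenInternal<(JSRope::UsingBarrier)1>" -> "JSRope::flattenInternal"
    return re.sub(r"<.*>", "", func)

def in_tree_frames(frames):
    """Engine frames only: libc frames (memcpy variants, sysdeps sources) are dropped (assumed filter)."""
    return [strip_templates(f["func"]) for f in frames
            if not f["func"].startswith("__") and not (f["loc"] or "").startswith("../sysdeps")]

def copied_chars(frames):
    """nelem of the PodCopy<unsigned short> frame: how many jschars the flatten tried to copy."""
    for f in frames:
        if strip_templates(f["func"]) == "js::PodCopy" and "nelem" in f["args"]:
            return int(f["args"]["nelem"])
    return None

def suspicious_copy(frames, expected_max_chars):
    """True if the copy is far beyond what the testcase could build: the testcase concatenates
    short strings 1000 times, so hundreds of millions of jschars means the length was garbage."""
    n = copied_chars(frames)
    return n is not None and n > expected_max_chars
```

Running it over the sample flags the 259260942-character copy as implausible, which matches the "length is garbage" observation in comment 2.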
(Reporter)

Comment 1

6 years ago
Wow, this one is tough. It affects all shells I have tested (release, beta, aurora, central) in opt32 and dbg32 modes.
Crash Signature: [@ __memcpy_ssse3_rep] [@ JSRope::flatten]
status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox12: --- → affected
status-firefox9: --- → affected
tracking-firefox10: --- → ?
tracking-firefox11: --- → ?
tracking-firefox12: --- → ?
tracking-firefox9: --- → ?

Comment 2

6 years ago
I looked at this quickly.  It only repros with -m -n -a, so seems related to TI.  The 'str' passed to js_QuoteString seems to have been trashed: it is in a FINALIZE_STRING arena, but its length is garbage (that makes it look like a rope).  Interestingly, when viewed as a rope, the "left" child points to a GC thing in FINALIZE_OBJECT2.
(Assignee)

Comment 3

6 years ago
Created attachment 584129 [details] [diff] [review]
patch

Regalloc bug.  When writing out the return value of an inlined call (as is done when the call's result type is unknown), the inline frame's callee might get synced when allocating a register for the type, clobbering the already-written payload.  This could cause a JSObject* to be interpreted as a value of another type, e.g. a string.
Assignee: general → bhackett1024
Attachment #584129 - Flags: review?(dvander)
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-aurora?

Updated

6 years ago
tracking-firefox10: ? → +
tracking-firefox11: ? → +
tracking-firefox12: ? → +
tracking-firefox9: ? → +

Comment 4

6 years ago
Comment on attachment 584129 [details] [diff] [review]
patch

[Triage Comment]
Please re-nominate once r+'d and landed on m-c.
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-beta-
Attachment #584129 - Flags: approval-mozilla-aurora?
Attachment #584129 - Flags: approval-mozilla-aurora-
Attachment #584129 - Flags: review?(dvander) → review+
(Assignee)

Comment 5

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/d10b118890e4
(Assignee)

Updated

6 years ago
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-beta-
Attachment #584129 - Flags: approval-mozilla-aurora?
Attachment #584129 - Flags: approval-mozilla-aurora-
(Assignee)

Comment 6

6 years ago
Comment on attachment 584129 [details] [diff] [review]
patch

Backed out due to some 64 bit 'make check' orange.

https://hg.mozilla.org/integration/mozilla-inbound/rev/f623372c6de0
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 7

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/721203297177
(Assignee)

Comment 8

6 years ago
https://hg.mozilla.org/mozilla-central/rev/721203297177
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
(Assignee)

Comment 9

6 years ago
Comment on attachment 584129 [details] [diff] [review]
patch

[Approval Request Comment]
Regression caused by (bug #): 
User impact if declined: 
Testing completed (on m-c, etc.): 
Risk to taking this patch (and alternatives if risky):
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-aurora?
Comment 10

(In reply to Brian Hackett (:bhackett) from comment #9)
> Comment on attachment 584129 [details] [diff] [review]
> patch
> 
> [Approval Request Comment]
> Regression caused by (bug #): 
> User impact if declined: 
> Testing completed (on m-c, etc.): 
> Risk to taking this patch (and alternatives if risky):

Brian - can you address the risk of taking this patch? The benefit seems clear from the sg:crit status.
(Assignee)

Comment 11

6 years ago
This is fixing a compiler bug, so the risk here is that the fix is incorrect.  This has been in nightlies for close to a week now, and doesn't seem to have been causing any problems.
Comment 12

Comment on attachment 584129 [details] [diff] [review]
patch

[Triage Comment]
Given Brian's risk evaluation, approving for Aurora/Beta.
Attachment #584129 - Flags: approval-mozilla-beta?
Attachment #584129 - Flags: approval-mozilla-beta+
Attachment #584129 - Flags: approval-mozilla-aurora?
Attachment #584129 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 13

6 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/2d764ffa9bf7
https://hg.mozilla.org/releases/mozilla-beta/rev/0e556b6d0601
(Assignee)

Updated

6 years ago
status-firefox10: affected → fixed
status-firefox11: affected → fixed
status-firefox12: affected → fixed
Target Milestone: mozilla12 → mozilla10
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-needed [qa+]
status1.9.2: --- → unaffected
Comment 14

Verified fixed in Firefox 11.0b6 js-shell.
status-firefox11: fixed → verified
Comment 15

(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #14)
> Verified fixed in Firefox 11.0b6 js-shell.

Since this landed in Firefox 11 when it was in Aurora but verified in Beta, should this be keyword verified-beta or verified-aurora?

Updated

5 years ago
status-firefox-esr10: --- → fixed

Updated

5 years ago
tracking-firefox-esr10: --- → 10+
Group: core-security
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
Comment 16

Ubuntu 11.10, 32bit

Built js-shell for the latest beta release and ran the tests from comment #0: no crash occurred.
status-firefox12: fixed → verified
Comment 17

Verified fixed in Firefox 10 and ESR:10
status-firefox-esr10: fixed → verified
status-firefox10: fixed → verified
Whiteboard: [sg:critical] js-triage-needed [qa+] → [sg:critical][qa+:ashughes] js-triage-needed
(Reporter)

Comment 18

5 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+