735957 - IonMonkey: Crash [@ JSString::isAtom] or at a weird location of 0x0066cf34 with testcase

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The upcoming testcase crashes js debug and opt shell on IonMonkey changeset 76e469f863ae with -m, -a, --ion and -n at a weird memory address.

Tested on 32-bit.

Opt shell stack:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0066cf34
0x0066cf34 in ?? ()
(gdb) bt
#0  0x0066cf34 in ?? ()
Cannot access memory at address 0x66cf34
#1  0x0055fee0 in ?? ()

Debug shell stack:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00fbd390
0x00fbd390 in ?? ()
(gdb) bt
#0  0x00fbd390 in ?? ()
Cannot access memory at address 0xfbd390
#1  0x00e2dde0 in ?? ()
(gdb) call js_DumpBacktrace(CurrentIonContext()->cx)
Cannot access memory at address 0xfbd390
#1      0x1800150   w11488-orig.js:96 (0x1f067b0 @ 251)
#2      0x18000e0   w11488-orig.js:73 (0x1f065e8 @ 73)
#3      0x1800078   w11488-orig.js:61 (0x1f06550 @ 72)
#4      0x1800020   w11488-orig.js:2156 (0x1f24b40 @ 5318)
Cannot access memory at address 0xfbd390

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: 170-line testcase that seems to only crash with 64-bit debug js shell

The testcase in comment 1 was further reduced, but now only crashes in debug:


Program received signal SIGSEGV, Segmentation fault.
0x0000000000423266 in JSString::isAtom (this=0x0) at /home/fuzz2lin/Desktop/jsfunfuzz-dbg-64-im-91657-55ab6c6d276a/compilePath/js/src/vm/String.h:385
385	        bool atomized = (d.lengthAndFlags & ATOM_MASK) == ATOM_FLAGS;
#0  0x0000000000423266 in JSString::isAtom (this=0x0) at /home/fuzz2lin/Desktop/jsfunfuzz-dbg-64-im-91657-55ab6c6d276a/compilePath/js/src/vm/String.h:385
#1  0x000000000063187f in js_ConcatStrings (cx=0xd15d30, left=0x7ffff6423800, right=0x0) at /home/fuzz2lin/Desktop/jsfunfuzz-dbg-64-im-91657-55ab6c6d276a/compilePath/js/src/vm/String.cpp:312
#2  0x00007ffff7f6ce0a in ?? ()
#3  0xfff880000000000a in ?? ()
#4  0x00007fffffffcbd8 in ?? ()
#5  0x000000000000000a in ?? ()
#6  0x00007ffff7f6d043 in ?? ()
#7  0x0000000000000200 in ?? ()
#8  0x00007ffff6423800 in ?? ()
#9  0x0000000000000000 in ?? ()

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to Gary Kwong [:gkw, :nth10sd] from comment #2)
> Created attachment 610395 [details]
> 170-line testcase that seems to only crash with 64-bit debug js shell
> 
> The testcase in comment 1 was further reduced, but now only crashes in debug:

Tested with IonMonkey changeset 55ab6c6d276a.

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

> > The testcase in comment 1 was further reduced, but now only crashes in debug:
> 
> Tested with IonMonkey changeset 55ab6c6d276a.

And in Ubuntu Linux 11.10.

Comment 5

[Nicolas B. Pierron [:nbp]]

(In reply to Gary Kwong [:gkw, :nth10sd] from comment #2)
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000000000423266 in JSString::isAtom (this=0x0) at
> /home/fuzz2lin/Desktop/jsfunfuzz-dbg-64-im-91657-55ab6c6d276a/compilePath/js/
> src/vm/String.h:385
> 385	        bool atomized = (d.lengthAndFlags & ATOM_MASK) == ATOM_FLAGS;
> #0  0x0000000000423266 in JSString::isAtom (this=0x0) at
> /home/fuzz2lin/Desktop/jsfunfuzz-dbg-64-im-91657-55ab6c6d276a/compilePath/js/
> src/vm/String.h:385
> #1  0x000000000063187f in js_ConcatStrings (cx=0xd15d30,
> left=0x7ffff6423800, right=0x0) at
> /home/fuzz2lin/Desktop/jsfunfuzz-dbg-64-im-91657-55ab6c6d276a/compilePath/js/
> src/vm/String.cpp:312
> #2  0x00007ffff7f6ce0a in ?? ()

This test case is *Likely* a duplicate of Bug 732847.

Comment 6

[Nicolas B. Pierron [:nbp]]

All tests of this bug are working as expected with the latest version of IonMonkey (changeset 291ff6ed10b57777cbd61bc8e4405622cb5c6d5f).

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

WFM as of IonMonkey changeset 72596946ff96.