IonMonkey: Crash [@ js::HeapPtr<js::BaseShape, unsigned long>::operator] with ParallelArray

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: major
Reported: 5 years ago
Modified: 5 years ago

People

Reporter: decoder
Assigned: dvander

Tracking

Blocks: 2 bugs
Keywords: crash, testcase
Version: Other Branch
Hardware/OS: x86_64 Linux
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

firefox-esr10: unaffected

Attachments

2 attachments, 1 obsolete attachment

Description (Reporter, 5 years ago)
The following testcase crashes on ionmonkey revision 50177d59c0e1 (run with --ion -n -m):


var p = new ParallelArray([1,2,3,4,5]);
var r = p.scatter([0,1,0,3,4], 9, function (a,b) { return a+b; });
assertEq(r.toString( 5 ? r : 0, gc()) ,[4,2,9,4,5].join(","));


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004145a8 in js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape* (this=0xdadadadadadadada) at ../../gc/Barrier.h:212
212         operator T*() const { return value; }
(gdb) bt 8
#0  0x00000000004145a8 in js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape* (this=0xdadadadadadadada) at ../../gc/Barrier.h:212
#1  0x0000000000405fe0 in js::Shape::base (this=0xdadadadadadadada) at ../../jsscope.h:708
#2  0x0000000000405eea in js::Shape::getObjectClass (this=0xdadadadadadadada) at ../../jsscope.h:607
#3  0x000000000040714e in js::ObjectImpl::getClass (this=0x7ffff09099a0) at ../../vm/ObjectImpl-inl.h:245
#4  0x000000000040718e in js::ObjectImpl::getOps (this=0x7ffff09099a0) at ../../vm/ObjectImpl-inl.h:263
#5  0x0000000000551738 in js_GetMethod (cx=0xd955a0, obj=..., id=..., getHow=0, vp=0x7fffffffc530) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsobj.cpp:5166
#6  0x00000000006a0cd8 in ParallelArray_forward_method (cx=0xd955a0, argc=2, vp=0x7ffff0beb0b0, native=0x6a0d90 <ParallelArray_toString(JSContext*, unsigned int, JS::Value*)>, id=...)
    at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/builtin/ParallelArray.cpp:587
#7  0x00000000006a0ddc in ParallelArray_toString (cx=0xd955a0, argc=2, vp=0x7ffff0beb0b0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/builtin/ParallelArray.cpp:602
(More stack frames follow...)
(gdb) x /i $pc
=> 0x4145a8 <js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape*() const+12>:    mov    (%rax),%rax
(gdb) info reg rax
rax            0xdadadadadadadada       -2676586395008836902
Assignee: general → wmccloskey
Oops. IonMonkey bug. Never mind.
Assignee: wmccloskey → general
This is very likely to be bug 729812 so let's wait until that's fixed and try this again.
Assignee: general → dvander
Status: NEW → ASSIGNED
Created attachment 624831 [details] [diff] [review]
make ParallelArray moving GC safe

This doesn't fix the bug, but I noticed ParallelArray is not moving GC safe so this patch fixes that.
Attachment #624831 - Flags: review?(wmccloskey)
Comment on attachment 624831 [details] [diff] [review]
make ParallelArray moving GC safe

Review of attachment 624831 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/builtin/ParallelArray.cpp
@@ +320,2 @@
>      if (!obj)
> +        return false;

I think we need to |return ok| here.

::: js/src/ion/MIR.cpp
@@ +492,5 @@
>  
>  void
>  MBitNot::infer(const TypeOracle::Unary &u)
>  {
> +    JS_ASSERT(u.ival != MIRType_Value);
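Review bot: the JS_ASSERT added to MBitNot::infer in js/src/ion/MIR.cpp is unrelated to the ParallelArray moving-GC change this patch describes, and the hunk gives no indication of what guarantees u.ival can never be MIRType_Value; either drop it from this patch or land it separately with a comment stating why a Value-typed operand cannot reach here.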

Not sure if you intended for this to be here...
Attachment #624831 - Flags: review?(wmccloskey) → review+
Created attachment 624865 [details] [diff] [review]
part 2: fix

Bug is, it's non-native but has no trace hook. Bill pointed out it can just be native.
Attachment #624865 - Flags: review?(wmccloskey)
Attachment #624865 - Flags: review?(wmccloskey) → review+
Thanks for the quick reviews!

http://hg.mozilla.org/projects/ionmonkey/rev/fe35715a3f01
http://hg.mozilla.org/projects/ionmonkey/rev/b15990ffc15d
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
status-firefox-esr10: --- → unaffected
Backing out part 2: http://hg.mozilla.org/projects/ionmonkey/rev/ec1aca662dbe

It turns out these objects have some non-native behavior, so it'll be easier to just implement a trace hook.
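An added illustration, not code from this bug or from SpiderMonkey: a toy mark-sweep heap in C that shows why an object class holding GC pointers but lacking a trace hook ends up pointing at a freed, poisoned cell after gc(), which is what the this=0xdadadadadadadada in the backtrace above reflects. It assumes 0xDA is the free-cell poison byte; the Class, Cell, TraceHook and heap names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define POISON_BYTE 0xDA   /* assumed free-cell poison byte, matching the 0xda bytes in the backtrace */
#define NCELLS 8

struct Cell;
typedef void (*TraceHook)(struct Cell *self);   /* marks the GC pointers a cell holds */

typedef struct Class { const char *name; TraceHook trace; } Class;   /* trace == NULL: no trace hook */
typedef struct Cell  { const Class *clasp; struct Cell *child; int marked, live; } Cell;

static Cell heap[NCELLS];   /* constructed toy heap */

static void mark(Cell *c) {
    if (!c || c->marked) return;
    c->marked = 1;
    if (c->clasp->trace) c->clasp->trace(c);   /* without a hook, c->child is never marked */
}
static void trace_child(Cell *self) { mark(self->child); }

static const Class traced_class   = { "traced",   trace_child };
static const Class untraced_class = { "untraced", NULL };   /* the ParallelArray situation before the fix */

static Cell *alloc(const Class *clasp, Cell *child) {
    for (int i = 0; i < NCELLS; i++)
        if (!heap[i].live) { heap[i] = (Cell){ clasp, child, 0, 1 }; return &heap[i]; }
    return NULL;
}

/* Mark from a single root, then poison every unmarked cell the way a debug GC poisons freed things. */
static void gc(Cell *root) {
    for (int i = 0; i < NCELLS; i++) heap[i].marked = 0;
    mark(root);
    for (int i = 0; i < NCELLS; i++)
        if (heap[i].live && !heap[i].marked) memset(&heap[i], POISON_BYTE, sizeof heap[i]);
}

static uintptr_t poison_pattern(void) { uintptr_t v; memset(&v, POISON_BYTE, sizeof v); return v; }

/* Allocate a child and a holder of class `clasp` that references it, collect with the holder as the
 * only root, and return the holder's view of the child's class pointer (what Shape::base read). */
static uintptr_t child_class_after_gc(const Class *clasp) {
    memset(heap, 0, sizeof heap);
    Cell *child  = alloc(&traced_class, NULL);
    Cell *holder = alloc(clasp, child);
    gc(holder);
    return (uintptr_t)holder->child->clasp;   /* poisoned pointer == the crash's this=0xdadadadadadadada */
}
```

With the traced class the child survives and its class pointer is intact; with the untraced class the same read returns the all-0xDA pattern, and dereferencing it is the SIGSEGV in the report.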
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Created attachment 625033 [details] [diff] [review]
part 2: better fix
Attachment #624865 - Attachment is obsolete: true
Attachment #625033 - Flags: review?(wmccloskey)
Attachment #625033 - Flags: review?(wmccloskey) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/eeae414fa07a
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Duplicate of this bug: 737298
Comment 11 (Reporter, 5 years ago)
JSBugMon: This bug has been automatically verified fixed.
Updated (Reporter, 5 years ago)
Status: RESOLVED → VERIFIED
Updated (Reporter, 5 years ago)
Group: core-security
Comment 12 (Reporter, 5 years ago)
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+