
IonMonkey: (ARM) Crash [@ js::EncapsulatedPtr] with use-after-free

Status: RESOLVED WORKSFORME
Product: Core
Component: JavaScript Engine
Priority: --
Severity: major
Reported: 5 years ago
Modified: 5 years ago

People

Reporter: decoder, Unassigned

Tracking

Blocks: 2 bugs
Keywords: crash, testcase
Version: Other Branch
Platform: ARM
OS: Linux
Firefox Tracking Flags: (Not tracked)

Details

Whiteboard: [ion:p1:fx18], crash signature

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Created attachment 643311 [details]
Testcase for shell

The attached testcase crashes on ionmonkey-arm (private branch) revision 153a2db06024 (run with --ion -n -m --ion-eager).
(Reporter)

Comment 1

5 years ago
The branch specified in comment 0 is wrong; this is actually the regular ionmonkey repository.

Before reduction this showed up as an unsupported relocation, but now it just crashes:

Program received signal SIGSEGV, Segmentation fault.
0x0001988e in js::EncapsulatedPtr<JSObject, unsigned int>::operator JSObject* (this=0xdadadade) at ../../gc/Barrier.h:172
172         operator T*() const { return value; }
(gdb) bt
#0  0x0001988e in js::EncapsulatedPtr<JSObject, unsigned int>::operator JSObject* (this=0xdadadade) at ../../gc/Barrier.h:172
#1  0x00028b4c in js::ObjectImpl::hasSingletonType (this=0x40a0cb50) at ../vm/ObjectImpl.h:1067
#2  0x0005afa0 in js::types::Type::ObjectType (obj=0x40a0cb50) at ../jsinferinlines.h:34
#3  0x0005b046 in js::types::GetValueType (cx=0x104e0d0, val=...) at ../jsinferinlines.h:60
#4  0x000d8f54 in js::types::TypeMonitorResult (cx=0x104e0d0, script=0x40a060b0, pc=0x1057148 "\232", rval=...) at /home/decoder/ionmonkey-arm/js/src/jsinfer.cpp:5002
#5  0x000eb6e6 in js::types::TypeScript::Monitor (cx=0x104e0d0, script=0x40a060b0, pc=0x1057148 "\232", rval=...) at ../jsinferinlines.h:590
#6  0x003365e6 in js::ion::ReflowTypeInfo (bailoutResult=4) at /home/decoder/ionmonkey-arm/js/src/ion/Bailouts.cpp:478
#7  0x4005f734 in ?? ()
#8  0x4005f734 in ?? ()
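The `this=0xdadadade` in frame #0 of the backtrace above is the signature of a read through a dangling pointer in a SpiderMonkey debug build: freed memory is filled with the byte 0xDA (JS_FREE_PATTERN), so a pointer loaded from a freed object comes back as 0xDADADADA, and the address of a field four bytes into the pointed-to structure (as on the 32-bit ARM build in the report) is 0xDADADADE. The C program below is an added illustration of that mechanism; it is not code from this bug or from SpiderMonkey, and the two struct layouts and field names (`object_impl`, `type_object`, `type_`, `singleton`) are hypothetical stand-ins chosen to mirror the frames `hasSingletonType` -> `EncapsulatedPtr` in the trace, not the engine's real layouts.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* SpiderMonkey's JS_FREE_PATTERN: debug builds overwrite a block with this
 * byte when it is freed, so dangling reads produce recognisable garbage. */
#define FREE_PATTERN 0xDAu

/* Hypothetical stand-ins for the two objects seen in the backtrace: an object
 * header holding a pointer to its type object, and a type object whose second
 * field is the "singleton" pointer the accessor in frame #0 is invoked on. */
struct type_object { void *proto; void *singleton; };
struct object_impl { struct type_object *type_; };

/* Simulate the engine freeing a block: fill it with the poison byte. The
 * block is deliberately kept mapped here so the dangling read below is
 * deterministic and not undefined behaviour; a real free() would follow. */
static void poison(void *p, size_t n) { memset(p, FREE_PATTERN, n); }

/* Returns 1 when every byte of the value is the poison byte, i.e. the
 * pointer was loaded from memory that had already been freed. */
int is_poison_pointer(uintptr_t v) {
    for (size_t i = 0; i < sizeof v; i++)
        if (((v >> (8 * i)) & 0xFFu) != FREE_PATTERN) return 0;
    return 1;
}

/* Build the object, "free" it while a reference survives, then perform the
 * load that a hasSingletonType()-style accessor performs: read type_ from the
 * freed header and form the address of its singleton field. That address is
 * what frame #0 receives as "this". The raw type_ bits are returned through
 * loaded_type so the caller can inspect them too. */
uintptr_t dangling_singleton_field(uintptr_t *loaded_type) {
    struct type_object *t = malloc(sizeof *t);
    struct object_impl *o = malloc(sizeof *o);
    if (!t || !o) abort();
    t->proto = NULL;
    t->singleton = NULL;
    o->type_ = t;

    poison(o, sizeof *o);   /* header freed; 'o' is now a dangling reference */

    uintptr_t type_bits;    /* copy the bytes out: no dereference of the poison */
    memcpy(&type_bits, &o->type_, sizeof type_bits);
    *loaded_type = type_bits;

    /* 0xDADADADA + 4 = 0xDADADADE on the 32-bit ARM build in the report;
     * on a 64-bit host the constant is wider and the offset is 8. */
    uintptr_t field = type_bits + offsetof(struct type_object, singleton);

    free(t);
    free(o);
    return field;
}

int main(void) {
    uintptr_t type_bits = 0;
    uintptr_t field = dangling_singleton_field(&type_bits);
    printf("type_ loaded from freed object:       0x%" PRIxPTR "\n", type_bits);
    printf("address handed to singleton accessor: 0x%" PRIxPTR "\n", field);
    printf("looks like freed-memory poison:       %s\n",
           is_poison_pointer(type_bits) ? "yes" : "no");
    return 0;
}
```

When triaging a crash like this one, the pattern check is the quick test: a faulting address made entirely of 0xDA bytes, possibly plus a small field offset, points at a use-after-free rather than a null dereference or a wild write, and the object one frame up (here the ObjectImpl at 0x40a0cb50) is the one whose memory was reclaimed while something still referenced it.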
(Reporter)

Comment 2

5 years ago
The proper revision this was tested on is 9712a6f6b71c.
Summary: IonMonkey: Crash [@ js::EncapsulatedPtr] with use-after-free → IonMonkey: (ARM) Crash [@ js::EncapsulatedPtr] with use-after-free
Whiteboard: [ion:p1:fx18]
Comment 3

Sorry about not looking at this sooner, I think it was filed while I was out of the office.
I just tried this on 9712a6f6b71c, but I did not see any crashing. It just prints out:
ReferenceError: expect is not defined
Is there anything else I may need to do?
(Reporter)

Comment 4

5 years ago
Wasn't able to reproduce this on the original revision. Assuming that the repo wasn't clean and closing as WFM.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME