Bug 779125 - IonMonkey: Crash on heap near [@ EnterIon] with invalid read
Status: RESOLVED FIXED
Whiteboard: [jsbugmon:update][ion:p1:fx18]
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Importance: -- major
Target Milestone: ---
Assigned To: Jan de Mooij [:jandem]
QA Contact: general
Mentors:
Depends on:
Blocks: langfuzz IonFuzz
Reported: 2012-07-31 07:38 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 07:54 PST
choller: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Patch (1.32 KB, patch)
2012-07-31 08:05 PDT, Jan de Mooij [:jandem]
dvander: review+

Description Christian Holler (:decoder) 2012-07-31 07:38:48 PDT
The following testcase crashes on ionmonkey revision 54f9ee5403f0 (run with --ion -n):


// The update expression `(i)` never increments i, so the loop runs until Ion
// compiles it (SideCannon in the trace below); both operands of the charAt
// bounds check are then compile-time constants: index -1, length 0.
for(var i = 0; i < 9; (i)) {
  x = ''.charAt(-1);
}
Comment 1 Christian Holler (:decoder) 2012-07-31 07:39:14 PDT
Crash info:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f63e50 in ?? ()
(gdb) bt
#0  0x00007ffff7f63e50 in ?? ()
#1  0x00007ffff7f640ba in ?? ()
#2  0x00000000000000c1 in ?? ()
#3  0x00007ffff07070e9 in ?? ()
#4  0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x7ffff7f63e50:      movzwl (%rbx,%rdx,2),%ebx
(gdb) info reg rbx rdx ebx
rbx            0x7ffff0823810   140737228453904
rdx            0xffffffff       4294967295
ebx            0xf0823810       -259901424

==23264== Invalid read of size 2
==23264==    at 0x4032E50: ???
==23264==    by 0x8152A0: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1150)
==23264==    by 0x815604: js::ion::SideCannon(JSContext*, js::StackFrame*, unsigned char*) (Ion.cpp:1194)
==23264==    by 0x51DF3B: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1535)
==23264==    by 0x518C83: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:321)
==23264==    by 0x5198B7: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:507)
==23264==    by 0x519AFE: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:545)
==23264==    by 0x44C1DF: JS_ExecuteScript (jsapi.cpp:5511)
==23264==    by 0x408B98: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:435)
==23264==    by 0x413D3D: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4837)
==23264==    by 0x413F85: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:4878)
==23264==    by 0x4148EC: main (js.cpp:5083)
==23264==  Address 0x20c72380e is not stack'd, malloc'd or (recently) free'd
Comment 2 Jan de Mooij [:jandem] 2012-07-31 08:05:03 PDT
Created attachment 647536 [details] [diff] [review]
Patch

LBoundsCheck should do an unsigned comparison if both operands are constant.
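The comparison the patch description refers to, as an added example that is not code from this bug, the attached patch or the SpiderMonkey tree: a toy model of lowering a bounds check whose operands may be compile-time constants. The names used here (Operand, bounds_check_before, bounds_check_after, char_offset, konst, dyn) are hypothetical. It shows why folding two constant operands with a signed compare lets ''.charAt(-1) through, while the unsigned compare that the non-constant path already emits rejects it, and what index the load would use once the check has passed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Operand of the hypothetical bounds check: either a compile-time constant
 * or a value only known at runtime (modelled here by its runtime value). */
typedef struct {
    bool    is_const;
    int32_t value;
} Operand;

/* The compare emitted for non-constant operands: one unsigned comparison
 * covers both "index < 0" and "index >= length" at once. */
static bool runtime_check(int32_t index, int32_t length) {
    return (uint32_t)index < (uint32_t)length;
}

/* Before the fix: constant operands are folded with a signed compare, so
 * index -1 against length 0 is "in bounds" (-1 < 0) and the load is kept. */
static bool bounds_check_before(Operand index, Operand length) {
    if (index.is_const && length.is_const)
        return index.value < length.value;            /* signed: the bug */
    return runtime_check(index.value, length.value);
}

/* After the fix: fold with the same unsigned compare the runtime path uses,
 * so the constant and non-constant paths agree on every input. */
static bool bounds_check_after(Operand index, Operand length) {
    if (index.is_const && length.is_const)
        return (uint32_t)index.value < (uint32_t)length.value;
    return runtime_check(index.value, length.value);
}

/* Byte offset a movzwl (%base,%index,2) reads at once the check has passed:
 * the index as an unsigned 32-bit register, scaled by the 2-byte char width. */
static uint64_t char_offset(int32_t index) {
    return (uint64_t)(uint32_t)index * 2u;
}

static Operand konst(int32_t v) { Operand o = { true,  v }; return o; }
static Operand dyn(int32_t v)   { Operand o = { false, v }; return o; }

int main(void) {
    /* ''.charAt(-1): both the index and the string length are constants. */
    Operand idx = konst(-1), len = konst(0);
    printf("before: check passes = %d\n", bounds_check_before(idx, len));
    printf("after:  check passes = %d\n", bounds_check_after(idx, len));
    printf("offset read if the check passes: 0x%llx\n",
           (unsigned long long)char_offset(-1));
    /* The non-constant path was already unsigned and rejects the same input. */
    printf("runtime: check passes = %d\n", bounds_check_before(dyn(-1), dyn(0)));
    return 0;
}
```

Run as is, the before-variant reports the check as passing for index -1 and length 0, with a scaled offset of 0x1fffffffe. That matches the gdb output above: rdx holds 0xffffffff, which is -1 seen as an unsigned register, and movzwl (%rbx,%rdx,2) scales it by the two-byte character width. Adding that offset to a chars base of 0x0c723810 gives the 0x20c72380e Valgrind reports; that base is an inference from the reported fault address, not something the bug states.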
Comment 3 Jan de Mooij [:jandem] 2012-08-01 00:35:37 PDT
https://hg.mozilla.org/projects/ionmonkey/rev/07e292dd5d3f
Comment 4 Christian Holler (:decoder) 2013-01-14 07:54:59 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug779125.js.
