IonMonkey: Crash on heap near [@ js::mjit::ic::Call]

RESOLVED FIXED

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: major
Reported: 5 years ago
Modified: 4 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Version: Other Branch
Platform: x86 Linux
Points: ---
Bug Flags: in-testsuite+

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ion:p1:fx18] [jsbugmon:update,ignore], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following testcase crashes on ionmonkey revision f1764bf06b29 (run with --ion -n -m --ion-eager):


var callStack = new Array();
function enterFunc (funcName) {
  funcName += "()";
  callStack.push(funcName);
}
function exitFunc (funcName) {
  var lastFunc = callStack.pop();
  funcName += "()";
  if (lastFunc != funcName)
    reportCompare();
}
try {
  test();
} catch(exc1) {}
function test() {
  enterFunc ('test');
  test();
}
for (var l = 0; l < 50000; l++)
  exitFunc ('test');

(Reporter)

Comment 1

5 years ago
Also happens on 64 bit. Crash info:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f44145 in ?? ()
Missing separate debuginfos, use: debuginfo-install zlib-1.2.3-27.el6.x86_64
(gdb) bt
#0  0x00007ffff7f44145 in ?? ()
#1  0x00007fffffffbfb0 in ?? ()
#2  0x00000000007f5c61 in js::mjit::ic::Call (f=..., ic=0x0) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/methodjit/MonoIC.cpp:1291
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x7ffff7f44145:      testl  $0x7,(%rcx)
(gdb) info reg rcx
rcx            0x0      0
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]

Comment 2

This is a type error. We assume that LArrayPopShiftT returns String, when this case goes through ion::ArrayPopDense() and returns UndefinedValue. Since the LIR is typed, we then load the Undefined payload 0x0 and segfault later during LCompareS.
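A constructed C model of the type confusion described in this comment and of the guard that the fix attached later in this bug restores. This is added illustration, not SpiderMonkey code: Value, JSString, DenseArray and the function names are stand-ins for the engine's tagged values, for LArrayPopShiftT/ArrayPopDense and for LCompareS.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model (not SpiderMonkey code) of a tagged JS value: a type tag
 * plus a raw payload word. Undefined carries payload 0, so code that assumes
 * the payload is a String* ends up holding a null pointer. */
enum Tag { TAG_UNDEFINED = 0, TAG_STRING = 1 };
typedef struct { const char *chars; } JSString;            /* stand-in for a heap string */
typedef struct { enum Tag tag; JSString *payload; } Value;
typedef struct { Value *elems; size_t len; } DenseArray;

/* Models ion::ArrayPopDense(): pops the last element, or yields Undefined
 * (payload 0) once the array is empty. */
Value array_pop_dense(DenseArray *arr) {
    Value undef = { TAG_UNDEFINED, NULL };
    return arr->len == 0 ? undef : arr->elems[--arr->len];
}

/* Models LCompareS: a typed string compare that trusts its operand to be a
 * String* and dereferences it without consulting any tag. */
int lcompare_s(const JSString *lhs, const char *rhs) {
    return strcmp(lhs->chars, rhs) == 0;                   /* faults when lhs == NULL */
}

/* Buggy path: the LIR was typed as if pop() always yields String, so the
 * payload goes straight into LCompareS. Once the call stack is empty, lhs is
 * the Undefined payload 0, which is the SIGSEGV in the backtrace above. */
int exit_func_speculative(DenseArray *stack, const char *name) {
    Value last = array_pop_dense(stack);
    return lcompare_s(last.payload, name);
}

/* Guarded path: re-check the tag the speculation relied on and report the
 * type-guard failure (where Ion would Monitor() the new type and bail out to
 * the interpreter) instead of using payload 0 as a pointer. */
int exit_func_guarded(DenseArray *stack, const char *name, int *bailed) {
    Value last = array_pop_dense(stack);
    if (last.tag != TAG_STRING) {
        *bailed = 1;                                       /* observed type != String */
        return 0;
    }
    *bailed = 0;
    return lcompare_s(last.payload, name);
}

/* Constructed input: a one-element call stack holding the string "test()",
 * mirroring callStack after a single enterFunc('test'). */
JSString test_str = { "test()" };
Value test_elems[1] = { { TAG_STRING, &test_str } };
```

The speculative path is only safe while the stack is non-empty; the guarded path reports the Undefined result instead of dereferencing its zero payload.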
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update][ion:p1:fx18] → [ion:p1:fx18] [jsbugmon:update,ignore]
(Reporter)

Comment 3

5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a8235a2a29c2).

Created attachment 651594
Fix GetPcScript() when callingIntoIon().

ion::ArrayPopDense() was correctly calling Monitor() if pop() resulted in an UndefinedValue, but the GetPcScript() function was returning a nonsensical PC when the Ion function was entered via a JM Ion-call IC.
Attachment #651594 - Flags: review?(dvander)
Attachment #651594 - Flags: review?(dvander) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/e244389fbfc4
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 6

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+