Crash [@ js::mjit::JITScript::chunkIndex] or [@ js::mjit::Recompiler::patchFrame] or "Assertion failure: found,"

RESOLVED FIXED in Firefox 17

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: gkw, Assigned: billm)

Tracking

(Blocks: 2 bugs, {crash, regression, testcase})

Trunk
mozilla17
crash, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox14 unaffected, firefox15 unaffected, firefox16 unaffected, firefox17 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [fuzzblocker][jsbugmon:update,reconfirm] qa-)

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 652626 [details]
stack

gc()
var p = n
function m() {
  return function(f, code, t) {
    try {
      evalcx(code, newGlobal())
    } catch (e) {}
  }
}
function n() {
  f()
}
function h(code) {
  f = Function(code)
  p(f, code, true)
}
h("\
  p=m();\
  gcPreserveCode();\
  gcslice(7);\
")
h("\"\"")
h("")
h("gc()")
h("")
h("")
h("gczeal(4,2)")

asserts js debug shell on m-c changeset 50e4ff05741e with -m, -n and -a at Assertion failure: found, when the testcase is passed in as a CLI argument, and a variant crashes at js::mjit::JITScript::chunkIndex with js::mjit::Recompiler::patchFrame on the stack.

s-s because this involves gc but inspection of the registers seems to indicate that this is a null crash.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   102448:07f21ec5d516
user:        Bill McCloskey
date:        Wed Aug 15 10:39:48 2012 -0700
summary:     Bug 781390 - Make barrier verifier testing work better with the methodjit (r=bhackett)
(Assignee)

Updated

5 years ago
Assignee: general → wmccloskey
(Reporter)

Comment 1

5 years ago
Created attachment 652629 [details]
stack from a crash

Setting [fuzzblocker] because this is happening very very often.

p = n
function m(sandboxType) {
  switch (sandboxType) {
  default:
    a = newGlobal()
  }
  return function(f, code, t) {
    try {
      evalcx(code, a)
    } catch (e) {}
  }
}
function n() {
  f()
}
function h(code) {
  f = Function(code)
  p(f, code, true)
}
h("p=m()")
h("f=function(){};delete[\"\"]")
h("this+''")
h("''")
h("(1 in f)")
h("gczeal(4)")

is the other testcase that crashes instead.
(Reporter)

Comment 2

5 years ago
Other assertions like:

Assertion failure: thing,
Assertion failure: thing->compartment(),
Assertion failure: bi->aliased(),

I'm going to temporarily assume that this is the same bug because this is overflowing my logs...
(Reporter)

Comment 3

5 years ago
Assertion failure: bi->aliased(), is actually bug 783441.
status-firefox-esr10: --- → unaffected
status-firefox14: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → unaffected
status-firefox17: --- → affected
Also seeing this with varying signatures, would be very nice to have this fixed quickly for fuzzing.
Blocks: 676763
Whiteboard: [fuzzblocker] → [fuzzblocker][jsbugmon:update]
(Assignee)

Comment 5

5 years ago
Created attachment 652830 [details] [diff] [review]
patch

Sorry, stupid bug. I forgot that ClearAllFrames looks at the current needsBarrier()/compileBarriers() value. And the value of compileBarriers() is affected by the GC zeal. So we need to ClearAllFrames before updating the zeal or else it will try to purge the wrong stuff.
Attachment #652830 - Flags: review?(dvander)
Attachment #652830 - Flags: review?(dvander) → review+
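The ordering dependency described in comment 5, as an added toy model (not SpiderMonkey code and not the patch): a purge routine that decides what to evict from the current compileBarriers() value, which in turn depends on the GC zeal setting. The `Frame`/`Runtime` types, the rule that zeal mode 4 enables barrier compilation, and the eviction rule "drop frames compiled for the mode we are leaving" are assumptions of the model; what it shows is why the purge has to run before the zeal is changed.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Toy model (added here; not SpiderMonkey code) of the ordering bug in comment 5.
// The zeal threshold and the eviction rule below are assumptions of the model.

struct Frame {
    int id;
    bool builtWithBarriers;   // barrier mode the frame's JIT code was compiled for
};

struct Runtime {
    int gcZeal = 0;
    std::vector<Frame> frames;

    // Stand-in for compileBarriers(): in this model, zeal mode 4 (the value the
    // testcases pass to gczeal) turns write-barrier compilation on.
    bool compileBarriers() const { return gcZeal == 4; }

    // Stand-in for ClearAllFrames(): evict frames whose code matches the current
    // barrier mode, because the caller is about to switch away from that mode.
    // It reads compileBarriers() at call time, so its effect depends on ordering.
    void clearAllFrames() {
        const bool mode = compileBarriers();
        frames.erase(std::remove_if(frames.begin(), frames.end(),
                                    [mode](const Frame& f) { return f.builtWithBarriers == mode; }),
                     frames.end());
    }

    // Frames compiled for a barrier mode other than the current one: these are
    // the stale frames that must not survive a zeal change.
    std::size_t staleFrames() const {
        const bool mode = compileBarriers();
        return static_cast<std::size_t>(std::count_if(
            frames.begin(), frames.end(),
            [mode](const Frame& f) { return f.builtWithBarriers != mode; }));
    }
};

// Constructed sample state: three frames compiled while barriers were off.
static Runtime runtimeWithFramesCompiledWithoutBarriers() {
    Runtime rt;
    rt.frames = {{1, false}, {2, false}, {3, false}};
    return rt;
}

// Pre-fix ordering: zeal is updated first, so clearAllFrames() already sees the
// new mode, evicts the wrong set (nothing here), and the old frames stay alive.
std::size_t staleAfterBuggyOrder() {
    Runtime rt = runtimeWithFramesCompiledWithoutBarriers();
    rt.gcZeal = 4;            // compileBarriers() flips to true
    rt.clearAllFrames();      // evicts frames built *with* barriers: none
    return rt.staleFrames();  // 3
}

// Fixed ordering from comment 5: purge while the old mode is still current,
// then change the zeal.
std::size_t staleAfterFixedOrder() {
    Runtime rt = runtimeWithFramesCompiledWithoutBarriers();
    rt.clearAllFrames();      // evicts frames built without barriers: all three
    rt.gcZeal = 4;
    return rt.staleFrames();  // 0
}

// The invariant a regression test for this class of bug would check: after any
// zeal change, no frame compiled for the previous barrier mode remains.
bool invariantHoldsAfterFixedOrder() { return staleAfterFixedOrder() == 0; }
```

The general point the model isolates: an invalidation routine that reads mutable global state to decide what to discard must run while that state still describes the objects being invalidated; flip the state first and the routine silently targets the wrong set, leaving stale JIT frames that a later GC or recompile walks into.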
(Assignee)

Comment 6

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/26c1570f162a
Group: core-security
https://hg.mozilla.org/mozilla-central/rev/26c1570f162a
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17

Updated

5 years ago
status-firefox17: affected → fixed
Since this has a testcase, nominating it for in-testsuite.
Flags: in-testsuite?
Keywords: verifyme
I've tried several times, but I couldn't reproduce this bug. I will try on a different machine.
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker][jsbugmon:update,reconfirm]
Setting this to "qa?" and removing "verifyme" for the time being.

Could I get some more info on how to reproduce this bug please?
Keywords: verifyme
Whiteboard: [fuzzblocker][jsbugmon:update,reconfirm] → [fuzzblocker][jsbugmon:update,reconfirm] qa?
(Reporter)

Comment 11

5 years ago
You'll have to compile a shell from m-c changeset 50e4ff05741e in comment 0 with the shell flags specified. If you cannot reproduce with a 64-bit shell, try using the configure options in bug 781343 comment 2 to get a 32-bit shell to get it to reproduce.
While trying to build Firefox on Ubuntu 12.04 (which is up-to-date), I get the following error:

http://pastebin.mozilla.org/1929133

Could you please help me solve this?
(Reporter)

Comment 13

5 years ago
> Could you please help me solve this?

You need to first install "ia32-libs gcc-multilib g++-multilib" via apt-get, I think.
Even after using the command you suggested:

  sudo apt-get install ia32-libs-multiarch gcc-multilib g++-multilib

(only using "ia32-libs" didn't seem to work), I still receive the same error as in comment 26, when running the configure command in comment 2.
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+
According to the automated test provided in comment 15, marking this [qa-].
Whiteboard: [fuzzblocker][jsbugmon:update,reconfirm] qa? → [fuzzblocker][jsbugmon:update,reconfirm] qa-