Closed Bug 783537 Opened 12 years ago Closed 12 years ago

Crash [@ js::mjit::CallCompiler::patchInlinePath]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla17
Tracking Flags:
Tracking Status
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: billm)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update][fuzzblocker])

Attachments

(1 file)

patch
2.25 KB, patch
dvander
: review+
Details | Diff | Splinter Review 
The following test crashes on mozilla-central revision 1ecca798b1fb (options -m -a):


try {
gczeal(4);
var source = "".concat( repeat_str("}", N));
} catch(exc1) {}
var g = newGlobal('new-compartment');
g.eval("function f() { return 1; }");
var N = g.N = 11;
g.eval("function h() { for (var i = 0; i < N; i += f()) {} }");
g.h();


Crash trace:

==39412== Invalid read of size 8
==39412==    at 0x82F74B: js::mjit::CallCompiler::patchInlinePath(JSScript*, JSObject*) (MonoIC.cpp:677)
==39412==    by 0x830FD8: js::mjit::CallCompiler::update() (MonoIC.cpp:968)
==39412==    by 0x831110: js::mjit::ic::Call(js::VMFrame&, js::mjit::ic::CallICInfo*) (MonoIC.cpp:997)
==39412==    by 0x403BE9E: ???
==39412==    by 0x7807C3: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1016)
==39412==    by 0x780A6B: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:1074)
==39412==    by 0x780B6A: js::mjit::JaegerShot(JSContext*, bool) (MethodJIT.cpp:1086)
==39412==    by 0x530A82: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:305)
==39412==    by 0x530F4C: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:362)
==39412==    by 0x4679FD: js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) (jsinterp.h:119)
==39412==    by 0x531182: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.cpp:394)
==39412==    by 0x5BA50B: js::IndirectProxyHandler::call(JSContext*, JSObject*, unsigned int, JS::Value*) (jsproxy.cpp:477)
==39412==  Address 0x10 is not stack'd, malloc'd or (recently) free'd


Hitting this very often, marking as fuzzblocker. Also this is in mjit code and it could be a dup of bug 783421 so marking s-s.
I just bisected this to myself.

changeset:   102421:07f21ec5d516
user:        Bill McCloskey <wmccloskey@mozilla.com>
date:        Wed Aug 15 10:39:48 2012 -0700
summary:     Bug 781390 - Make barrier verifier testing work better with the methodjit (r=bhackett)
Assignee: general → wmccloskey
Attached patch patchSplinter Review 
I missed converting a few calls to needsBarrier() to compileBarriers(). I didn't think it was necessary for the ICs, but I guess it is. For one, we don't flush the ICs when starting the barrier verifier.
Attachment #652893 - Flags: review?(dvander)
Attachment #652893 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/e141e1418174
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: