Closed
Bug 805299
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ 0xdeadbeee]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla20
Tracking | Status | |
---|---|---|
firefox17 | --- | unaffected |
firefox18 | + | fixed |
firefox19 | + | fixed |
firefox20 | + | fixed |
firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: mjrosenb)
References
Details
(Keywords: crash, sec-critical, testcase, Whiteboard: [jsbugmon:ignore][adv-main18-])
Crash Data
Attachments
(3 files)
1.60 KB,
application/javascript
|
Details | |
6.87 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
8.68 KB,
patch
|
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
The attached testcase crashes on mozilla-central revision 1c3e4cb1f754 (run with --ion-eager).
Reporter | ||
Comment 1•12 years ago
|
||
Crash trace: Program received signal SIGSEGV, Segmentation fault. 0xdeadbeee in ?? () (gdb) bt #0 0xdeadbeee in ?? () #1 0x0047f4e4 in js::ion::AutoFlushCache::~AutoFlushCache (this=0x40030788, __in_chrg=<value optimized out>) at /home/decoder/mozilla-central/js/src/ion/arm/Assembler-arm.cpp:2474 #2 0x00d8d690 in ?? () Cannot access memory at address 0x0 #3 0x00d8d690 in ?? () Cannot access memory at address 0x0 Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Summary: Crash [@ 0xdeadbeee] → IonMonkey: Crash [@ 0xdeadbeee]
Whiteboard: [jsbugmon:ignore]
Updated•12 years ago
|
Keywords: sec-critical
Reporter | ||
Updated•12 years ago
|
Assignee: general → mrosenberg
Updated•12 years ago
|
status-firefox18:
--- → affected
Updated•12 years ago
|
Status: NEW → ASSIGNED
Updated•12 years ago
|
status-firefox19:
--- → affected
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox17:
--- → unaffected
Updated•12 years ago
|
tracking-firefox18:
--- → +
tracking-firefox19:
--- → +
Comment 2•12 years ago
|
||
What's the status here? This is marked tracking# for 18, which is entering beta this week.
Assignee | ||
Comment 3•12 years ago
|
||
A quick patch would be to just abort compilation when we hit this case. This case should basically never come up. The issue has to do with pools, and is a bad fix for bug 759464. I'm currently trying to cook up an actual reasonable way to handle this case.
Assignee | ||
Comment 4•12 years ago
|
||
This patch causes compilation to abort when we detect a case that we were previously handling incorrectly. There were a few cases where assertions were then triggering due to the world not looking quite right, so explicit checks needed to be added.
Attachment #685092 -
Flags: review?(dvander)
Comment on attachment 685092 [details] [diff] [review] /home/mrosenberg/patches/disable-r0.patch Review of attachment 685092 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/IonMacroAssembler.h @@ +499,5 @@ > } > > void link(IonCode *code) { > + if (m_buffer.oom()) > + return; Better to make this JS_ASSERT(!m_buffer.oom()), and then check for OOM where needed in ion::Linker::newCode(). ::: js/src/ion/RangeAnalysis.cpp @@ +532,5 @@ > return false; > } > } > iters++; > + if (iters >= numBlocks * 1000) Part of this patch?
Attachment #685092 -
Flags: review?(dvander) → review+
Comment 6•12 years ago
|
||
Marty, are you planning to land this reviewed patch? Also, please nominate for beta and aurora approval once it sticks on trunk.
Assignee | ||
Comment 7•12 years ago
|
||
landed on mi: https://hg.mozilla.org/integration/mozilla-inbound/rev/162e2608bd3c
Comment 8•12 years ago
|
||
Backed out because this breaks debug builds: https://hg.mozilla.org/integration/mozilla-inbound/rev/97b197902642
Assignee | ||
Comment 9•12 years ago
|
||
My bad. tbpl logs point right at the culprit: I directly reference m_buffer in shared code inside of JS_ASSERT, so it will crash only in debug builds on all non-arm platforms.
Assignee | ||
Comment 10•12 years ago
|
||
re-landed, more green: https://hg.mozilla.org/integration/mozilla-inbound/rev/a592d7dfb470
Comment 11•12 years ago
|
||
Backed out for crashes on Android: https://tbpl.mozilla.org/php/getParsedLog.php?id=17551768&tree=Mozilla-Inbound https://hg.mozilla.org/integration/mozilla-inbound/rev/3559bc4dfe1b
Comment 12•12 years ago
|
||
Marty - can you continue this investigation? This is an sg:crit regression from FF17 and we're going to build with b4 Tuesday. Would be really great to get a fix uplifted before then.
Updated•12 years ago
|
status-firefox20:
--- → affected
tracking-firefox20:
--- → +
Assignee | ||
Comment 13•12 years ago
|
||
yeah, I'm working on it, and fighting with mochitests, as usual.
Assignee | ||
Comment 14•12 years ago
|
||
landed again: http://hg.mozilla.org/mozilla-central/rev/21aeb525c630 This time with a try run first.
Assignee | ||
Comment 15•12 years ago
|
||
err: http://hg.mozilla.org/integration/mozilla-inbound/rev/21aeb525c630 my script occasionally generates bogus urls.
Assignee | ||
Comment 16•12 years ago
|
||
[Approval Request Comment] Bug caused by (feature/regressing bug #): IM landing + 763333 User impact if declined: mysterious crashes, possibly incorrect behavior Testing completed (on m-c, etc.): on m-i Risk to taking this patch (and alternatives if risky): This patch is the safe approach. I'm just nuking the code paths that are trick/were questionable, and causing us to not compile the code with IonMonkey. Sadly, it uses the OOM mechanism, and that isn't quite perfect. If there are paths where OOM conditions need to be checked, and they aren't we may throw an assertion. String or UUID changes made by this patch:
Attachment #690055 -
Flags: approval-mozilla-beta?
Updated•12 years ago
|
Attachment #690055 -
Flags: approval-mozilla-aurora?
Comment 17•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/21aeb525c630
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Comment 18•12 years ago
|
||
Comment on attachment 690055 [details] [diff] [review] patch that was actually landed on m-i Low risk enough that we can take this for beta 4 which goes to build tomorrow, please go ahead with branch uplift.
Attachment #690055 -
Flags: approval-mozilla-beta?
Attachment #690055 -
Flags: approval-mozilla-beta+
Attachment #690055 -
Flags: approval-mozilla-aurora?
Attachment #690055 -
Flags: approval-mozilla-aurora+
Updated•12 years ago
|
Keywords: checkin-needed
Assignee | ||
Comment 19•12 years ago
|
||
landed on both aurora and beta: https://hg.mozilla.org/releases/mozilla-aurora/rev/3a41271d7364 https://hg.mozilla.org/releases/mozilla-beta/rev/4946d63b2dec
Comment 20•12 years ago
|
||
(In reply to Marty Rosenberg [:mjrosenb] from comment #19) > landed on both aurora and beta Setting flags accordingly.
Updated•12 years ago
|
Keywords: checkin-needed
Updated•12 years ago
|
Whiteboard: [jsbugmon:ignore] → [jsbugmon:ignore][adv-main18-]
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•