Closed
Bug 817509
Opened 13 years ago
Closed 13 years ago
crash in js::ion::MacroAssemblerARMCompat::linkExitFrame
Categories
(Core :: JavaScript Engine, defect)
Tracking
(RESOLVED FIXED, mozilla20)
Tracking | Status | |
---|---|---|
firefox19 | --- | unaffected |
firefox20 | --- | fixed |
People
(Reporter: scoobidiver, Unassigned)
Details
(Keywords: crash, regression, Whiteboard: [native-crash])
Attachments
(1 file)
patch, 1.01 KB, mjrosenb: review+
It has been hit by two users in 20.0a1/20121202. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d2fbc67f69f5&tochange=0352a32fde64
Signature js::ion::MacroAssemblerARMCompat::linkExitFrame()
UUID fb46db84-ab43-4f7e-a22d-15e892121203
Date Processed 2012-12-03 00:20:50
Uptime 113
Last Crash 1.3 weeks before submission
Install Age 1.9 minutes since version was first installed.
Install Time 2012-12-03 00:18:46
Product FennecAndroid
Version 20.0a1
Build ID 20121202030723
Release Channel nightly
OS Android
OS Version 0.0.0 Linux 3.0.8-g4328f8b #1 SMP PREEMPT Thu Sep 20 17:31:11 CDT 2012 armv7l motorola/XT875_verizon/cdma_targa:4.0.4/6.7.2-223_DBN_M4-23/29:user/release-keys
Build Architecture arm
Build Architecture Info
Crash Reason SIGSEGV
Crash Address 0x0
App Notes
AdapterDescription: 'Imagination Technologies -- PowerVR SGX 540 -- OpenGL ES 2.0 build 1.8@796887 -- Model: DROID BIONIC, Product: XT875_verizon, Manufacturer: motorola, Hardware: mapphone_cdma'
EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+
motorola DROID BIONIC
motorola/XT875_verizon/cdma_targa:4.0.4/6.7.2-223_DBN_M4-23/29:user/release-keys
Processor Notes /data/socorro/stackwalk/bin/exploitable: ERROR: unable to analyze dump
EMCheckCompatibility True
Adapter Vendor ID Imagination Technologies
Adapter Device ID PowerVR SGX 540
Device motorola DROID BIONIC
Android API Version 15 (REL)
Android CPU ABI armeabi-v7a
Frame | Module | Signature | Source |
---|---|---|---|
0 | libxul.so | js::ion::MacroAssemblerARMCompat::linkExitFrame | MacroAssembler-arm.cpp:1498 |
1 | libxul.so | js::ion::MacroAssembler::enterFakeExitFrame | IonMacroAssembler.h:497 |
2 | libxul.so | js::ion::CodeGenerator::visitCallNative | CodeGenerator.cpp:633 |
3 | libxul.so | js::ion::LCallNative::accept | LIR-Common.h:602 |
4 | libxul.so | js::ion::CodeGenerator::generateBody | CodeGenerator.cpp:1536 |
5 | libxul.so | js::ion::CodeGenerator::generate | CodeGenerator.cpp:3140 |
6 | libxul.so | js::ion::CompileBackEnd | Ion.cpp:1011 |
7 | libxul.so | js::WorkerThread::ThreadMain | jsworkers.cpp:325 |
8 | libnspr4.so | _pt_root | ptthread.c:156 |
9 | libc.so | libc.so@0x12d6e | |
10 | libc.so | libc.so@0x128c2 | |
More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Aion%3A%3AMacroAssemblerARMCompat%3A%3AlinkExitFrame%28%29
Comment 1•13 years ago
It is nice that we have a short regression range like that. There were only two commits to IM in there, so figuring out which one caused (more likely uncovered) this should be easy, but I'm working under the assumption that this bug was recently uncovered, and will simply be trying to reproduce this, under gdb, and hope that points to a single fix.
Comment 2•13 years ago
The regression range is wrong. The stack here indicates that the user was using off thread compilation, which isn't on by default and only recently got a config option so that it could be turned on at all. The problem is pretty easy to see though: a use of GetIonContext()->cx in the crashing function, which is NULL during off thread compilation. The attached patch should fix this.
Attachment #687740 - Flags: review?(mrosenberg)
Comment 3•13 years ago
Comment on attachment 687740
patch
Review of attachment 687740:
-----------------------------------------------------------------
Thanks, that probably would have taken me much longer to track down.
Attachment #687740 - Flags: review?(mrosenberg) → review+
Comment 4•13 years ago
Comment 5•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20