crash in js::ion::MacroAssemblerARMCompat::linkExitFrame

RESOLVED FIXED in Firefox 20

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 5 years ago
Modified: 5 years ago

People

(Reporter: Scoobidiver (away), Unassigned)

Tracking

Keywords: crash, regression
Version: 20 Branch
Target Milestone: mozilla20
Hardware: ARM
OS: Android
Points: ---

Firefox Tracking Flags

(firefox19 unaffected, firefox20 fixed)

Details

(Whiteboard: [native-crash], crash signature)

Attachments

(1 attachment)

Description (Reporter, 5 years ago)

It has been hit by two users in 20.0a1/20121202. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d2fbc67f69f5&tochange=0352a32fde64

Signature 	js::ion::MacroAssemblerARMCompat::linkExitFrame()
UUID	fb46db84-ab43-4f7e-a22d-15e892121203
Date Processed	2012-12-03 00:20:50
Uptime	113
Last Crash	1.3 weeks before submission
Install Age	1.9 minutes since version was first installed.
Install Time	2012-12-03 00:18:46
Product	FennecAndroid
Version	20.0a1
Build ID	20121202030723
Release Channel	nightly
OS	Android
OS Version	0.0.0 Linux 3.0.8-g4328f8b #1 SMP PREEMPT Thu Sep 20 17:31:11 CDT 2012 armv7l motorola/XT875_verizon/cdma_targa:4.0.4/6.7.2-223_DBN_M4-23/29:user/release-keys
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes 	
AdapterDescription: 'Imagination Technologies -- PowerVR SGX 540 -- OpenGL ES 2.0 build 1.8@796887 -- Model: DROID BIONIC, Product: XT875_verizon, Manufacturer: motorola, Hardware: mapphone_cdma'
EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ 
motorola DROID BIONIC
motorola/XT875_verizon/cdma_targa:4.0.4/6.7.2-223_DBN_M4-23/29:user/release-keys
Processor Notes 	/data/socorro/stackwalk/bin/exploitable: ERROR: unable to analyze dump
EMCheckCompatibility	True
Adapter Vendor ID	Imagination Technologies
Adapter Device ID	PowerVR SGX 540
Device	motorola DROID BIONIC
Android API Version	15 (REL)
Android CPU ABI	armeabi-v7a

Frame 	Module 	Signature 	Source
0 	libxul.so 	js::ion::MacroAssemblerARMCompat::linkExitFrame 	MacroAssembler-arm.cpp:1498
1 	libxul.so 	js::ion::MacroAssembler::enterFakeExitFrame 	IonMacroAssembler.h:497
2 	libxul.so 	js::ion::CodeGenerator::visitCallNative 	CodeGenerator.cpp:633
3 	libxul.so 	js::ion::LCallNative::accept 	LIR-Common.h:602
4 	libxul.so 	js::ion::CodeGenerator::generateBody 	CodeGenerator.cpp:1536
5 	libxul.so 	js::ion::CodeGenerator::generate 	CodeGenerator.cpp:3140
6 	libxul.so 	js::ion::CompileBackEnd 	Ion.cpp:1011
7 	libxul.so 	js::WorkerThread::ThreadMain 	jsworkers.cpp:325
8 	libnspr4.so 	_pt_root 	ptthread.c:156
9 	libc.so 	libc.so@0x12d6e 	
10 	libc.so 	libc.so@0x128c2

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Aion%3A%3AMacroAssemblerARMCompat%3A%3AlinkExitFrame%28%29
It is nice that we have a short regression range like that.  There were only two commits to IM in there, so figuring out which one caused (more likely uncovered) this should be easy, but I'm working under the assumption that this bug was recently uncovered, and will simply be trying to reproduce this, under gdb, and hope that points to a single fix.
Created attachment 687740 [details] [diff] [review]
patch

The regression range is wrong. The stack here indicates that the user was using off-thread compilation, which isn't on by default and only recently got a config option so that it could be turned on at all. The problem is pretty easy to see, though: a use of GetIonContext()->cx in the crashing function, which is NULL during off-thread compilation. The attached patch should fix this.
Attachment #687740 - Flags: review?(mrosenberg)
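A hypothetical C++ model of the failure mode this comment describes, added here as an illustration; it is not the attached patch and not SpiderMonkey code. Only the names IonContext, cx and linkExitFrame come from the report; the struct layouts, the thread-local lookup and the runtime field are assumptions, and the hardened variant shows one defensive pattern (read only fields that are valid on every compiling thread, and assert the invariant) rather than what the real fix did.

```cpp
// Hypothetical model of the failure mode in the comment above: not SpiderMonkey
// code and not the attached patch. IonContext, cx and linkExitFrame mirror the
// report; the struct layouts, thread-local lookup and "runtime" field are invented.
#include <cassert>
#include <cstdint>
struct JSRuntime { uintptr_t ionTop; };   // constructed stand-in
struct JSContext { JSRuntime *runtime; }; // constructed stand-in
// Per-compilation context: cx is set on the main thread but is nullptr for
// off-thread (worker) compilation, the condition the comment names.
struct IonContext {
    JSContext *cx;
    JSRuntime *runtime;   // assumed valid on every thread
};
static thread_local IonContext *currentIonContext = nullptr;
static IonContext *GetIonContext() { return currentIonContext; }

// Crashing pattern: reaches the runtime through GetIonContext()->cx, which the
// worker thread never populated. The null check stands in for the SIGSEGV at
// address 0x0 so the pattern can be exercised without faulting.
static bool linkExitFrameViaCx(uintptr_t *out) {
    JSContext *cx = GetIonContext()->cx;
    if (cx == nullptr)
        return false;
    *out = cx->runtime->ionTop;
    return true;
}

// Hardened pattern: take what the emitter needs from a field that is valid on
// both the main thread and worker threads, and assert the invariant loudly.
static bool linkExitFrameViaRuntime(uintptr_t *out) {
    JSRuntime *rt = GetIonContext()->runtime;
    assert(rt != nullptr && "IonContext must carry a runtime on every thread");
    *out = rt->ionTop;
    return true;
}

// Drive both emitters from a main-thread compile (cx present) and an off-thread
// compile (cx null). Returns the number of successful links out of four.
static int simulate() {
    JSRuntime rt{0x1000};
    JSContext mainCx{&rt};
    IonContext mainThread{&mainCx, &rt}, workerThread{nullptr, &rt};
    uintptr_t v = 0; int ok = 0;
    currentIonContext = &mainThread;
    ok += linkExitFrameViaCx(&v) + linkExitFrameViaRuntime(&v);
    currentIonContext = &workerThread;
    ok += linkExitFrameViaCx(&v) + linkExitFrameViaRuntime(&v); // cx path fails
    currentIonContext = nullptr;
    return ok; // 3
}
```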
Comment on attachment 687740 [details] [diff] [review]
patch

Review of attachment 687740 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks, that probably would have taken me much longer to track down.
Attachment #687740 - Flags: review?(mrosenberg) → review+
https://hg.mozilla.org/mozilla-central/rev/2a3f0a806e7b
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Updated (Reporter, 5 years ago)
status-firefox20: affected → fixed