820873 - IonMonkey: Crash [@ JSString::isAtom] or Opt-Crash [@ js_ConcatStrings]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 553a3bcf1fe7 (run with --ion-eager):


var lfcode = new Array();
lfcode.push("3");
lfcode.push("with(evalcx('')) this.__defineGetter__('x', Function);");
lfcode.push("gczeal(2)");
lfcode.push("4");
lfcode.push("\
	var log = '';\
	for (var { m  } = i = 0 ;  ; i++) {\
		log += x; \
		if (x === 6)\
			a.slow = true; if (i > 1000) break;\
	}\
");
while (true) {
	var file = lfcode.shift(); if (file == undefined) { break; }
        loadFile(file)
}
function loadFile(lfVarx) {
	if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);
        } else {
            switch (lfRunTypeId) {
                case 3: function newFunc(x) { new Function(x)(); }; newFunc(lfVarx); break;
                case 4: eval("(function() { " + lfVarx + " })();"); break;
	}
    }
}

Comment 1

[Christian Holler (:decoder)]

Looks like a null-deref:

==15189== Invalid read of size 8
==15189==    at 0x40653A: JSString::isAtom() const (String.h:375)
==15189==    by 0x6F7575: js_ConcatStrings(JSContext*, JS::Handle<JSString*>, JS::Handle<JSString*>) (String.cpp:302)
==15189==    by 0x52F4EF: js::AddOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Value const&, JS::Value const&, JS::Value*) (jsinterpinlines.h:570)
==15189==    by 0x5424FA: js::AddValues(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Value*) (jsinterp.cpp:3965)
==15189==    by 0x4029CC4: ???
==15189==    by 0x896E8C: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1526)
==15189==    by 0x8972B0: js::ion::SideCannon(JSContext*, js::StackFrame*, unsigned char*) (Ion.cpp:1598)
==15189==    by 0x5366EA: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1421)
==15189==    by 0x5326FB: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:346)
==15189==    by 0x533686: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:535)
==15189==    by 0x7782D1: EvalKernel(JSContext*, JS::CallArgs const&, EvalType, js::StackFrame*, JS::Handle<JSObject*>) (Eval.cpp:286)
==15189==    by 0x7786BB: js::DirectEval(JSContext*, JS::CallArgs const&) (Eval.cpp:337)
==15189==  Address 0x0 is not stack'd, malloc'd or (recently) free'd


Marking s-s anyway because it contains gczeal(2).

Comment 2

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   114661:0952f7c80055
user:        Brian Hackett
date:        Fri Nov 30 15:59:52 2012 -0700
summary:     Add analysis to eliminate dead resume point operands, bug 814997. r=dvander

This iteration took 66.547 seconds to run.

Comment 3

[Christian Holler (:decoder)]

Ccing Brian based on comment 2. Brian, can you take a look and also suggest a security rating? Thanks!

Comment 4

[Brian Hackett [Laid off!]]

Attachment: patch + test

Argh, thought I'd handled this case in bug 814997 but apparently not.  If a definition is used in a phi in that same block, then it is live throughout the containing loop and can't be eliminated from resume point operands.

Comment 5

[Brian Hackett [Laid off!]]

NULL deref, doesn't affect branches, not s-s.

Comment 6

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/c6568365b0ec

Comment 7

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/c6568365b0ec

Comment 8

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug820873.js.