Closed Bug 820873 Opened 7 years ago Closed 7 years ago

IonMonkey: Crash [@ JSString::isAtom] or Opt-Crash [@ js_ConcatStrings]

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla20

People

(Reporter: decoder, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 553a3bcf1fe7 (run with --ion-eager):

var lfcode = new Array();
lfcode.push("3");
lfcode.push("with(evalcx('')) this.__defineGetter__('x', Function);");
lfcode.push("gczeal(2)");
lfcode.push("4");
lfcode.push("\
    var log = '';\
    for (var { m  } = i = 0 ;  ; i++) {\
        log += x; \
        if (x === 6)\
            a.slow = true; if (i > 1000) break;\
    }\
");
// Each queue entry is either a run-mode selector (a number) or a snippet
// that is executed in the mode selected last.
while (true) {
    var file = lfcode.shift(); if (file == undefined) { break; }
    loadFile(file);
}
function loadFile(lfVarx) {
    if (!isNaN(lfVarx)) {
        lfRunTypeId = parseInt(lfVarx);
    } else {
        switch (lfRunTypeId) {
            case 3: function newFunc(x) { new Function(x)(); }; newFunc(lfVarx); break;
            case 4: eval("(function() { " + lfVarx + " })();"); break;
        }
    }
}

Looks like a null-deref:

==15189== Invalid read of size 8
==15189==    at 0x40653A: JSString::isAtom() const (String.h:375)
==15189==    by 0x6F7575: js_ConcatStrings(JSContext*, JS::Handle<JSString*>, JS::Handle<JSString*>) (String.cpp:302)
==15189==    by 0x52F4EF: js::AddOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Value const&, JS::Value const&, JS::Value*) (jsinterpinlines.h:570)
==15189==    by 0x5424FA: js::AddValues(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Value*) (jsinterp.cpp:3965)
==15189==    by 0x4029CC4: ???
==15189==    by 0x896E8C: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1526)
==15189==    by 0x8972B0: js::ion::SideCannon(JSContext*, js::StackFrame*, unsigned char*) (Ion.cpp:1598)
==15189==    by 0x5366EA: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1421)
==15189==    by 0x5326FB: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:346)
==15189==    by 0x533686: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:535)
==15189==    by 0x7782D1: EvalKernel(JSContext*, JS::CallArgs const&, EvalType, js::StackFrame*, JS::Handle<JSObject*>) (Eval.cpp:286)
==15189==    by 0x7786BB: js::DirectEval(JSContext*, JS::CallArgs const&) (Eval.cpp:337)
==15189==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
Marking s-s anyway because it contains gczeal(2).
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Crash Signature: [@ JSString::isAtom] or Opt-Crash [@ js_ConcatStrings] → [@ JSString::isAtom] [@ js_ConcatStrings]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   114661:0952f7c80055
user:        Brian Hackett
date:        Fri Nov 30 15:59:52 2012 -0700
summary:     Add analysis to eliminate dead resume point operands, bug 814997. r=dvander

This iteration took 66.547 seconds to run.
Ccing Brian based on comment 2. Brian, can you take a look and also suggest a security rating? Thanks!
Flags: needinfo?(bhackett1024)
Attached patch: patch + test
Argh, thought I'd handled this case in bug 814997 but apparently not.  If a definition is used in a phi in that same block, then it is live throughout the containing loop and can't be eliminated from resume point operands.
Assignee: general → bhackett1024
Attachment #691828 - Flags: review?(dvander)
Flags: needinfo?(bhackett1024)
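A toy model of the liveness rule in the comment above, added here as an illustration; it is not SpiderMonkey code or the attached patch, and the block, value names and resume-point position are constructed. It shows that a value read only by a phi of the same loop block (log2, the concatenated string) is dropped from the resume point by a linear "last use in this block" rule, but kept once phi uses count as live through the whole loop.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Instr:
    """One SSA instruction: the value it defines ('' if none) and the values it reads."""
    name: str
    uses: tuple
    is_phi: bool = False


# Constructed single-block loop standing in for `for (...) { log += x; if (x === 6) ...; i++ }`.
# The phis at the top read the backedge values (log2, i2) that are defined later in the same block.
LOOP = [
    Instr("log1", ("log0", "log2"), is_phi=True),  # log1 = phi(log0 from preheader, log2 from backedge)
    Instr("i1", ("i0", "i2"), is_phi=True),        # i1   = phi(i0, i2)
    Instr("x", ()),                                # x    = call getter
    Instr("log2", ("log1", "x")),                  # log2 = concat(log1, x)
    Instr("", ("x",)),                             # compare x === 6   <- resume point modelled here
    Instr("i2", ("i1",)),                          # i2   = add(i1, 1)
    Instr("", ("i2",)),                            # test i2 and branch back to the top
]
RESUME_AT = 4


def resume_operands(block, at, fix_phi_uses):
    """Values defined before position `at` that a resume point there must keep alive.

    Naive rule: keep a value only if some instruction at or after `at` reads it.
    Fixed rule (the comment above): a value read by a phi of the same block comes
    back around the backedge, so it is live until the end of the block as well.
    """
    defined = {ins.name for ins in block[:at] if ins.name}
    needed = set()
    for pos, ins in enumerate(block):
        if pos >= at and not ins.is_phi:
            needed.update(ins.uses)
        elif ins.is_phi and fix_phi_uses:
            needed.update(ins.uses)
    return defined & needed


def wrongly_dropped(block, at):
    """Operands the naive rule removes from the resume point although they are still live."""
    return resume_operands(block, at, True) - resume_operands(block, at, False)


if __name__ == "__main__":
    print("naive:", sorted(resume_operands(LOOP, RESUME_AT, False)))  # ['i1', 'x']
    print("fixed:", sorted(resume_operands(LOOP, RESUME_AT, True)))   # ['i1', 'log2', 'x']
    print("lost :", sorted(wrongly_dropped(LOOP, RESUME_AT)))         # ['log2']
```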
NULL deref, doesn't affect branches, not s-s.
Group: core-security
Attachment #691828 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/c6568365b0ec
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug820873.js.
Flags: in-testsuite+