Closed Bug 844483 Opened 11 years ago Closed 11 years ago

OdinMonkey: Crash [@ js::ArrayBufferObject::addView]

Categories: Core :: JavaScript Engine, defect
Version: Other Branch
Hardware: x86_64
OS: Linux
Priority: Not set
Severity: major
Status: RESOLVED FIXED
People: Reporter: decoder, Unassigned
Keywords: crash, testcase
Whiteboard: [jsbugmon:ignore]

The following testcase crashes on odinmonkey revision 1bfa5e6b2087 (run with --ion-eager):

this['Module'] = Module = {};
Module['arguments'] = [];
var TOTAL_MEMORY = Module['TOTAL_MEMORY'] || 16777216;
var buffer = new ArrayBuffer(TOTAL_MEMORY);
function _printf(format, varargs) {    }
var asm = (function(global, env, buffer) {
  'use asm';
  var HEAP32 = new global.Int32Array(buffer);
  var STACKTOP=env.STACKTOP|0;
  var tempInt = 0, tempDouble = 0.0;
  var _printf=env._printf;
  function _main() {
    _printf(5242880, (tempInt = STACKTOP, HEAP32[~  2     >> 2] = 1, tempInt) | 0) | 0;
  }
  return { _main: _main };
})({ Int32Array: Int32Array }, 
{ _printf: _printf }, buffer);
var _main = Module["_main"] = asm._main;
Module.callMain = function callMain(args) {
  var argc = args.length+1;
  ret = Module['_main'](argc, 0);
}
function run(args) {
  args = args || Module['arguments'];
  function doRun() {
    ret = Module.callMain(args);
  }
  return doRun();
}
var ret = run();
HEAPF64 = new Float64Array(buffer);

Crash trace:

Program received signal SIGSEGV, Segmentation fault.
js::ArrayBufferObject::addView (this=<optimized out>, view=(js::RawObject) 0x7ffff4e3eac0 [object Float64Array]) at /srv/repos/odinmonkey/js/src/jstypedarray.cpp:521
521             SetBufferLink(view, BufferLink(*views));
(gdb) bt
#0  js::ArrayBufferObject::addView (this=<optimized out>, view=(js::RawObject) 0x7ffff4e3eac0 [object Float64Array]) at /srv/repos/odinmonkey/js/src/jstypedarray.cpp:521
#1  0x000000000062458a in TypedArrayTemplate<double>::makeInstance (cx=<optimized out>, bufobj=..., byteOffset=0, len=2097152, proto=...) at /srv/repos/odinmonkey/js/src/jstypedarray.cpp:1780
#2  0x0000000000624969 in TypedArrayTemplate<double>::fromBuffer (cx=0xc4a210, bufobj=(JSObject * const) 0x7ffff4e291a0 [object ArrayBuffer], byteOffsetInt=-1, lengthInt=-1, proto=...)
    at /srv/repos/odinmonkey/js/src/jstypedarray.cpp:2195
#3  0x000000000063db71 in TypedArrayTemplate<double>::create (cx=0xc4a210, argc=1, argv=0x7ffff587c0b8) at /srv/repos/odinmonkey/js/src/jstypedarray.cpp:1863
#4  0x000000000063dda5 in TypedArrayTemplate<double>::class_constructor (cx=<optimized out>, argc=<optimized out>, vp=0x7ffff587c0a8) at /srv/repos/odinmonkey/js/src/jstypedarray.cpp:1802
#5  0x0000000000544e44 in CallJSNative (args=..., native=<optimized out>, cx=0xc4a210) at ../jscntxtinlines.h:327
#6  CallJSNativeConstructor (args=..., native=<optimized out>, cx=0xc4a210) at ../jscntxtinlines.h:360
#7  js::InvokeConstructorKernel (cx=0xc4a210, args=...) at /srv/repos/odinmonkey/js/src/jsinterp.cpp:438
#8  0x0000000000538b8e in js::Interpret (cx=0xc4a210, entryFrame=0x7ffff587c038, interpMode=js::JSINTERP_NORMAL) at /srv/repos/odinmonkey/js/src/jsinterp.cpp:2375
#9  0x0000000000543d4b in js::RunScript (cx=0xc4a210, fp=0x7ffff587c038) at /srv/repos/odinmonkey/js/src/jsinterp.cpp:325
#10 0x0000000000546563 in ExecuteKernel (result=0x0, evalInFrame=..., thisv=..., scopeChainArg=..., script=0x7ffff4e2d160, cx=0xc4a210, type=<optimized out>) at /srv/repos/odinmonkey/js/src/jsinterp.cpp:515
#11 js::Execute (cx=0xc4a210, script=0x7ffff4e2d160, scopeChainArg=..., rval=0x0) at /srv/repos/odinmonkey/js/src/jsinterp.cpp:555
#12 0x00000000004343c8 in JS_ExecuteScript (cx=0xc4a210, objArg=(JSObject *) 0x7ffff4e29060 [object global] delegate, scriptArg=0x7ffff4e2d160, rval=0x0) at /srv/repos/odinmonkey/js/src/jsapi.cpp:5542
#13 0x0000000000406f9e in Process (cx=0xc4a210, obj_=<optimized out>, filename=<optimized out>, forceTTY=<optimized out>) at /srv/repos/odinmonkey/js/src/shell/js.cpp:468
#14 0x0000000000412e58 in ProcessArgs (op=0x7fffffffdc40, obj_=(JSObject *) 0x7ffff4e29060 [object global] delegate, cx=0xc4a210) at /srv/repos/odinmonkey/js/src/shell/js.cpp:5022
#15 Shell (cx=0xc4a210, op=0x7fffffffdc40, envp=<optimized out>) at /srv/repos/odinmonkey/js/src/shell/js.cpp:5059
#16 0x0000000000413926 in main (argc=<optimized out>, argv=<optimized out>, envp=0x7fffffffde38) at /srv/repos/odinmonkey/js/src/shell/js.cpp:5289
(gdb) x /i $pc
=> 0x60d60b <js::ArrayBufferObject::addView(JSObject*)+139>:    mov    (%rax),%rdx
(gdb) info reg rax rdx
rax            0x100000000      4294967296
rdx            0xfffb7fffffffffff       -1266637395197953
On x64, the 32-bit immediate is sign-extended to do the 64-bit address arithmetic.  That means that the "load base+immediate" would load *before* base, which bypasses the [base, base+4GiB) protected region.  The fix is simple enough: avoid creating negative 32-bit immediates.  Nice find!

http://hg.mozilla.org/users/lwagner_mozilla.com/odinmonkey/rev/0e9a09e99a15
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
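
To make the root cause in the comment above concrete, here is an added model (example code, not from the bug or from SpiderMonkey) of the x64 effective-address arithmetic: x64_effective_address does the CPU's sign-extension of a 32-bit displacement, heap32_addr_unfixed folds the testcase's constant index into that displacement the way the bug describes, and heap32_addr_fixed models one policy that never emits a negative immediate (treating the offset as unsigned 32-bit is an assumption of this example, not the landed patch). js_sar reproduces the testcase's `~2 >> 2`, which evaluates to -1 and is what produces the negative immediate.

```c
#include <stdbool.h>
#include <stdint.h>

/* Size of the region asm.js keeps reserved after the heap base: 4 GiB. */
#define ASMJS_GUARD_BYTES (1ULL << 32)

/* JS-style arithmetic shift right (C leaves >> on negative values implementation-defined). */
int32_t js_sar(int32_t v, int s)
{
    return v < 0 ? (int32_t)~((uint32_t)~v >> s) : (int32_t)((uint32_t)v >> s);
}

/* What the CPU does for `mov disp32(%rbase), %reg` on x64: the 32-bit
 * displacement is sign-extended to 64 bits, then added to the base register. */
uint64_t x64_effective_address(uint64_t base, int32_t disp32)
{
    return base + (uint64_t)(int64_t)disp32;
}

/* True if addr lies in [base, base + 4 GiB), the window the guard region covers. */
bool inside_guard_window(uint64_t base, uint64_t addr)
{
    return addr >= base && addr - base < ASMJS_GUARD_BYTES;
}

/* Pre-fix behaviour described in the bug: the constant HEAP32 index is folded
 * straight into a disp32, even when that displacement is negative. */
uint64_t heap32_addr_unfixed(uint64_t base, int32_t index)
{
    int32_t byte_offset = (int32_t)((uint32_t)index * 4u);  /* int32 wrap, as in JS */
    return x64_effective_address(base, byte_offset);
}

/* Post-fix policy modelled here (an assumption of this example, not the actual
 * SpiderMonkey patch): never emit a negative displacement; treat the offset as
 * unsigned 32-bit instead, so the address cannot fall below base and any
 * out-of-range access lands in the guard region. */
uint64_t heap32_addr_fixed(uint64_t base, int32_t index)
{
    int32_t byte_offset = (int32_t)((uint32_t)index * 4u);
    if (byte_offset < 0)
        return base + (uint32_t)byte_offset;
    return x64_effective_address(base, byte_offset);
}
```

With base set to the 4 GiB value seen in rax on the crashing instruction, heap32_addr_unfixed(base, js_sar(~2, 2)) lands 4 bytes below base and outside the window, while heap32_addr_fixed keeps the same access inside it.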