IonMonkey: Assertion failure: size_t(dst - src) >= nelem, at ../jsutil.h:229 or Crash [@ PodCopy] or Crash [@ __memcpy_ssse3]

RESOLVED DUPLICATE of bug 847412

Product: Core
Component: JavaScript Engine
Severity: critical

(Reporter: decoder, Unassigned)

(Blocks: 2 bugs, 4 keywords)

Version: Trunk
Platform: x86 Linux
Keywords: assertion, crash, sec-critical, testcase

(Whiteboard: [jsbugmon:update])

Description (Reporter, 5 years ago)
The following testcase asserts on mozilla-central revision eccf45749400 (run with --ion-eager):


version(0);
function x1() { return  "methodjit,typeinfer"; }
function optionsClear() {
  var names = x1().split(',');
}
optionsClear();
evaluate("\
function x1 () {\
  return eval(\"let x; (function() { return delete x; })\");\
}  \
");
try { evaluate("optionsClear();"); } catch(exc) {}
evaluate("version(170);");
try { evaluate("optionsClear();"); } catch(exc) {}
Comment 1 (Reporter, 5 years ago)
Crash trace from a debug build:

Program received signal SIGSEGV, Segmentation fault.
__memcpy_ssse3 () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:1681
1681    ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S: No such file or directory.
(gdb) bt
#0  __memcpy_ssse3 () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3.S:1681
#1  0x0830e648 in PodCopy<unsigned short> (nelem=<optimized out>, src=<optimized out>, dst=0xd482b008) at /usr/include/bits/string3.h:52
#2  JSRope::flattenInternal<(JSRope::UsingBarrier)1> (this=0xf752d7c0, maybecx=0x88b9be8) at /srv/repos/mozilla-central/js/src/vm/String.cpp:248
#3  0x08243cba in ensureLinear (cx=0x88b9be8, this=0xf752d7c0) at /srv/repos/mozilla-central/js/src/vm/String.h:898
#4  js::str_split (cx=0x88b9be8, argc=1, vp=0xffffbbd4) at /srv/repos/mozilla-central/js/src/jsstr.cpp:3013
#5  0xf770b424 in ?? ()
#6  0x084ed8bb in EnterIon (cx=0x887e1e0, fp=0x88b9be8, jitcode=0xf770b2d8) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1746
#7  0x081822a9 in js::Interpret (cx=0x88b9be8, entryFrame=0xf7716088, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:2395
#8  0x08188167 in js::RunScript (cx=0x88b9be8, fp=0xf7716088) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:340
#9  0x0818a60a in ExecuteKernel (result=0xf7716060, evalInFrame=..., thisv=..., scopeChainArg=..., script=..., cx=0x88b9be8, type=<optimized out>) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:530
#10 js::Execute (cx=0x88b9be8, script=..., scopeChainArg=..., rval=0xf7716060) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:570
#11 0x0807ea7a in JS_ExecuteScript (cx=0x88b9be8, objArg=0xf7521040, scriptArg=0xf75254d8, rval=0xf7716060) at /srv/repos/mozilla-central/js/src/jsapi.cpp:5489
#12 0x08057c88 in Evaluate (cx=0x88b9be8, argc=1, vp=0xf7716060) at /srv/repos/mozilla-central/js/src/shell/js.cpp:953
#13 0x08188605 in CallJSNative (args=..., native=<optimized out>, cx=0x88b9be8) at ../jscntxtinlines.h:327
#14 js::InvokeKernel (cx=0x88b9be8, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:383
#15 0x08179554 in js::Interpret (cx=0x88b9be8, entryFrame=0xf7716028, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:2361
#16 0x08188167 in js::RunScript (cx=0x88b9be8, fp=0xf7716028) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:340
#17 0x0818a60a in ExecuteKernel (result=0x0, evalInFrame=..., thisv=..., scopeChainArg=..., script=..., cx=0x88b9be8, type=<optimized out>) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:530
#18 js::Execute (cx=0x88b9be8, script=..., scopeChainArg=..., rval=0x0) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:570
#19 0x0807ea7a in JS_ExecuteScript (cx=0x88b9be8, objArg=0xf7521040, scriptArg=0xf7525098, rval=0x0) at /srv/repos/mozilla-central/js/src/jsapi.cpp:5489
#20 0x08052f27 in Process (cx=0x88b9be8, obj_=<optimized out>, filename=0xffffd087 "min.js", forceTTY=false) at /srv/repos/mozilla-central/js/src/shell/js.cpp:467
#21 0x0805e0d0 in ProcessArgs (op=0xffffcda0, obj_=0xf7521040, cx=0x88b9be8) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5024
#22 Shell (cx=0x88b9be8, op=0xffffcda0, envp=0xffffced4) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5061
#23 0x0804b805 in main (argc=3, argv=0xffffcec4, envp=0xffffced4) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5284
(gdb) x /i $pc
=> 0xf7df9677 <__memcpy_ssse3+4487>:    movdqu 0x60(%eax),%xmm6
(gdb) info reg eax xmm6
eax            0xf76fff98       -143655016
xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 
    0x0}, uint128 = 0x00000000000000000000000000000000}


In Valgrind, I get the mentioned assertion instead. Sounds like a memory corruption to me, marking sec-critical.
Blocks: 724444
Keywords: crash, sec-critical
Whiteboard: [jsbugmon:update,bisect]
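As an added illustration (not code from this bug or from SpiderMonkey): the assertion named in the title is the no-overlap precondition that the PodCopy helper in the trace places on its memcpy, so tripping it means the flatten was handed a source and destination that already overlapped, which fits the memory-corruption reading above. The hypothetical pod_copy_checked below evaluates that condition and its mirror for the dst < src direction and returns false instead of aborting; the buffer contents are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical checked copy, modelled on the no-overlap precondition in
 * the title. It returns false instead of asserting so the cases that would
 * trip "size_t(dst - src) >= nelem" can be observed without aborting. */
static bool pod_copy_checked(uint16_t *dst, const uint16_t *src, size_t nelem)
{
    const uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    /* Forward case (dst >= src): the unsigned distance in elements must
     * cover the whole range, otherwise memcpy reads cells it has already
     * overwritten. This is the condition quoted in the title. */
    if (d >= s && (d - s) / sizeof *dst < nelem)
        return false;
    /* Mirror case (src >= dst). A lone "dst - src" test cannot catch it:
     * the unsigned subtraction wraps to a huge value and the comparison
     * passes, so this helper checks both directions explicitly. */
    if (s >= d && (s - d) / sizeof *dst < nelem)
        return false;
    memcpy(dst, src, nelem * sizeof *dst);
    return true;
}

/* Driver over a constructed buffer: one disjoint copy, one copy whose
 * destination starts inside the source span, one the other way round.
 * Returns a bitmask; 15 means every expectation held. */
static int overlap_demo(void)
{
    uint16_t buf[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    int ok = 0;
    if (pod_copy_checked(buf + 4, buf, 4)) ok |= 1;   /* disjoint halves */
    if (!pod_copy_checked(buf + 2, buf, 4)) ok |= 2;  /* dst inside src span */
    if (!pod_copy_checked(buf, buf + 2, 4)) ok |= 4;  /* src inside dst span */
    if (buf[4] == 1 && buf[7] == 4) ok |= 8;          /* only the safe copy ran */
    return ok;
}
```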
Updated (Reporter, 5 years ago)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2 (Reporter, 5 years ago)
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset:   122543:5b0002d4b427
user:        Brian Hackett
date:        Thu Feb 21 06:46:46 2013 -0700
summary:     Bug 842424 - Add missing newKind, r=terrence.

changeset:   122544:985efc588a5e
user:        Mark Finkle
date:        Thu Feb 21 08:52:37 2013 -0500
summary:     Bug 843361 - Dump list of open files if we fail to unlock the DB r=blassey

changeset:   122545:cd16203968a5
user:        Brian Hackett
date:        Thu Feb 21 06:54:16 2013 -0700
summary:     Bug 842425 - Watch for arrays that need elements converted to doubles when pushing elements, r=jandem.

changeset:   122546:0ded3af9b2d7
user:        Brian Hackett
date:        Thu Feb 21 06:56:54 2013 -0700
summary:     Bug 743394 - Ion compile JSOP_EVAL, r=jandem.

changeset:   122547:48c067a87ba2
user:        Brian Hackett
date:        Thu Feb 21 07:02:41 2013 -0700
summary:     Bug 842424 - Remove assertion.

This iteration took 27.517 seconds to run.
Comment 3 (Reporter, 5 years ago)
Brian, can you take a look based on comment 2? Not sure if the bisect result is usable though. Also ccing others.
Flags: needinfo?(bhackett1024)
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Duplicate of bug: 847412
Group: core-security