Assertion failure: idx < arrobj->getDenseInitializedLength(), at vm/SelfHosting.cpp:373 or Crash [@ js::intrinsic_UnsafeSetElement] with ParallelArray

VERIFIED FIXED in Firefox 22

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 5 years ago

People

Reporter: decoder
Assignee: nmatsakis

Tracking

Blocks: 1 bug
Version: Trunk
Target Milestone: mozilla22
Platform: x86_64 Linux
Keywords: assertion, crash, csectype-bounds, sec-critical, testcase
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

firefox19 unaffected, firefox20 unaffected, firefox21 unaffected, firefox22 fixed, firefox-esr17 unaffected, b2g18 unaffected, b2g18-v1.0.0 unaffected, b2g18-v1.0.1 unaffected

Details

Whiteboard: [jsbugmon:update][adv-main22-]
Crash Signature: [@ js::intrinsic_UnsafeSetElement]

Attachments: 1 attachment

Description (Reporter, 5 years ago)
The following testcase asserts on mozilla-central revision 1d6fe70c79c5 (no options required):

var len = 2;
function add1(x) { return x+1; }
var p = new ParallelArray(len, add1);           // p holds [1, 2]
// build() is not defined on this page. Whatever it returns, idx ends with
// [len-3, len-3] == [-1, -1], so the scatter vector contains negative indices.
var idx = [0,0].concat(build(len-4, add1)).concat([len-3,len-3]);
var revidx = idx.reverse();                     // the -1 entries now come first
// Target length is len-2 == 0; the negative indices are what trigger the
// assertion / invalid read in js::intrinsic_UnsafeSetElement.
var r = p.scatter(revidx, 0, function (x,y) { return x+y; }, len-2, {});

Comment 1 (Reporter, 5 years ago)
Crash trace:

==13859== Invalid read of size 8
==13859==    at 0x5EA9A8: js::intrinsic_UnsafeSetElement(JSContext*, unsigned int, JS::Value*) (jsobjinlines.h:449)
==13859==    by 0x4B8260: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:338)
==13859==    by 0x4AC763: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2396)
==13859==    by 0x4B80FA: js::RunScript(JSContext*, js::StackFrame*) (jsinterp.cpp:341)
==13859==    by 0x4B84AC: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:398)
==13859==    by 0x4AC763: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2396)
==13859==    by 0x4B80FA: js::RunScript(JSContext*, js::StackFrame*) (jsinterp.cpp:341)
==13859==    by 0x4B84AC: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:398)
==13859==    by 0x4AC763: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2396)
==13859==    by 0x4B80FA: js::RunScript(JSContext*, js::StackFrame*) (jsinterp.cpp:341)
==13859==    by 0x4BDE52: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:531)
==13859==    by 0x424700: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5525)
==13859==  Address 0x80704e068 is not stack'd, malloc'd or (recently) free'd


S-s due to invalid read on bad address.
Crash Signature: [@ js::intrinsic_UnsafeSetElement]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Keywords: csec-bounds, sec-critical

Updated (Assignee, 5 years ago)
Assignee: general → nmatsakis

Comment 2 (Assignee, 5 years ago)
Created attachment 730461 [details] [diff] [review]
Remember that indices can be *negative*
Attachment #730461 - Flags: review?(shu)
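The check the patch title points at, as an added example rather than code from this bug or from SpiderMonkey: a model of a scatter kernel whose JS-side range check guards a native element store that does no checking of its own. The names UnsafeSetElement (a stand-in for the js::intrinsic_UnsafeSetElement in the trace), scatterBuggy, scatterFixed and runScatter are this example's own, and the int32-to-uint32 wrap it models with >>> 0 is an assumption about how a negative index reaches the native side; the model's own check mirrors the idx < length assertion in the bug title.

```javascript
// Added example, not code from the bug or from SpiderMonkey. Models a scatter
// kernel whose JS-side range check guards a native element store that does no
// checking of its own. All names here are this example's, not the engine's.

// Stand-in for the native intrinsic in the crash trace. Assumption: the native
// side takes the index as an unsigned 32-bit value, so a negative index wraps
// (modelled with >>> 0) and would address memory outside the buffer. Instead
// of corrupting anything, the model throws to make the escape visible.
function UnsafeSetElement(arr, idx, value) {
  const u32 = idx >>> 0;  // int32 -> uint32 reinterpretation, e.g. -1 -> 4294967295
  if (u32 >= arr.length) {
    throw new RangeError("simulated out-of-bounds write at index " + u32);
  }
  arr[u32] = value;
}

// Pre-fix shape: only the upper bound is checked, so -1 passes the check and
// reaches the unsafe store.
function scatterBuggy(source, targets, defaultValue, conflictFn, length) {
  const out = new Array(length).fill(defaultValue);
  const written = new Array(length).fill(false);
  for (let i = 0; i < source.length; i++) {
    const t = targets[i] | 0;
    if (t >= length) throw new Error("index in scatter vector out of bounds");
    const v = written[t] ? conflictFn(out[t], source[i]) : source[i];
    UnsafeSetElement(out, t, v);
    written[t] = true;
  }
  return out;
}

// Fixed shape: the index must satisfy 0 <= t < length before it is trusted.
function scatterFixed(source, targets, defaultValue, conflictFn, length) {
  const out = new Array(length).fill(defaultValue);
  const written = new Array(length).fill(false);
  for (let i = 0; i < source.length; i++) {
    const t = targets[i] | 0;
    if (t < 0 || t >= length) throw new Error("index in scatter vector out of bounds");
    const v = written[t] ? conflictFn(out[t], source[i]) : source[i];
    UnsafeSetElement(out, t, v);
    written[t] = true;
  }
  return out;
}

// Runs an implementation on constructed input shaped like the reporter's
// testcase: a two-element source [1, 2], a caller-supplied scatter vector and
// target length. Returns the JSON of the result or the message of what was thrown.
function runScatter(impl, targets, length) {
  try {
    return JSON.stringify(impl([1, 2], targets, 0, (a, b) => a + b, length));
  } catch (e) {
    return e.message;
  }
}

console.log(runScatter(scatterBuggy, [-1, -1], 0));  // simulated out-of-bounds write at index 4294967295
console.log(runScatter(scatterFixed, [-1, -1], 0));  // index in scatter vector out of bounds
console.log(runScatter(scatterFixed, [0, 0], 2));    // [3,0]: the conflict is resolved by the combiner
```

The point of the model is the shape of the check, not the arithmetic: a one-sided comparison against the length is a complete bounds check only if the index is already known to be non-negative, and an index that arrives as an int32 from script is not. Once the index is reinterpreted as unsigned on the native side, -1 becomes the largest possible index, which is exactly what the assertion in the title reports and what becomes an invalid read in a release build.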

Updated (5 years ago)
Attachment #730461 - Flags: review?(shu) → review+

Comment 4 (Assignee, 5 years ago)
(No branches are affected)
Backed out for SM rootanalysis orange.
https://hg.mozilla.org/integration/mozilla-inbound/rev/bc6dfc2e65f0

https://tbpl.mozilla.org/php/getParsedLog.php?id=21184667&tree=Mozilla-Inbound

FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-jm: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --ion-eager: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion --no-jm --no-ti: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion --no-ti: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion --no-ti --always-mjit --debugjit: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion --no-jm: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion --always-mjit: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
TEST-PASS | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853573.js | --no-ion --no-jm
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion --always-mjit --debugjit: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds
FAIL - /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js
TEST-UNEXPECTED-FAIL | /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js | --no-ion --debugjit: /builds/slave/m-in_l64-d_sm-rootanalysis-000/src/js/src/jit-test/tests/parallelarray/bug853576.js:6:0 Error: index in scatter vector out of bounds

Updated (Reporter, 5 years ago)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 6 (Reporter, 5 years ago)
JSBugMon: Bisection requested, failed due to error (try manually).
status-b2g18: --- → unaffected
status-b2g18-v1.0.0: --- → unaffected
status-b2g18-v1.0.1: --- → unaffected
status-firefox19: --- → unaffected
status-firefox20: --- → unaffected
status-firefox21: --- → unaffected
status-firefox22: --- → affected
status-firefox-esr17: --- → unaffected
https://hg.mozilla.org/mozilla-central/rev/8f1f83f4f183
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox22: affected → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22

Updated (Reporter, 5 years ago)
Status: RESOLVED → VERIFIED

Comment 9 (Reporter, 5 years ago)
JSBugMon: This bug has been automatically verified fixed.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main22-]
Group: core-security