Closed Bug 865412 Opened 13 years ago Closed 13 years ago

Crash on Heap near [@ js::RegExpShared::execute] with invalid read

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical


RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, sec-critical, testcase, Whiteboard: [jsbugmon:bisectfix])


The following testcase crashes on mozilla-central revision fef5f202b2dc (run with --ion-eager):

function toPrinted(value) value.replace(/\\n/g, 'NL')
function reportCompare (expected, actual, description) {
  toPrinted(actual);
}
var UBound = 0;
var statusitems = [];
var actualvalues = [];
var expectedvalues = [];
capture(this.toString());
capture(({ } ) );
function capture(val) {
  actualvalues[UBound] = val;
  UBound++;
  for (var i=0; i<UBound; i++)
    reportCompare(expectedvalues[i], actualvalues[i], statusitems[i]);
}

Valgrind trace:

==5136== Invalid read of size 4
==5136==    at 0x41CBF72: ???
==5136==    by 0x7023F6: js::RegExpShared::execute(JSContext*, unsigned short const*, unsigned long, unsigned long*, js::MatchPairs&) (YarrJIT.h:135)
==5136==    by 0x5A7B2E: DoMatch(JSContext*, js::RegExpStatics*, JSString*, js::RegExpShared&, bool (*)(JSContext*, js::RegExpStatics*, unsigned long, void*), void*, MatchControlFlags, JS::MutableHandle<JS::Value>) (jsstr.cpp:1730)
==5136==    by 0x5B55C8: js::str_replace(JSContext*, unsigned int, JS::Value*) (jsstr.cpp:2528)
==5136==    by 0x41CC87F: ???
==5136==    by 0x81733F: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1964)
==5136==    by 0x51B17A: js::RunScript(JSContext*, js::StackFrame*) (jsinterp.cpp:324)
==5136==    by 0x51B69E: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jsinterp.cpp:421)
==5136==    by 0x51C265: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.h:134)
==5136==    by 0xA1F883: js::ion::DoCallFallback(JSContext*, js::ion::BaselineFrame*, js::ion::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) (BaselineIC.cpp:6589)
==5136==    by 0x41C5BB5: ???
==5136==    by 0x603DB2F: ???
==5136==  Address 0x69ffffe is not stack'd, malloc'd or (recently) free'd
==5136==
==5136==
==5136== Process terminating with default action of signal 11 (SIGSEGV)
==5136==  Access not within mapped region at address 0x6A00000

S-s and sec-critical due to dangerous invalid read.
Keywords: sec-critical
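For triaging reports like the one above, here is an added example (not code from this bug or from JSBugMon) that parses a Valgrind "Invalid read" block into the fields a reviewer looks at first: the access kind and size, the innermost frame with a symbol (the `???` frames are unsymbolised Ion JIT code), and the reported address versus the page the SIGSEGV actually hit. The sample input is constructed from the trace in this bug, trimmed to two frames.

```python
import re
# Constructed sample input: the Valgrind error block from this bug, trimmed to two frames.
SAMPLE = """\
==5136== Invalid read of size 4
==5136==    at 0x41CBF72: ???
==5136==    by 0x7023F6: js::RegExpShared::execute(JSContext*, unsigned short const*, unsigned long, unsigned long*, js::MatchPairs&) (YarrJIT.h:135)
==5136==  Address 0x69ffffe is not stack'd, malloc'd or (recently) free'd
==5136==
==5136== Process terminating with default action of signal 11 (SIGSEGV)
==5136==  Access not within mapped region at address 0x6A00000
"""
LINE_RE = re.compile(r"^==\d+==\s?(.*)$")
ERROR_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^(?:at|by) 0x([0-9A-Fa-f]+): (.+?)(?: \(([^()]+:\d+)\))?$")
ADDR_RE = re.compile(r"^Address 0x([0-9A-Fa-f]+) is (.+)$")
FAULT_RE = re.compile(r"^Access not within mapped region at address 0x([0-9A-Fa-f]+)$")
SIGNAL_RE = re.compile(r"signal \d+ \((\w+)\)")

def parse_valgrind(text):
    """Summarise the first 'Invalid read/write' error and the terminating signal."""
    r = {"kind": None, "size": None, "frames": [], "address": None,
         "address_info": None, "fault_address": None, "signal": None}
    in_error = False
    # Lines without the ==pid== prefix are the program's own output and are skipped.
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        body = m.group(1).strip()
        if r["kind"] is None and (e := ERROR_RE.match(body)):
            r["kind"], r["size"], in_error = e.group(1), int(e.group(2)), True
        elif in_error and (f := FRAME_RE.match(body)):
            r["frames"].append({"pc": int(f.group(1), 16), "symbol": f.group(2), "loc": f.group(3)})
        elif in_error and (a := ADDR_RE.match(body)):
            r["address"], r["address_info"], in_error = int(a.group(1), 16), a.group(2), False
        elif fa := FAULT_RE.match(body):
            r["fault_address"] = int(fa.group(1), 16)
        elif s := SIGNAL_RE.search(body):
            r["signal"] = s.group(1)
    return r

def first_named_frame(r):
    """Innermost frame with a symbol; '???' frames have none (here: Ion JIT code)."""
    for fr in r["frames"]:
        if fr["symbol"] != "???":
            return fr["symbol"].split("(")[0]
    return None

def access_straddles_unmapped_page(r):
    """True when the read starts in mapped memory but runs into the page that faulted."""
    if None in (r["address"], r["size"], r["fault_address"]):
        return False
    return r["address"] < r["fault_address"] < r["address"] + r["size"]
```

On this trace the 4-byte read at 0x69ffffe crosses into 0x6A00000, which is why the SIGSEGV address differs from the address Valgrind reports for the read.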
Whiteboard: [jsbugmon:update,bisect]
Same as bug 864644? (that might be a dupe of this one)
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #2)
> Same as bug 864644? (that might be a dupe of this one)

Yes, could well be :)
There was considerable instability in JS around that time (e.g. bug 864644) that has since been cleaned up. Does this still reproduce?
Flags: needinfo?(choller)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,reconfirm]
I would guess it does (letting JSBugMon try), and I also think I filed a duplicate of this, this morning, bug 867955.
Flags: needinfo?(choller)
Whiteboard: [jsbugmon:update,bisect,reconfirm] → [jsbugmon:update,bisect,reconfirm,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b842d26dd5f0).
Whiteboard: [jsbugmon:update,bisect,reconfirm,ignore] → [jsbugmon:bisectfix]
Leaving this one open to see what jsbugmon:bisectfix tells us.
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:update,bisectfix]
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,bisectfix,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 6c48ce88a31a).
Bisection is probably stuck somewhere. I'll take a look later when I get time.
Whiteboard: [jsbugmon:update,bisectfix,ignore] → [jsbugmon:bisectfix]
Twice your tool has said it can't reproduce -- close WORKSFORME? Is this an old bug or a recent regression?
Flags: needinfo?(choller)
Yep, closing WFM, haven't been hitting this in the fuzzer anymore since then.
Flags: needinfo?(choller)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release