Closed Bug 875748 Opened 7 years ago Closed 7 years ago

Crash [@ js::types::TypeObject::readBarrier] with ParallelArray

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla24
Tracking Status
firefox23 --- unaffected
firefox24 --- verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: shu)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files, 1 obsolete file)

The following testcase crashes on mozilla-central revision df526497d949 (run with --ion-eager):


testFilter(range(0, 1024), function(hits, ... toSource) {});
function range(n, m) {
  var result = [];
  for (var i = n; i < m; i++)
    result.push(i);
  return result;
}
try {} catch (e) {}
function assertParallelArrayModesEq(modes, acc, opFunction, expect) {
  cmpFunction = function(e1, e2) { e1 instanceof Array;  e2 instanceof ParallelArray; }
  modes.forEach(function (mode) {
    var result = opFunction({ mode: mode, expect: expect });
    cmpFunction(acc, result);
  });
    var measurements = [];
}
function compareAgainstArray(jsarray, opname, func, expect) {
  var expected = jsarray[opname].apply(jsarray, [func]);
  var parray = new ParallelArray(jsarray);
  assertParallelArrayModesEq(["seq", "par", "par"], expected, function(m) {
    var result = parray[opname].apply(parray, [func, m]);
  }, expect);
}
function testFilter(jsarray, func) {
  compareAgainstArray(jsarray, "filter", func);
  assertParallelArrayModesEq(["seq", "par", "par"], expected, function(m) {});
}
Crash trace:


Program received signal SIGSEGV, Segmentation fault.
js::types::TypeObject::readBarrier (type=<optimized out>) at ../jsinferinlines.h:1698
1698        if (zone->needsBarrier()) {
#0  js::types::TypeObject::readBarrier (type=<optimized out>) at ../jsinferinlines.h:1698
#1  0x00000000004e9968 in typeObject (this=<synthetic pointer>) at ../jsinferinlines.h:1348
#2  js::types::TypeString (type=...) at js/src/jsinfer.cpp:206
#3  0x00000000004eb76a in TypeObjectString (type=0x7ffff6567078) at js/src/jsinfer.cpp:214
#4  TypeObject (unknown=true, function=<optimized out>, proto=..., clasp=0x1805f40, this=<optimized out>) at ../jsinferinlines.h:1573
#5  js::types::TypeCompartment::newTypeObject (this=<optimized out>, cx=0x185d730, clasp=0x1805f40, proto=..., unknown=true) at js/src/jsinfer.cpp:2455
#6  0x00000000004fe2c5 in JSCompartment::getNewType (this=0x1880ba0, cx=0x185d730, clasp=0x1805f40, proto_=..., fun_=0x0) at js/src/jsinfer.cpp:6215
#7  0x000000000054b74d in js::NewObjectWithGivenProto (cx=0x185d730, clasp=0x1805f40, proto_=..., parent_=<optimized out>, allocKind=js::gc::FINALIZE_OBJECT2, newKind=js::SingletonObject) at js/src/jsobj.cpp:1300
rax     0xf655d700      -1125900068989184
rip     0x45be22 <js::types::TypeObject::readBarrier(js::types::TypeObject*)+50>
=> 0x45be22 <js::types::TypeObject::readBarrier(js::types::TypeObject*)+50>:    cmpb   $0x0,(%rax)


Crashes only in a debug build for me. S-s because the memory being read here points to a bad address.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132612:b2216a10f95b
user:        Shu-yu Guo
date:        Tue May 21 23:52:45 2013 -0700
summary:     Bug 867471 - Part 2: Compile rest parameter in Ion for sequential execution. (r=djvj)

This iteration took 9.919 seconds to run.
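The bisected changeset is described above as teaching Ion to compile rest parameters, and the fuzzer testcase passes a callback with a `...toSource` rest parameter into a ParallelArray operation. The block below is an added example, not code from this bug or from mozilla-central: a self-check of the rest-parameter semantics that any compiled version of a callee must preserve (a fresh, genuine Array per call; `[]` when no extra arguments are supplied; `arguments.length` counting every argument), run both once for the edge cases and in a hot loop so that a tiering JIT compiles the callee. The function names (`observe`, `restIsFreshPerCall`, `restEdgeCases`, `stressRest`, `filterWithRestCallback`) and the use of `Array.prototype.filter` in place of the long-removed ParallelArray are my own assumptions for illustration.

```javascript
// Added example (not from the bug or from mozilla-central): a semantic
// self-check for rest parameters, the construct the bisected changeset
// (Bug 867471 part 2) is described as compiling in Ion. Run it in a plain
// JS engine (node example.js); in the SpiderMonkey shell of that era the
// equivalent would be run with --ion-eager to force compilation.
"use strict";

// Callee under test: one fixed parameter plus a rest parameter. Returns a
// record of what it observed so the caller can check every invariant.
function observe(first, ...rest) {
  return {
    first: first,
    rest: rest,
    isArray: Array.isArray(rest),
    restLength: rest.length,
    argsLength: arguments.length,
  };
}

// Invariant: the rest array is a new object on every call, never a cached
// or aliased one, so mutating one call's array must not leak into another.
function restIsFreshPerCall() {
  const a = observe(1, 2, 3).rest;
  const b = observe(1, 2, 3).rest;
  a.push(99);
  return a !== b && b.length === 2;
}

// Edge cases: no extra arguments, no arguments at all, many arguments.
function restEdgeCases() {
  const none = observe(1);   // rest must be [] rather than undefined
  const bare = observe();    // first === undefined, rest === []
  const many = observe(0, ...Array.from({ length: 500 }, (_, i) => i));
  return none.isArray && none.restLength === 0 && none.argsLength === 1 &&
         bare.first === undefined && bare.isArray && bare.restLength === 0 &&
         many.restLength === 500 && many.argsLength === 501 &&
         many.rest[499] === 499;
}

// Hot loop: call enough times for a tiering JIT to compile the callee and
// check the invariants on every iteration, varying the rest length so the
// compiled code sees different argument counts. Returns the number of
// iterations that passed; a mismatch shows up as a short count.
function stressRest(iterations) {
  let ok = 0;
  for (let i = 0; i < iterations; i++) {
    const extra = i % 7;
    const args = [i];
    for (let j = 0; j < extra; j++) args.push(i + j);
    const r = observe(...args);
    if (r.first !== i || !r.isArray || r.restLength !== extra ||
        r.argsLength !== extra + 1 ||
        (extra > 0 && r.rest[extra - 1] !== i + extra - 1)) {
      break;
    }
    ok++;
  }
  return ok;
}

// Constructed usage mirroring the shape of the fuzzer's call: a callback
// with a rest parameter invoked repeatedly by a higher-order array method.
// Array.prototype.filter stands in for ParallelArray.prototype.filter and
// passes (value, index, array), so the rest array has length 2 each call.
function filterWithRestCallback() {
  const restLengths = [];
  const kept = [1, 2, 3, 4].filter(function (hit, ...more) {
    restLengths.push(more.length);
    return hit % 2 === 0;
  });
  return { kept: kept, restLengths: restLengths };
}

// Stand-alone run: print a summary of the checks.
console.log("fresh per call:", restIsFreshPerCall(),
            "edge cases:", restEdgeCases(),
            "stress passed:", stressRest(10000), "/ 10000",
            "filter:", JSON.stringify(filterWithRestCallback()));
```

The checks are deliberately cheap so that they can be dropped into a JIT test suite and run under each execution tier; a regression in how a compiled callee materialises its rest array typically shows up as a wrong `restLength`, a non-Array value, or an aliased array, long before it manifests as a crash in an unrelated allocator path.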
Attachment #753762 - Attachment is obsolete: true
Attached patch: fix
Another stupid mistake.
Assignee: general → shu
Attachment #753933 - Flags: review?
Duplicate of this bug: 875789
Attachment #753933 - Flags: review? → review?(kvijayan)
Attachment #753933 - Flags: review?(kvijayan) → review+
https://hg.mozilla.org/mozilla-central/rev/4aa62afd5aa9
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Assuming sec-high based on the invalid read.
Blocks: 867471
Group: core-security
Keywords: regression