Closed Bug 875748 Opened 12 years ago Closed 12 years ago

Crash [@ js::types::TypeObject::readBarrier] with ParallelArray

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla24
Tracking Status
firefox23 --- unaffected
firefox24 --- verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: shu)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files, 1 obsolete file)

The following testcase crashes on mozilla-central revision df526497d949 (run with --ion-eager):

testFilter(range(0, 1024), function(hits, ... toSource) {});
function range(n, m) {
  var result = [];
  for (var i = n; i < m; i++)
    result.push(i);
  return result;
}
try {} catch (e) {}
function assertParallelArrayModesEq(modes, acc, opFunction, expect) {
  cmpFunction = function(e1, e2) {
    e1 instanceof Array;
    e2 instanceof ParallelArray;
  }
  modes.forEach(function (mode) {
    var result = opFunction({ mode: mode, expect: expect });
    cmpFunction(acc, result);
  });
  var measurements = [];
}
function compareAgainstArray(jsarray, opname, func, expect) {
  var expected = jsarray[opname].apply(jsarray, [func]);
  var parray = new ParallelArray(jsarray);
  assertParallelArrayModesEq(["seq", "par", "par"], expected, function(m) {
    var result = parray[opname].apply(parray, [func, m]);
  }, expect);
}
function testFilter(jsarray, func) {
  compareAgainstArray(jsarray, "filter", func);
  assertParallelArrayModesEq(["seq", "par", "par"], expected, function(m) {});
}
Crash trace:

Program received signal SIGSEGV, Segmentation fault.
js::types::TypeObject::readBarrier (type=<optimized out>) at ../jsinferinlines.h:1698
1698        if (zone->needsBarrier()) {
#0  js::types::TypeObject::readBarrier (type=<optimized out>) at ../jsinferinlines.h:1698
#1  0x00000000004e9968 in typeObject (this=<synthetic pointer>) at ../jsinferinlines.h:1348
#2  js::types::TypeString (type=...) at js/src/jsinfer.cpp:206
#3  0x00000000004eb76a in TypeObjectString (type=0x7ffff6567078) at js/src/jsinfer.cpp:214
#4  TypeObject (unknown=true, function=<optimized out>, proto=..., clasp=0x1805f40, this=<optimized out>) at ../jsinferinlines.h:1573
#5  js::types::TypeCompartment::newTypeObject (this=<optimized out>, cx=0x185d730, clasp=0x1805f40, proto=..., unknown=true) at js/src/jsinfer.cpp:2455
#6  0x00000000004fe2c5 in JSCompartment::getNewType (this=0x1880ba0, cx=0x185d730, clasp=0x1805f40, proto_=..., fun_=0x0) at js/src/jsinfer.cpp:6215
#7  0x000000000054b74d in js::NewObjectWithGivenProto (cx=0x185d730, clasp=0x1805f40, proto_=..., parent_=<optimized out>, allocKind=js::gc::FINALIZE_OBJECT2, newKind=js::SingletonObject) at js/src/jsobj.cpp:1300

rax            0xf655d700       -1125900068989184
rip            0x45be22 <js::types::TypeObject::readBarrier(js::types::TypeObject*)+50>
=> 0x45be22 <js::types::TypeObject::readBarrier(js::types::TypeObject*)+50>:    cmpb   $0x0,(%rax)

Crashes only in a debug build for me. S-s because the memory being read here points to a bad address.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132612:b2216a10f95b
user:        Shu-yu Guo
date:        Tue May 21 23:52:45 2013 -0700
summary:     Bug 867471 - Part 2: Compile rest parameter in Ion for sequential execution. (r=djvj)

This iteration took 9.919 seconds to run.
Attachment #753762 - Attachment is obsolete: true
Attached patch: fix
Another stupid mistake.
Assignee: general → shu
Attachment #753933 - Flags: review?
Attachment #753933 - Flags: review? → review?(kvijayan)
Attachment #753933 - Flags: review?(kvijayan) → review+
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Assuming sec-high based on the invalid read.
Blocks: 867471
Group: core-security
Keywords: regression