Closed Bug 925312 Opened 11 years ago Closed 11 years ago

Threadsafe opt-only Crash [@ ArrayJoinKernel]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla27
Tracking Flags:
Tracking Status
firefox24 --- unaffected
firefox25 --- unaffected
firefox26 --- unaffected
firefox27 --- fixed
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected

People

(Reporter: decoder, Assigned: jandem)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:][qa-])

Crash Data

Attachments

(2 files, 1 obsolete file)

[crash-signature] Machine-readable crash signature
512 bytes, text/plain
Details
Patch v2
987 bytes, patch
terrence
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision aa986b6ce882 (threadsafe build, run with --ion-eager):


Array(1024).join(Array(476655))
Crash trace:

Program received signal SIGSEGV, Segmentation fault.
ArrayJoinKernel<false, StringSeparatorOp> (sb=..., length=1024, obj=(JSObject * const) 0xf6f314a0 [object Array], sepOp=..., cx=0x9079390) at js/src/jsarray.cpp:1049
1049                if (++i != length && !sepOp(cx, sb))
#0  ArrayJoinKernel<false, StringSeparatorOp> (sb=..., length=1024, obj=(JSObject * const) 0xf6f314a0 [object Array], sepOp=..., cx=0x9079390) at js/src/jsarray.cpp:1049
#1  ArrayJoin<false> (args=<synthetic pointer>, cx=0x9079390) at js/src/jsarray.cpp:1124
#2  array_join (vp=0xffffc8a4, argc=1, cx=0x9079390) at js/src/jsarray.cpp:1190
#3  array_join (cx=0x9079390, argc=1, vp=0xffffc8a4) at js/src/jsarray.cpp:1185
#4  0xf729c151 in ?? ()
#5  0x083210b6 in EnterIon (data=..., cx=0x9079390) at js/src/jit/Ion.cpp:2057
#6  js::jit::Cannon (cx=0x9079390, state=...) at js/src/jit/Ion.cpp:2137
#7  0x08090f2c in js::RunScript (cx=0x9079390, state=...) at js/src/vm/Interpreter.cpp:399
eax     0x0     0
ebx     0x903dff4       151248884
ecx     0x3a2f7 238327
edx     0xa2ffe008      -1560289272
esi     0x9079390       151491472
edi     0xe2fff008      -486543352
ebp     0x1     1
esp     0xffffc760      4294952800
eip     0x818faf8 <array_join(JSContext*, unsigned int, JS::Value*)+920>
=> 0x818faf8 <array_join(JSContext*, unsigned int, JS::Value*)+920>:    mov    (%edi,%eax,4),%ebp
   0x818fafb <array_join(JSContext*, unsigned int, JS::Value*)+923>:    mov    %ebp,(%edx,%eax,4)


This just crashes in a threadsafe optimized 32 bit build. I tried using a debug (or debug+opt) build and it did not reproduce, neither did it reproduce in a non-threadsafe optimized 32 bit build. In all of these cases I got an "InternalError: allocation size overflow" instead of a crash.
Whiteboard: [jsbugmon:update,bisect]
Attached patch Patch (obsolete) — Splinter Review 
I can't reproduce this locally but I'm pretty sure this should fix it. We were using a RootedString for the separator instead of a Rooted<JSStableString*> so the conservative scanner could destroy it, thereby invalidating our jschar * pointer.

This patch uses a JSStableString and restructures the code a bit so that StringSeparatorOp can use a StableCharPtr instead of jschar *.

decoder: would be great if you could verify this fixes the crash :)
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #815364 - Flags: review?(terrence)
Blocks: 918808
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
(In reply to Jan de Mooij [:jandem] from comment #3)
> Created attachment 815364 [details] [diff] [review]
> Patch
> 
> I can't reproduce this locally but I'm pretty sure this should fix it. We
> were using a RootedString for the separator instead of a
> Rooted<JSStableString*> so the conservative scanner could destroy it,
> thereby invalidating our jschar * pointer.

I agree, that's probably what's going on.

> This patch uses a JSStableString and restructures the code a bit so that
> StringSeparatorOp can use a StableCharPtr instead of jschar *.

That's going to force an extra malloc for most string joins. Since this problem is going to go away as soon as we turn on exact rooting, would you be okay with just throwing an Anchor at it?
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
(In reply to Jan de Mooij [:jandem] from comment #3)
> 
> decoder: would be great if you could verify this fixes the crash :)

Yep, this fixes the issue :)
Attached patch Patch v2Splinter Review 
Use an Anchor.
Attachment #815364 - Attachment is obsolete: true
Attachment #815364 - Flags: review?(terrence)
Attachment #815784 - Flags: review?(terrence)
Comment on attachment 815784 [details] [diff] [review]
Patch v2

Review of attachment 815784 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks! r=me
Attachment #815784 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/40fbd6880056

Test?
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-firefox27: --- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
I don't think this can be tested reliably at all.
Flags: in-testsuite? → in-testsuite-
Whiteboard: [jsbugmon:] → [jsbugmon:][qa-]
:jandem

Do you know if this affects b2g18? The code was refactored in bug 918808 from array_join_sub to ArrayJoin

http://mxr.mozilla.org/mozilla-b2g18/source/js/src/jsarray.cpp#1476
status-b2g18: --- → ?
Adding needinfo.
Flags: needinfo?(jdemooij)
(In reply to David Chan [:dchan] from comment #12)
> :jandem
> 
> Do you know if this affects b2g18? The code was refactored in bug 918808
> from array_join_sub to ArrayJoin

No this was a regression from bug 918808 and only affected m-c (Firefox 27).
Flags: needinfo?(jdemooij)
Group: core-security
status-firefox-esr24: --- → unaffected
Keywords: regression
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: