Closed
Bug 969309
Opened 11 years ago
Closed 10 years ago
Assertion failure: masm.currentOffset() - lastOsiPointOffset_ >= Assembler::patchWrite_NearCallSize(), at jit/shared/CodeGenerator-shared.cpp:423
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla42
People
(Reporter: decoder, Assigned: sstangl)
References
Details
(4 keywords, Whiteboard: [jsbugmon:][post-critsmash-triage][adv-main42+])
Attachments
(2 files)
|
903 bytes,
application/javascript
|
Details | |
|
994 bytes,
patch
|
h4writer
:
review+
|
Details | Diff | Splinter Review |
The attached testcase asserts on mozilla-central revision f550b112a19b (x86 ARM simulator build, run with --fuzzing-safe --ion-eager).
|
||
Comment 2•11 years ago
|
||
fwiw this does not reproduce on my local development build which has some pending fixes.
This assertion is not compiled when the assembler buffer patch, bug 760642, is applied so might be addressed there. I am look over this code so will keep it in mind.
|
||
Comment 3•11 years ago
|
||
This assertion is here to prevent random code execution to prevent patching the call instructions with the invalidation code.
patchWrite_NearCallSize() returns the size needed for making 2 consecutive calls in the generated code, such as the backward patching on a call does not affect the previous instruction execution, and leave enough space for the OSR jump.
If this assert raised, this means that the previous instruction is closer than expected. (less than 4 bytes on ARM).
|
||
Comment 4•11 years ago
|
||
right. "less than 4 bytes", that is basically impossible. Also the fact that this only reproduces a handful of times in 100 runs (I have yet to actually reproduce it) makes me believe that the assertion is just indicating that something else has gone wrong.
Flags: needinfo?(mrosenberg)
|
|
||
Comment 5•11 years ago
|
||
This seems pretty bogus. When we run out of memory, we stop adding instructions to the assembly buffer. So, when people query the assembly buffer for how much stuff is in it, it keeps giving the same answer, which then makes this check a bit sad. For the most part we're doing the right thing with this OOM, but the post-oom world isn't as sane as assertions want it to be. I can paper over this by just not asserting if the buffer believes it has run out of memory, or I can try something else. We can probably also safely ignore this.
Flags: needinfo?(jdemooij)
|
||
Comment 6•11 years ago
|
||
> We can probably also safely ignore this.
You're saying this is not a security bug and we should WONTFIX it?
|
Reporter | |
Updated•11 years ago
|
status-firefox30:
--- → affected
|
|
Reporter | |
Updated•11 years ago
|
Assignee: general → nobody
|
|
||
Comment 8•11 years ago
|
||
Yeah, that is my opinion. If someone thinks this warrants papering over, I can do that, but it looks incredibly tame and unlucky.
Flags: needinfo?(mrosenberg)
|
|
||
Updated•11 years ago
|
Keywords: csectype-oom,
sec-low
|
||
Comment 9•11 years ago
|
||
(In reply to Marty Rosenberg [:mjrosenb] from comment #8)
> Yeah, that is my opinion. If someone thinks this warrants papering over, I
> can do that, but it looks incredibly tame and unlucky.
I think it'd be good to do that (only assert if non-OOM), to make it easier for the fuzzers to find real, non-OOM problems.
Flags: needinfo?(jdemooij) → needinfo?(mrosenberg)
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
|
|
Reporter | |
Comment 10•11 years ago
|
||
JSBugMon: Cannot process bug: Error: Failed to compile specified revision f550b112a19b (maybe try another?)
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
|
|
Reporter | |
Comment 11•11 years ago
|
||
JSBugMon: Bisection requested, failed due to error: Error: Failed to compile specified revision f550b112a19b (maybe try another?)
|
Assignee | |
Comment 12•10 years ago
|
||
Testcase hasn't reproduced for a year, but might as well, since the error still theoretically exists.
Flags: needinfo?(marty.rosenberg)
Attachment #8627917 -
Flags: review?(hv1989)
|
|
Assignee | |
Updated•10 years ago
|
Assignee: nobody → sstangl
|
||
Comment 13•10 years ago
|
||
Comment on attachment 8627917 [details] [diff] [review]
0001-Bug-969309-Avoid-write-patch-check-on-OOM.-r.patch
Review of attachment 8627917 [details] [diff] [review]:
-----------------------------------------------------------------
Indeed good to not assert for known invalid state!
Attachment #8627917 -
Flags: review?(hv1989) → review+
|
|
Assignee | |
Comment 14•10 years ago
|
||
Apparently I landed this last week, but the auto-comment bot doesn't function on s-s bugs.
https://hg.mozilla.org/mozilla-central/rev/63e4d75cc007
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
|
||
Updated•10 years ago
|
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:] → [jsbugmon:][post-critsmash-triage]
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:][post-critsmash-triage] → [jsbugmon:][post-critsmash-triage][adv-main42+]
|
|
||
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•