Closed
Bug 999759
Opened 10 years ago
Closed 10 years ago
Crash [@ js::jit::IonBailoutIterator::IonBailoutIterator]
Categories: Core :: JavaScript Engine: JIT, defect, P1
Status: VERIFIED FIXED
Target Milestone: mozilla32
People: Reporter: gkw, Assigned: mjrosenb
Keywords: 5 keywords; Whiteboard: [jsbugmon:]
Attachments: 1 file (1.57 KB, text/plain)
Reporter
Description•10 years ago
function f(f, inputs) {
    for (var j = 0; j < inputs.length; ++j) {
        for (var k = 0; k < inputs.length; ++k) {
            try {
                f(inputs[j], inputs[k]);
            } catch (e) {}
        }
    }
}
s = newGlobal()
s["f"] = this["f"].bind(this)
evalcx("\
function f1() {\
    __defineSetter__(\"e\", function(x) {\
        this[\"__proto__\"] = x\
    })\
}\
f(f1, [0]);\
e = Proxy.createFunction((function() {\
    return {\
        has: function() {}\
    }\
})()\
, function(){}\
);\
f2 = (function() {});\
setJitCompilerOption('ion.usecount.trigger', 0);\
f3 = (function(x, y) {\
    return ((-y * ((((!(x >>> 0)) >>> 0) + \
    (((Math.fround(Math.fround(Math.fround(x))) >>> 0) << \
    (y | 0)) | 0)) | 0)) >>> 0) * \
    Math.pow(((x | 0) | 0), f2(x, +(d(l(0xf, -E)))))\
});\
f(f3, [-0, Math.PI, -Number])\
", s)

crashes js opt shell on m-c changeset c962bde5ac0b with --baseline-eager --ion-parallel-compile=off --ion-gvn=pessimistic --ion-check-range-analysis at js::jit::IonBailoutIterator::IonBailoutIterator on an ARM ODROID board with Ubuntu 14.04.

My configure flags are:

AR=ar sh /home/odroid/trees/mozilla-central/js/src/configure --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

Valgrind shows an invalid read of size 4:

==8340== Invalid read of size 4
==8340==    at 0x1699E4: js::jit::IonBailoutIterator::IonBailoutIterator(js::jit::JitActivationIterator const&, js::jit::BailoutStack*) (Bailouts-arm.cpp:82)
==8340==    by 0xCF5EB: js::jit::Bailout(js::jit::BailoutStack*, js::jit::BaselineBailoutInfo**) (Bailouts.cpp:79)
==8340==    by 0x4841537: ???
==8340==  Address 0xffffffb0 is not stack'd, malloc'd or (recently) free'd
==8340==
==8340==
==8340==
==8340== Process terminating with default action of signal 11 (SIGSEGV)
==8340==  Access not within mapped region at address 0xFFFFFFB0
==8340==    at 0x1699E4: js::jit::IonBailoutIterator::IonBailoutIterator(js::jit::JitActivationIterator const&, js::jit::BailoutStack*) (Bailouts-arm.cpp:82)
==8340==    by 0xCF5EB: js::jit::Bailout(js::jit::BailoutStack*, js::jit::BaselineBailoutInfo**) (Bailouts.cpp:79)
==8340==    by 0x4841537: ???

s-s and setting sec-critical initially because this looks like a scary ARM crash (plus an invalid read from Valgrind). Setting needinfo? from our ARM gurus.
Flags: needinfo?(mrosenberg)
Flags: needinfo?(dtc-moz)
Assignee
Comment 1•10 years ago
ok, I was able to reproduce this, looking into it.
Reporter
Comment 2•10 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/21879e298728
user:        Marty Rosenberg
date:        Fri Mar 07 11:25:38 2014 -0500
summary:     Bug 973874: Ensure that all offsets that we take into the assembly buffer are created by the instruction we want to branch to (r=dougc)
Blocks: 973874
Reporter
Comment 3•10 years ago
Setting flags according to landing of bug 973874.
status-firefox29: --- → unaffected
status-firefox30: --- → affected
status-firefox31: --- → affected
Updated•10 years ago
tracking-firefox30: --- → +
tracking-firefox31: --- → +
Updated•10 years ago
Group: javascript-core-security
Updated•10 years ago
status-firefox32: --- → affected
tracking-firefox32: --- → +
Reporter
Comment 5•10 years ago
I can still reproduce on m-c rev b66e279688a1.
Flags: needinfo?(gary)
Assignee
Comment 6•10 years ago
Looks like one of the patches in my queue fixes this. My guess would be 996715.
Flags: needinfo?(mrosenberg)
Comment 7•10 years ago
Any further determination of which patch fixes this so we can get uplift and verification?
Flags: needinfo?(mrosenberg)
Comment 8•10 years ago
We've run out of FF30 betas to try this out on, have to carry forward to target FF31 unless there is a clean, low-risk backout available to land before Monday's RC.
Updated•10 years ago
Whiteboard: [jsbugmon:update]
Updated•10 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 9•10 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 10•10 years ago
Retrying this with the gvn option added to JSBugMon :)
Whiteboard: [jsbugmon:] → [jsbugmon:update]
Updated•10 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 11•10 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Reporter
Comment 13•10 years ago
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9d8a5c8d8328
user:        Marty Rosenberg
date:        Tue May 27 09:40:35 2014 -0400
summary:     bug 996715: Remove the code that bails when determining if the second instruction in a chunk is a branch. (r=dougc)

Indeed, Marty is right as per comment 6, fixed by bug 996715.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(mrosenberg)
Flags: needinfo?(gary)
Flags: needinfo?(dtc-moz)
Resolution: --- → FIXED
Updated•10 years ago
status-b2g-v1.2: --- → fixed
status-b2g-v1.3: --- → fixed
status-b2g-v1.3T: --- → fixed
status-b2g-v1.4: --- → fixed
status-b2g-v2.0: --- → fixed
status-b2g-v2.1: --- → fixed
status-firefox-esr24: --- → fixed
Depends on: 996715
Target Milestone: --- → mozilla32
Comment 14•10 years ago
trying to apply this to SeaMonkey 2.26.1 (Gecko 29) resulted in patch conflicts, and due to the nature of this patchset it seems like I won't be able to take it.
status-seamonkey2.26: --- → wontfix
Updated•10 years ago
Group: javascript-core-security
Comment 15•10 years ago
Reproduced the original issue using revision c962bde5ac0b. Used the PoC code and the flags from comment #0:

Runtime call with unaligned stack!
==26297== Invalid write of size 4
==26297==    at 0x8294E19: js::jit::Simulator::softwareInterrupt(js::jit::SimInstruction*) (Simulator-arm.cpp:2125)
==26297==    by 0x82932BB: js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) (Simulator-arm.cpp:4036)

Verified using the following builds:
- firefox33 using revision 7883d8e9f210 [Passed with no crashes, Valgrind didn't report any issues]
- firefox32 using revision 0874ec920408 [Passed with no crashes, Valgrind didn't report any issues]
- firefox31 using revision 6befadcaa685 [Passed with no crashes, Valgrind didn't report any issues]
- firefox31 using revision e6aee77687d3 [Passed with no crashes, Valgrind didn't report any issues]
- firefox-esr24 using revision 31b0c1ff3c0b [Passed with no crashes, Valgrind didn't report any issues]
Status: RESOLVED → VERIFIED
QA Whiteboard: [qa!]
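The Valgrind excerpts quoted in comment 0 and comment 15 are the raw material a fuzzing pipeline such as the reporter's has to triage without a human reading every log. The script below is an added example written for this page; it is not code from the bug report, from JSBugMon or from SpiderMonkey. It parses memcheck output into access kind, size, faulting address, signal and the innermost stack, and derives the "[@ symbol]" crash signature that this bug's summary uses, so the comment 0 excerpt yields exactly "[@ js::jit::IonBailoutIterator::IonBailoutIterator]". The regexes assume Valgrind's standard "==PID== " line prefix and frame layout; the near-null/near-wrap bucketing is a heuristic of my own, not anything Valgrind reports; the two sample logs are the excerpts from comments 0 and 15 of this bug, re-broken into lines.

```python
"""Triage Valgrind memcheck output from a crashing JS shell.

Added example for this page, not code from the bug report, JSBugMon or
SpiderMonkey. Assumes Valgrind's standard "==PID== " line prefix and frame
layout; the sample logs are the excerpts quoted in comments 0 and 15.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

_PREFIX = re.compile(r"^==\d+==\s*")
_ACCESS = re.compile(r"^Invalid (read|write) of size (\d+)$")
_ADDRESS = re.compile(r"^Address (0x[0-9a-fA-F]+) is (.+)$")
_SIGNAL = re.compile(r"^Process terminating with default action of signal \d+ \((\w+)\)$")
# "at 0x1699E4: sym(args) (file.cpp:82)" or "by 0x4841537: ???" (no symbol, most likely JIT code)
_FRAME = re.compile(r"^(?:at|by) 0x[0-9a-fA-F]+: (.*?)(?: \(([^()]+:\d+)\))?$")


@dataclass
class ValgrindReport:
    kind: Optional[str] = None      # "read" or "write"
    size: Optional[int] = None      # access width in bytes
    address: Optional[int] = None   # faulting address, if Valgrind printed one
    signal: Optional[str] = None    # e.g. "SIGSEGV"
    frames: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # innermost first

    @property
    def top_symbol(self) -> Optional[str]:
        """Innermost frame's function with its parameter list stripped."""
        return self.frames[0][0].split("(", 1)[0] if self.frames else None


def parse_valgrind(text: str) -> ValgrindReport:
    report = ValgrindReport()
    collecting = False  # True only while reading the first stack trace
    for raw in text.splitlines():
        if not raw.startswith("=="):
            continue  # not a memcheck line, e.g. the shell's own stderr
        line = _PREFIX.sub("", raw).rstrip()
        m = _ACCESS.match(line)
        if m:
            report.kind, report.size = m.group(1), int(m.group(2))
            collecting = not report.frames
            continue
        m = _SIGNAL.match(line)
        if m:
            report.signal = m.group(1)
            collecting = not report.frames  # the SIGSEGV block repeats the same stack
            continue
        m = _FRAME.match(line)
        if m:
            if collecting:
                report.frames.append((m.group(1).strip(), m.group(2)))
            continue
        collecting = False  # blank line, "Address ...", etc. ends the stack
        m = _ADDRESS.match(line)
        if m:
            report.address = int(m.group(1), 16)
    return report


def crash_signature(report: ValgrindReport) -> str:
    """Signature in the "[@ symbol]" form this bug's summary uses."""
    return f"[@ {report.top_symbol or 'unknown'}]"


def classify_address(address: Optional[int], bits: int = 32) -> str:
    """Heuristic bucket for the faulting address (my labels, not Valgrind's).

    On a 32-bit target like the ARM board in comment 0, an address in the top
    page is also a small negative offset: 0xffffffb0 is -0x50, i.e. what a
    zero base pointer minus a 0x50 field offset would produce.
    """
    if address is None:
        return "unknown"
    if address < 0x1000:
        return "near-null"
    if address >= (1 << bits) - 0x1000:
        return "near-wrap"
    return "other"


# Sample input re-broken into lines from the comment 0 excerpt (ARM ODROID, opt shell).
COMMENT0_LOG = """\
==8340== Invalid read of size 4
==8340==    at 0x1699E4: js::jit::IonBailoutIterator::IonBailoutIterator(js::jit::JitActivationIterator const&, js::jit::BailoutStack*) (Bailouts-arm.cpp:82)
==8340==    by 0xCF5EB: js::jit::Bailout(js::jit::BailoutStack*, js::jit::BaselineBailoutInfo**) (Bailouts.cpp:79)
==8340==    by 0x4841537: ???
==8340==  Address 0xffffffb0 is not stack'd, malloc'd or (recently) free'd
==8340==
==8340== Process terminating with default action of signal 11 (SIGSEGV)
==8340==  Access not within mapped region at address 0xFFFFFFB0
==8340==    at 0x1699E4: js::jit::IonBailoutIterator::IonBailoutIterator(js::jit::JitActivationIterator const&, js::jit::BailoutStack*) (Bailouts-arm.cpp:82)
"""

# Sample input from the comment 15 excerpt; its frames are in Simulator-arm.cpp and no address line is shown.
COMMENT15_LOG = """\
Runtime call with unaligned stack!
==26297== Invalid write of size 4
==26297==    at 0x8294E19: js::jit::Simulator::softwareInterrupt(js::jit::SimInstruction*) (Simulator-arm.cpp:2125)
==26297==    by 0x82932BB: js::jit::Simulator::instructionDecode(js::jit::SimInstruction*) (Simulator-arm.cpp:4036)
"""

if __name__ == "__main__":
    for name, log in (("comment 0", COMMENT0_LOG), ("comment 15", COMMENT15_LOG)):
        r = parse_valgrind(log)
        addr = f"{r.address:#x}" if r.address is not None else "n/a"
        print(f"{name}: {crash_signature(r)} invalid {r.kind} of {r.size} bytes at {addr} "
              f"({classify_address(r.address)}), signal={r.signal}, frames={len(r.frames)}")
```

The parser keeps only the first stack it sees, because Valgrind repeats the same frames under the "Process terminating" block; the trailing "???" frame in comment 0 is kept as a frame with no source location rather than dropped, since an unsymbolised return address is itself a useful hint that the fault was reached from JIT-generated code. For the comment 15 excerpt, which shows no address line, the report correctly reports the address as unknown instead of guessing.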
Updated•9 years ago
Group: core-security