Closed Bug 1306913 Opened 8 years ago Closed 8 years ago

MOZ_ASSERT crashes in ShellOpenAsmJSCacheEntryForWrite() while running jit-tests

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
Unspecified
FreeBSD
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla52
Tracking Flags:
Tracking Status
firefox52 --- fixed

People

(Reporter: jbeich, Unassigned)

References

Details

(Keywords: regression)

Attachments

(2 files)

Bug 1306913 - Allow MOZ_ASSERT to check contents before disabling PROT_READ.
(deleted), text/x-review-board-request
luke
: review+
Details
simplified test case
(deleted), text/plain
Details
After bug 900669 comment 78 many tests started to fail but nowadays the list is short js/src/jit-test/tests/asm.js/testCaching.js --wasm-always-baseline js/src/jit-test/tests/asm.js/testCaching.js js/src/jit-test/tests/asm.js/testCloning.js --wasm-always-baseline js/src/jit-test/tests/asm.js/testCloning.js js/src/jit-test/tests/asm.js/testBullet.js --wasm-always-baseline js/src/jit-test/tests/asm.js/testBullet.js js/src/jit-test/tests/asm.js/testHeapAccess.js --wasm-always-baseline js/src/jit-test/tests/asm.js/testHeapAccess.js js/src/jit-test/tests/asm.js/testSource.js --wasm-always-baseline js/src/jit-test/tests/asm.js/testSource.js js/src/jit-test/tests/asm.js/testStackWalking.js --wasm-always-baseline js/src/jit-test/tests/asm.js/testStackWalking.js js/src/jit-test/tests/latin1/asm.js which points at * thread #1: tid = 101293, 0x0000000000438c1f js`ShellOpenAsmJSCacheEntryForWrite(global=<unavailable>, installed=<unavailable>, begin=<unavailable>, end=<unavailable>, serializedSize=5216, memoryOut=0x00007fffffffbab0, handleOut=0x0000000802ba5c6a) + 255 at js.cpp:6850, stop reason = signal SIGSEGV: address access protected (fault address: 0x801d37000) frame #0: 0x0000000000438c1f js`ShellOpenAsmJSCacheEntryForWrite(global=<unavailable>, installed=<unavailable>, begin=<unavailable>, end=<unavailable>, serializedSize=5216, memoryOut=0x00007fffffffbab0, handleOut=0x0000000802ba5c6a) + 255 at js.cpp:6850 6847 6848 // The embedding added the cookie so strip it off of the buffer returned to 6849 // the JS engine. The asmJSCacheCookie will be written on close, below. -> 6850 MOZ_ASSERT(*(uint32_t*)memory == 0); 6851 *memoryOut = (uint8_t*)memory + sizeof(uint32_t); 6852 *handleOut = fd.forget(); 6853 return JS::AsmJSCache_Success;
Summary: MOZ_ASSERT crashes in ShellOpenAsmJSCacheEntryForWrite() → MOZ_ASSERT crashes in ShellOpenAsmJSCacheEntryForWrite() while running jit-tests
Comment on attachment 8796886 [details] Bug 1306913 - Allow MOZ_ASSERT to check contents before disabling PROT_READ. https://reviewboard.mozilla.org/r/82592/#review81404 Oh wow, that's a pretty silly bug, thanks! I guess FreeBSD is the only OS to prevent reads when only PROT_WRITE?
Attachment #8796886 - Flags: review?(luke) → review+
Attached file simplified test case (deleted) —
(In reply to Luke Wagner [:luke] from comment #2) > FreeBSD is the only OS to prevent reads when only PROT_WRITE? No, write() to stdout succeeds but dereferencing crashes. This also happens at least on DragonFly and OpenBSD. -fsanitize=address shows something but not enough without symbols.
Attachment #8797275 - Attachment mime type: text/x-csrc → text/plain
Pushed by cbook@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/5a0c00314737 Allow MOZ_ASSERT to check contents before disabling PROT_READ. r=luke
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/5a0c00314737
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox52: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: