Closed Bug 1583291 Opened 5 years ago Closed 5 years ago

invalid shift in js/src/vm/Interpreter-inl.h:919:30

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla71
Tracking Flags:
Tracking Status
firefox71 --- fixed

People

(Reporter: tsmith, Assigned: Waldo)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined)

Attachments

(1 file)

Bug 1583291 - Implement the left-shift operator in a manner that doesn't invoke C++ undefined behavior when the shift result would overflow int32_t. r=froydnj
47 bytes, text/x-phabricator-request
Details | Review

This is triggered with an UBSan build. To enable this check add the following to your mozconfig:

ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="shift"
ac_add_options --disable-jemalloc

This can be triggered by visiting many different sites:

js/src/vm/Interpreter-inl.h:919:30: runtime error: left shift of 1346621622 by 4 places cannot be represented in type 'int32_t' (aka 'int')
    #0 0x7f0674ffe2ef in BitLsh js/src/vm/Interpreter-inl.h:919:30
    #1 0x7f0674ffe2ef in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2493
    #2 0x7f0674fcc4d9 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:424:10
    #3 0x7f0675003884 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:567:13
    #4 0x7f06750048a9 in InternalCall(JSContext*, js::AnyInvokeArgs const&) js/src/vm/Interpreter.cpp:594:10
    #5 0x7f06761b188d in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:3229:10
    #6 0x2e2b2a18a797  (<unknown module>)

js/src/vm/Interpreter-inl.h:919:30: runtime error: left shift of negative value -2128831035
    #0 0x7fe8b2db62ef in BitLsh js/src/vm/Interpreter-inl.h:919:30
    #1 0x7fe8b2db62ef in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2493
    #2 0x7fe8b2d844d9 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:424:10
    #3 0x7fe8b2dbb884 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:567:13
    #4 0x7fe8b2dbc8a9 in InternalCall(JSContext*, js::AnyInvokeArgs const&) js/src/vm/Interpreter.cpp:594:10
    #5 0x7fe8b3f6988d in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:3229:10
    #6 0x3c681d543797  (<unknown module>)

Pushed by jwalden@mit.edu:
https://hg.mozilla.org/integration/autoland/rev/3350ec100237
Implement the left-shift operator in a manner that doesn't invoke C++ undefined behavior when the shift result would overflow int32_t.  r=froydnj

https://hg.mozilla.org/mozilla-central/rev/3350ec100237

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox71: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Assignee: nobody → jwalden
You need to log in before you can comment on or make changes to this bug.