Bug 1529034 Comment 29 Edit History


Apparently you can just `c` continue past the `libmozglue.so` segfault and the shell will load just fine. OK.

The real crash info is here (saving mostly for my future reference). Note that this was retyped by hand, but I've tried to be careful.

```
0x00000055557daa24 in ?? ()

(gdb) x/8i $pc-12
   0x55557daa18:  add x10, x10, #0x4ff
   0x55557daa1c:  mov w11, #0x5ee // #1518
   0x55557daa20:  str x10, [x9]
=> 0x55557daa24:  str w11, [x8]
   0x55557daa28:  bl  0x5555620540 <abort@plt>
   0x55557daa2c:  sub sp, sp, #0x40
   0x55557daa30:  stp x22, x21, [sp, #16]
   0x55557daa34:  stp x20, x19, [sp, #32]

(gdb) i r
x7  0xff7f7f7f7f7f7f7f
x8  0x0
x9  0x7fb7a66a68
x10 0x5555ff14ff
x11 0x5ee

(gdb) bt
#0  0x00000055557daa24 in ?? ()
#1  0x00000055558f3328 in ?? ()
#2  0x0000005555b8c40c in ?? ()
#3  0x0000005555b85fbc in ?? ()
#4  0x0000005555affdac in ?? ()
#5  0x0000007f76e28f5c in ?? ()
#6  0x0000007fb7216000 in ?? ()
Backtrace stopped: not enough register or memory available to unwind further
```
Apparently you can just `c` continue past the `libmozglue.so` segfault and the shell will load just fine. OK.

The real crash info is here (saving mostly for my future reference). Note that this was retyped by hand, but I've tried to be careful.

```
0x00000055557daa24 in ?? ()

(gdb) x/9i $pc-16
   0x55557daa14:  mov x8, xzr
   0x55557daa18:  add x10, x10, #0x4ff
   0x55557daa1c:  mov w11, #0x5ee // #1518
   0x55557daa20:  str x10, [x9]
=> 0x55557daa24:  str w11, [x8]
   0x55557daa28:  bl  0x5555620540 <abort@plt>
   0x55557daa2c:  sub sp, sp, #0x40
   0x55557daa30:  stp x22, x21, [sp, #16]
   0x55557daa34:  stp x20, x19, [sp, #32]

(gdb) i r
x7  0xff7f7f7f7f7f7f7f
x8  0x0
x9  0x7fb7a66a68
x10 0x5555ff14ff
x11 0x5ee

(gdb) bt
#0  0x00000055557daa24 in ?? ()
#1  0x00000055558f3328 in ?? ()
#2  0x0000005555b8c40c in ?? ()
#3  0x0000005555b85fbc in ?? ()
#4  0x0000005555affdac in ?? ()
#5  0x0000007f76e28f5c in ?? ()
#6  0x0000007fb7216000 in ?? ()
Backtrace stopped: not enough register or memory available to unwind further
```

So we're setting a register to zero and then immediately writing to it.
Apparently you can just `c` continue past the `libmozglue.so` segfault and the shell will load just fine. OK.

The real crash info is here (saving mostly for my future reference). Note that this was retyped by hand, but I've tried to be careful.

```
0x00000055557daa24 in ?? ()

(gdb) x/9i $pc-16
   0x55557daa14:  mov x8, xzr
   0x55557daa18:  add x10, x10, #0x4ff
   0x55557daa1c:  mov w11, #0x5ee // #1518
   0x55557daa20:  str x10, [x9]
=> 0x55557daa24:  str w11, [x8]
   0x55557daa28:  bl  0x5555620540 <abort@plt>
   0x55557daa2c:  sub sp, sp, #0x40
   0x55557daa30:  stp x22, x21, [sp, #16]
   0x55557daa34:  stp x20, x19, [sp, #32]

(gdb) i r
x7  0xff7f7f7f7f7f7f7f
x8  0x0
x9  0x7fb7a66a68
x10 0x5555ff14ff
x11 0x5ee

(gdb) bt
#0  0x00000055557daa24 in ?? ()
#1  0x00000055558f3328 in ?? ()
#2  0x0000005555b8c40c in ?? ()
#3  0x0000005555b85fbc in ?? ()
#4  0x0000005555affdac in ?? ()
#5  0x0000007f76e28f5c in ?? ()
#6  0x0000007fb7216000 in ?? ()
Backtrace stopped: not enough register or memory available to unwind further
```

So we're setting a register to zero and then immediately using that as a memory address.
Apparently you can just `c` continue past the `libmozglue.so` segfault and the shell will load just fine. OK.

The real crash info is here (saving mostly for my future reference). Note that this was retyped by hand, but I've tried to be careful.

```
0x00000055557daa24 in ?? ()

(gdb) x/9i $pc-16
   0x55557daa14:  mov x8, xzr
   0x55557daa18:  add x10, x10, #0x4ff
   0x55557daa1c:  mov w11, #0x5ee // #1518
   0x55557daa20:  str x10, [x9]
=> 0x55557daa24:  str w11, [x8]
   0x55557daa28:  bl  0x5555620540 <abort@plt>
   0x55557daa2c:  sub sp, sp, #0x40
   0x55557daa30:  stp x22, x21, [sp, #16]
   0x55557daa34:  stp x20, x19, [sp, #32]

(gdb) i r
x7  0xff7f7f7f7f7f7f7f
x8  0x0
x9  0x7fb7a66a68
x10 0x5555ff14ff
x11 0x5ee

(gdb) bt
#0  0x00000055557daa24 in ?? ()
#1  0x00000055558f3328 in ?? ()
#2  0x0000005555b8c40c in ?? ()
#3  0x0000005555b85fbc in ?? ()
#4  0x0000005555affdac in ?? ()
#5  0x0000007f76e28f5c in ?? ()
#6  0x0000007fb7216000 in ?? ()
Backtrace stopped: not enough register or memory available to unwind further
```

So we're setting a register to zero and then immediately using that as a memory address. Right before we're trying to abort() the function anyway. Hum.
Apparently you can just `c` continue past the `libmozglue.so` segfault and the shell will load just fine. OK.

The real crash info is here (saving mostly for my future reference). Note that this was retyped by hand, but I've tried to be careful.

```
0x00000055557daa24 in ?? ()

(gdb) x/9i $pc-16
   0x55557daa14:  mov x8, xzr
   0x55557daa18:  add x10, x10, #0x4ff
   0x55557daa1c:  mov w11, #0x5ee // #1518
   0x55557daa20:  str x10, [x9]
=> 0x55557daa24:  str w11, [x8]
   0x55557daa28:  bl  0x5555620540 <abort@plt>
   0x55557daa2c:  sub sp, sp, #0x40
   0x55557daa30:  stp x22, x21, [sp, #16]
   0x55557daa34:  stp x20, x19, [sp, #32]

(gdb) i r
x7  0xff7f7f7f7f7f7f7f
x8  0x0
x9  0x7fb7a66a68
x10 0x5555ff14ff
x11 0x5ee

(gdb) bt
#0  0x00000055557daa24 in ?? ()
#1  0x00000055558f3328 in ?? ()
#2  0x0000005555b8c40c in ?? ()
#3  0x0000005555b85fbc in ?? ()
#4  0x0000005555affdac in ?? ()
#5  0x0000007f76e28f5c in ?? ()
#6  0x0000007fb7216000 in ?? ()
Backtrace stopped: not enough register or memory available to unwind further
```

So we're setting a register to zero and then immediately using that as a memory address. Right before we're trying to abort() the process anyway. Hum.
This message was in error; I attempted to `c` continue past the segfault in the `libmozglue.so` linking.
Apparently you can just `c` continue past the `libmozglue.so` segfault and the shell will load just fine. OK.

The real crash info is here (saving mostly for my future reference). Note that this was retyped by hand, but I've tried to be careful.

```
0x00000055557daa24 in ?? ()

(gdb) x/9i $pc-16
   0x55557daa14:  mov x8, xzr
   0x55557daa18:  add x10, x10, #0x4ff
   0x55557daa1c:  mov w11, #0x5ee // #1518
   0x55557daa20:  str x10, [x9]
=> 0x55557daa24:  str w11, [x8]
   0x55557daa28:  bl  0x5555620540 <abort@plt>
   0x55557daa2c:  sub sp, sp, #0x40
   0x55557daa30:  stp x22, x21, [sp, #16]
   0x55557daa34:  stp x20, x19, [sp, #32]

(gdb) i r
x7  0xff7f7f7f7f7f7f7f
x8  0x0
x9  0x7fb7a66a68
x10 0x5555ff14ff
x11 0x5ee

(gdb) bt
#0  0x00000055557daa24 in ?? ()
#1  0x00000055558f3328 in ?? ()
#2  0x0000005555b8c40c in ?? ()
#3  0x0000005555b85fbc in ?? ()
#4  0x0000005555affdac in ?? ()
#5  0x0000007f76e28f5c in ?? ()
#6  0x0000007fb7216000 in ?? ()
Backtrace stopped: not enough register or memory available to unwind further
```

I don't know whether this is *the* right segfault, but I did at least verify via `print()` that it occurs after the script has begun execution. It looks like we set `x8` to zero (`mov x8, xzr` at 0x55557daa14) and then immediately dereference it (`str w11, [x8]`). Note the shape of the sequence: a small constant (0x5ee = 1518) is stored through a null pointer and the very next instruction is `bl abort@plt`, which looks like a deliberate crash trap (a line-number-to-NULL write followed by abort) rather than an accidental null dereference — so the real cause is probably whatever check fired just before this, not the store itself.
