Apparently you can just `c` continue past the `libmozglue.so` segfault and the shell will load just fine. OK. The real crash info is here (saving mostly for my future reference). Note that this was retyped by hand, but I've tried to be careful.

```
0x00000055557daa24 in ?? ()
(gdb) x/8i $pc-12
   0x55557daa18:  add  x10, x10, #0x4ff
   0x55557daa1c:  mov  w11, #0x5ee    // #1518
   0x55557daa20:  str  x10, [x9]
=> 0x55557daa24:  str  w11, [x8]
   0x55557daa28:  bl   0x5555620540 <abort@plt>
   0x55557daa2c:  sub  sp, sp, #0x40
   0x55557daa30:  stp  x22, x21, [sp, #16]
   0x55557daa34:  stp  x20, x19, [sp, #32]
(gdb) i r
x7             0xff7f7f7f7f7f7f7f
x8             0x0
x9             0x7fb7a66a68
x10            0x5555ff14ff
x11            0x5ee
(gdb) bt
#0  0x00000055557daa24 in ?? ()
#1  0x00000055558f3328 in ?? ()
#2  0x0000005555b8c40c in ?? ()
#3  0x0000005555b85fbc in ?? ()
#4  0x0000005555affdac in ?? ()
#5  0x0000007f76e28f5c in ?? ()
#6  0x0000007fb7216000 in ?? ()
Backtrace stopped: not enough register or memory available to unwind further
```
Bug 1529034 Comment 29 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Apparently you can just `c` continue past the `libmozglue.so` segfault and the shell will load just fine. OK. The real crash info is here (saving mostly for my future reference). Note that this was retyped by hand, but I've tried to be careful.

```
0x00000055557daa24 in ?? ()
(gdb) x/9i $pc-16
   0x55557daa14:  mov  x8, xzr
   0x55557daa18:  add  x10, x10, #0x4ff
   0x55557daa1c:  mov  w11, #0x5ee    // #1518
   0x55557daa20:  str  x10, [x9]
=> 0x55557daa24:  str  w11, [x8]
   0x55557daa28:  bl   0x5555620540 <abort@plt>
   0x55557daa2c:  sub  sp, sp, #0x40
   0x55557daa30:  stp  x22, x21, [sp, #16]
   0x55557daa34:  stp  x20, x19, [sp, #32]
(gdb) i r
x7             0xff7f7f7f7f7f7f7f
x8             0x0
x9             0x7fb7a66a68
x10            0x5555ff14ff
x11            0x5ee
(gdb) bt
#0  0x00000055557daa24 in ?? ()
#1  0x00000055558f3328 in ?? ()
#2  0x0000005555b8c40c in ?? ()
#3  0x0000005555b85fbc in ?? ()
#4  0x0000005555affdac in ?? ()
#5  0x0000007f76e28f5c in ?? ()
#6  0x0000007fb7216000 in ?? ()
Backtrace stopped: not enough register or memory available to unwind further
```

So we're setting a register to zero and then immediately writing to it.
Apparently you can just `c` continue past the `libmozglue.so` segfault and the shell will load just fine. OK. The real crash info is here (saving mostly for my future reference). Note that this was retyped by hand, but I've tried to be careful.

```
0x00000055557daa24 in ?? ()
(gdb) x/9i $pc-16
   0x55557daa14:  mov  x8, xzr
   0x55557daa18:  add  x10, x10, #0x4ff
   0x55557daa1c:  mov  w11, #0x5ee    // #1518
   0x55557daa20:  str  x10, [x9]
=> 0x55557daa24:  str  w11, [x8]
   0x55557daa28:  bl   0x5555620540 <abort@plt>
   0x55557daa2c:  sub  sp, sp, #0x40
   0x55557daa30:  stp  x22, x21, [sp, #16]
   0x55557daa34:  stp  x20, x19, [sp, #32]
(gdb) i r
x7             0xff7f7f7f7f7f7f7f
x8             0x0
x9             0x7fb7a66a68
x10            0x5555ff14ff
x11            0x5ee
(gdb) bt
#0  0x00000055557daa24 in ?? ()
#1  0x00000055558f3328 in ?? ()
#2  0x0000005555b8c40c in ?? ()
#3  0x0000005555b85fbc in ?? ()
#4  0x0000005555affdac in ?? ()
#5  0x0000007f76e28f5c in ?? ()
#6  0x0000007fb7216000 in ?? ()
Backtrace stopped: not enough register or memory available to unwind further
```

So we're setting a register to zero and then immediately using that as a memory address.
Apparently you can just `c` continue past the `libmozglue.so` segfault and the shell will load just fine. OK. The real crash info is here (saving mostly for my future reference). Note that this was retyped by hand, but I've tried to be careful.

```
0x00000055557daa24 in ?? ()
(gdb) x/9i $pc-16
   0x55557daa14:  mov  x8, xzr
   0x55557daa18:  add  x10, x10, #0x4ff
   0x55557daa1c:  mov  w11, #0x5ee    // #1518
   0x55557daa20:  str  x10, [x9]
=> 0x55557daa24:  str  w11, [x8]
   0x55557daa28:  bl   0x5555620540 <abort@plt>
   0x55557daa2c:  sub  sp, sp, #0x40
   0x55557daa30:  stp  x22, x21, [sp, #16]
   0x55557daa34:  stp  x20, x19, [sp, #32]
(gdb) i r
x7             0xff7f7f7f7f7f7f7f
x8             0x0
x9             0x7fb7a66a68
x10            0x5555ff14ff
x11            0x5ee
(gdb) bt
#0  0x00000055557daa24 in ?? ()
#1  0x00000055558f3328 in ?? ()
#2  0x0000005555b8c40c in ?? ()
#3  0x0000005555b85fbc in ?? ()
#4  0x0000005555affdac in ?? ()
#5  0x0000007f76e28f5c in ?? ()
#6  0x0000007fb7216000 in ?? ()
Backtrace stopped: not enough register or memory available to unwind further
```

So we're setting a register to zero and then immediately using that as a memory address. Right before we're trying to abort() the function anyway. Hum.
Apparently you can just `c` continue past the `libmozglue.so` segfault and the shell will load just fine. OK. The real crash info is here (saving mostly for my future reference). Note that this was retyped by hand, but I've tried to be careful.

```
0x00000055557daa24 in ?? ()
(gdb) x/9i $pc-16
   0x55557daa14:  mov  x8, xzr
   0x55557daa18:  add  x10, x10, #0x4ff
   0x55557daa1c:  mov  w11, #0x5ee    // #1518
   0x55557daa20:  str  x10, [x9]
=> 0x55557daa24:  str  w11, [x8]
   0x55557daa28:  bl   0x5555620540 <abort@plt>
   0x55557daa2c:  sub  sp, sp, #0x40
   0x55557daa30:  stp  x22, x21, [sp, #16]
   0x55557daa34:  stp  x20, x19, [sp, #32]
(gdb) i r
x7             0xff7f7f7f7f7f7f7f
x8             0x0
x9             0x7fb7a66a68
x10            0x5555ff14ff
x11            0x5ee
(gdb) bt
#0  0x00000055557daa24 in ?? ()
#1  0x00000055558f3328 in ?? ()
#2  0x0000005555b8c40c in ?? ()
#3  0x0000005555b85fbc in ?? ()
#4  0x0000005555affdac in ?? ()
#5  0x0000007f76e28f5c in ?? ()
#6  0x0000007fb7216000 in ?? ()
Backtrace stopped: not enough register or memory available to unwind further
```

So we're setting a register to zero and then immediately using that as a memory address. Right before we're trying to abort() the process anyway. Hum.
This message was in error; I attempted to `c` continue past the segfault in the `libmozglue.so` linking.
Apparently you can just `c` continue past the `libmozglue.so` segfault and the shell will load just fine. OK. The real crash info is here (saving mostly for my future reference). Note that this was retyped by hand, but I've tried to be careful.

```
0x00000055557daa24 in ?? ()
(gdb) x/9i $pc-16
   0x55557daa14:  mov  x8, xzr
   0x55557daa18:  add  x10, x10, #0x4ff
   0x55557daa1c:  mov  w11, #0x5ee    // #1518
   0x55557daa20:  str  x10, [x9]
=> 0x55557daa24:  str  w11, [x8]
   0x55557daa28:  bl   0x5555620540 <abort@plt>
   0x55557daa2c:  sub  sp, sp, #0x40
   0x55557daa30:  stp  x22, x21, [sp, #16]
   0x55557daa34:  stp  x20, x19, [sp, #32]
(gdb) i r
x7             0xff7f7f7f7f7f7f7f
x8             0x0
x9             0x7fb7a66a68
x10            0x5555ff14ff
x11            0x5ee
(gdb) bt
#0  0x00000055557daa24 in ?? ()
#1  0x00000055558f3328 in ?? ()
#2  0x0000005555b8c40c in ?? ()
#3  0x0000005555b85fbc in ?? ()
#4  0x0000005555affdac in ?? ()
#5  0x0000007f76e28f5c in ?? ()
#6  0x0000007fb7216000 in ?? ()
Backtrace stopped: not enough register or memory available to unwind further
```

I don't know whether this is *the* right segfault, but I did at least verify via `print()` that it occurs after the script has begun execution. It looks like we set `x8` to zero and then immediately dereference it.
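The triage the comment does by eye (find the `=>` instruction, pull the base register out of its memory operand, look the register up in the dump, notice it was zeroed a few instructions earlier and that `abort@plt` is called right after) can be automated for AArch64 gdb sessions. The script below is an added example, not code from the bug or from the commenter; it assumes the retyped session above, reflowed one record per line, with the register rows taken from `i r` output, and it treats any effective address inside the first page (below 4096) as a null-page access. Both the sample session and the 4096 threshold are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the hand-retyped gdb session from the comment,
# reflowed one record per line (register rows assumed to be `i r` output
# trimmed to the registers of interest).
GDB_SESSION = """\
(gdb) x/9i $pc-16
   0x55557daa14:  mov  x8, xzr
   0x55557daa18:  add  x10, x10, #0x4ff
   0x55557daa1c:  mov  w11, #0x5ee    // #1518
   0x55557daa20:  str  x10, [x9]
=> 0x55557daa24:  str  w11, [x8]
   0x55557daa28:  bl   0x5555620540 <abort@plt>
   0x55557daa2c:  sub  sp, sp, #0x40
(gdb) i r
x7             0xff7f7f7f7f7f7f7f
x8             0x0
x9             0x7fb7a66a68
x10            0x5555ff14ff
x11            0x5ee
"""

NULL_PAGE_LIMIT = 4096  # assumption: addresses below this are treated as null-page


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operands: str
    current: bool  # gdb marks the faulting instruction with "=>"


# "=> 0x55557daa24:  str  w11, [x8]" plus an optional trailing "// ..." comment
INSN_RE = re.compile(r"^(=>)?\s*0x([0-9a-f]+):\s+(\S+)\s*(.*?)\s*(?://.*)?$")
# "x8             0x0" as printed by `i r`
REG_RE = re.compile(r"^([xw]\d+|sp|pc)\s+(0x[0-9a-f]+)")
# base-plus-immediate memory operand: "[x8]" or "[sp, #16]"
MEM_RE = re.compile(r"\[(x\d+|sp)(?:,\s*#(-?(?:0x[0-9a-f]+|\d+)))?\]")


def parse_instructions(text):
    """Collect the disassembly lines of an `x/Ni` listing in order."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:
            insns.append(Insn(int(m.group(2), 16), m.group(3), m.group(4), m.group(1) == "=>"))
    return insns


def parse_registers(text):
    """Map register name -> value from `i r` rows."""
    regs = {}
    for line in text.splitlines():
        m = REG_RE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def writes_register(insn, reg):
    """True if insn's destination is reg or its 32-bit alias (x8 / w8)."""
    first = insn.operands.split(",")[0].strip()
    return first in (reg, "w" + reg[1:])


def classify_fault(session):
    """Explain the faulting memory access of the `=>` instruction."""
    insns = parse_instructions(session)
    regs = parse_registers(session)
    idx = next(i for i, ins in enumerate(insns) if ins.current)
    cur = insns[idx]
    mem = MEM_RE.search(cur.operands)
    if not mem:
        return {"faulting_pc": cur.addr, "category": "not a memory access"}
    base = mem.group(1)
    offset = int(mem.group(2), 0) if mem.group(2) else 0
    ea = regs[base] + offset

    # Walk backwards to the last write of the base register: was it `mov base, xzr`?
    zeroed_at = None
    for prev in reversed(insns[:idx]):
        if writes_register(prev, base):
            parts = [p.strip() for p in prev.operands.split(",")]
            if prev.mnemonic == "mov" and len(parts) == 2 and parts[1] == "xzr":
                zeroed_at = prev.addr
            break

    # Is the very next instruction the abort() call the comment points at?
    nxt = insns[idx + 1] if idx + 1 < len(insns) else None
    followed_by_abort = bool(nxt and nxt.mnemonic == "bl" and "abort" in nxt.operands)

    if ea < NULL_PAGE_LIMIT:
        kind = "write" if cur.mnemonic.startswith("st") else "read" if cur.mnemonic.startswith("ld") else "access"
        category = "null-page " + kind
    else:
        category = "other"
    return {
        "faulting_pc": cur.addr,
        "base_register": base,
        "effective_address": ea,
        "zeroed_at": zeroed_at,
        "followed_by_abort": followed_by_abort,
        "category": category,
    }


if __name__ == "__main__":
    for key, value in classify_fault(GDB_SESSION).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

Run on the constructed session it reports the store at `0x55557daa24` through `x8`, effective address `0x0`, the zeroing `mov` at `0x55557daa14`, and that the next instruction is the `abort@plt` call; the pre-increment and register-offset addressing forms are not handled, so on other listings the memory-operand regex is the first thing to extend.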