Closed
Bug 451322
Opened 16 years ago
Closed 16 years ago
TM: LirBufWriter does not NULL check
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
VERIFIED
FIXED
People
(Reporter: dvander, Assigned: dvander)
Details
(Keywords: verified1.9.1, Whiteboard: [sg:critical?] post 1.9.0)
Attachments
(4 files, 1 obsolete file)
6.91 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
192 bytes,
patch
|
Details | Diff | Splinter Review | |
1.40 KB,
patch
|
rreitmai
:
review+
|
Details | Diff | Splinter Review |
2.51 KB,
text/plain
|
Details |
ensureRoom() can return false and LirBufWriter does not check this. When out of memory occurs things start crashing. This could be problematic on mobile.
Updated•16 years ago
|
Assignee: general → danderson
Priority: -- → P3
Comment 1•16 years ago
|
||
blocking1.9.1+, needs a beta vector, P2, per triage w/ Brendan, Andreas, and danderson.
Flags: blocking1.9.1+
Priority: P3 → P2
Comment 2•16 years ago
|
||
dvander thinks this might lead to memory corruption, so marking security-sensitive.
Group: core-security
Assignee | ||
Comment 3•16 years ago
|
||
LIR.cpp now checks ensureRoom() failures and returns the beginning of the buffer for safety. We no longer start recorders if the LIR buffer can't get at least one page. In MonitorRecording we check if the LIR buffer is out of memory, and we check the assembler state in a few more places. The assembler checks its own state a little more aggressively since it asserted in a few places.
Attachment #345649 -
Flags: review?(gal)
Assignee | ||
Comment 4•16 years ago
|
||
test case that crashes without the above patch. this particular crash is not exploitable. I can't determine if nanojit's (somewhat messy) buffer handling could be exploited in out of memory conditions. Given how easy it is to hit that (24MB code cache), I asked Jesse for security sensitivity just in case.
Updated•16 years ago
|
Attachment #345649 -
Flags: review?(gal) → review+
Assignee | ||
Comment 5•16 years ago
|
||
Fixes some error handling in nanojit
Attachment #346119 -
Flags: review?(rreitmai)
Comment 6•16 years ago
|
||
re: nanojit fixes Is there any reason why you don't want to call Assembler.error() and instead have beginAssembly() return a value? I'd rather keep the begin/assemble/end function free of return-values and provide a single consistent means to check for errors (i.e. error() )
Assignee | ||
Comment 7•16 years ago
|
||
No reason in particular, here's the same patch without the bool return.
Attachment #346119 -
Attachment is obsolete: true
Attachment #346153 -
Flags: review?(rreitmai)
Attachment #346119 -
Flags: review?(rreitmai)
Updated•16 years ago
|
Attachment #346153 -
Flags: review?(rreitmai) → review+
Assignee | ||
Comment 8•16 years ago
|
||
Pushed changeset http://hg.mozilla.org/tracemonkey/rev/a9db6bedd33d - still need to work out allocation failures during recording though.
Comment 9•16 years ago
|
||
see https://bugzilla.mozilla.org/show_bug.cgi?id=461073 for nj mem issues.
Assignee | ||
Comment 10•16 years ago
|
||
Marking this particular bug as fixed. We still have issues with LIR running out during recording, for example, lowering the code cache and running crypto-md5 will assert in a filter somewhere. I'll defer to bug 461073
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 11•16 years ago
|
||
Updated•16 years ago
|
Flags: in-testsuite+
Flags: in-litmus-
Updated•16 years ago
|
Keywords: fixed1.9.1
Comment 14•15 years ago
|
||
note js1_5/Regress/regress-451322.js is now asserting Assertion failed: "Unknown branch type in nPatchBranch": 0 due to bug 468782/http://hg.mozilla.org/tracemonkey/rev/ece63b96379b on tracemonkey and mozilla-central. jason, see the test in comment 11.
Comment 15•15 years ago
|
||
Investigating.
Updated•15 years ago
|
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Whiteboard: [sg:critical?] post 1.9.0
Updated•15 years ago
|
Group: core-security
Comment 16•14 years ago
|
||
test checked into 1.9.0, 1.9.1, 1.9.2, tracemonkey. 1.9.3 will get picked up in the next merge. This timed out on tracemonkey debug builds. I'll mark it skip later today.
Comment 17•14 years ago
|
||
js1_5/Regress/regress-451322.js marked skip. http://hg.mozilla.org/releases/mozilla-1.9.2/rev/fac742496b10 http://hg.mozilla.org/tracemonkey/rev/6c3f2e826dec
You need to log in
before you can comment on or make changes to this bug.
Description
•