Crash [@ js::jit::Simulator::decodeSpecialCondition]

VERIFIED FIXED in Firefox 31

Status


defect
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: decoder, Assigned: mjrosenb)

Tracking

(Blocks 1 bug, {crash, testcase})

Trunk
mozilla32
ARM
Linux
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox31 fixed, firefox32 verified, firefox33 fixed, b2g-v1.4 ?, b2g-v2.0 fixed, b2g-v2.1 fixed)

Details

(crash signature)

Attachments

(2 attachments)

Posted file Testcase for shell
The attached testcase crashes on mozilla-central revision 2f8af55d6e9a (run with --fuzzing-safe --ion-eager --ion-check-range-analysis).
Marked s-s because this seems to fail during instruction decoding and this could indicate another issue with the assembler buffer or some other corruption.
Flags: needinfo?(mrosenberg)
Keywords: sec-high
Group: javascript-core-security
HA-HA! Not s-s, defensive coding ftw!
The illegal instruction it executed was the pool header, which is guaranteed not to be a legal instruction and to produce a SIGILL before executing anything we don't control as tightly.
Attachment #8425259 - Flags: review?(dtc-moz)
Flags: needinfo?(mrosenberg)
Group: core-security, javascript-core-security
Also, this may fix a bunch of other fuzzbugs that have been found recently.
(In reply to Marty Rosenberg [:mjrosenb] from comment #3)
> Also, this may fix a bunch of other fuzzbugs that have been found recently.

If that's the case, can we add testcases to this patch since it's non-s-s?
Comment on attachment 8425259 [details] [diff] [review]
MoreAccurateToggles-r0.patch

Looks good, thank you.
Attachment #8425259 - Flags: review?(dtc-moz) → review+
https://hg.mozilla.org/mozilla-central/rev/1b76d9de2612
Assignee: nobody → mrosenberg
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Comment on attachment 8425259 [details] [diff] [review]
MoreAccurateToggles-r0.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Long standing issue.

User impact if declined: Crashes. Would like to get this uplifted to 31 as it is an ESR. There are fixes and tests for related issues pending and this bug might block these.

Testing completed (on m-c, etc.): Locally, and on m-c.

Risk to taking this patch (and alternatives if risky): low.

String or IDL/UUID changes made by this patch: n/a
Attachment #8425259 - Flags: approval-mozilla-beta?
Attachment #8425259 - Flags: approval-mozilla-aurora?
Comment on attachment 8425259 [details] [diff] [review]
MoreAccurateToggles-r0.patch

Rejecting for aurora, already in 32.
Attachment #8425259 - Flags: approval-mozilla-beta?
Attachment #8425259 - Flags: approval-mozilla-beta+
Attachment #8425259 - Flags: approval-mozilla-aurora?
Attachment #8425259 - Flags: approval-mozilla-aurora-
JSBugMon: This bug has been automatically verified fixed on Fx32
https://hg.mozilla.org/releases/mozilla-beta/rev/38bcf45f4222

Is this something we might expect to improve stability on B2G v1.4 (based off Gecko 30)?
status-b2g-v1.4: --- → ?
Flags: needinfo?(mrosenberg)
Keywords: sec-high
It certainly can't hurt.
Flags: needinfo?(mrosenberg)
Comment on attachment 8425259 [details] [diff] [review]
MoreAccurateToggles-r0.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Long standing issue.
User impact if declined: Crashes. May improve v1.4 stability.
Testing completed: Landed on v2.0 with no known issues for 3 weeks now.
Risk to taking this patch (and alternatives if risky): Low.
String or UUID changes made by this patch: None.
Attachment #8425259 - Flags: approval-mozilla-b2g30?
Comment on attachment 8425259 [details] [diff] [review]
MoreAccurateToggles-r0.patch

Nervous about taking JS fixes in 1.4
Attachment #8425259 - Flags: approval-mozilla-b2g30?
(In reply to Marty Rosenberg [:mjrosenb] from comment #3)
> Also, this may fix a bunch of other fuzzbugs that have been found recently.

(In reply to Preeti Raghunath(:Preeti) from comment #15)
> Comment on attachment 8425259 [details] [diff] [review]
> MoreAccurateToggles-r0.patch
> 
> Nervous about taking JS fixes in 1.4

Are you really sure? This fix for an arguably non-s-s bug fixes a bunch of fuzzbugs found, so by not taking it, you might have more js crashes in 1.4, so please consider the risk/reward ratio carefully here.
Depends on: 1029652
No longer depends on: 1029652
Flags: in-testsuite?