Bug 1010269 - Crash [@ js::jit::Simulator::decodeSpecialCondition]
Status: Closed, VERIFIED FIXED
Opened 10 years ago, closed 10 years ago
Categories: Core :: JavaScript Engine: JIT, defect
Tracking: Target Milestone mozilla32
People: Reporter: decoder, Assigned: mjrosenb
Keywords: crash, testcase
Attachments (2 files):
  Testcase, 2.30 KB, application/javascript
  MoreAccurateToggles-r0.patch (attachment 8425259), 2.46 KB, patch
    dougc: review+
    Sylvestre: approval-mozilla-aurora-
    Sylvestre: approval-mozilla-beta+
Description
The attached testcase crashes on mozilla-central revision 2f8af55d6e9a (run with --fuzzing-safe --ion-eager --ion-check-range-analysis).
Comment 1 • 10 years ago (Reporter)
Marked s-s because this seems to fail during instruction decoding and this could indicate another issue with the assembler buffer or some other corruption.
Updated • 10 years ago
Flags: needinfo?(mrosenberg)
Updated • 10 years ago
Group: javascript-core-security
Comment 2 • 10 years ago (Assignee)
HA-HA! Not s-s, defensive coding ftw! The illegal instruction it executed was the pool header, which is guaranteed not to be a legal instruction, and produces a SIGILL before executing anything we don't control as tightly.
Attachment #8425259 - Flags: review?(dtc-moz)
Flags: needinfo?(mrosenberg)
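The "pool header is a guaranteed-illegal instruction" point from comment 2, as an added example that is not SpiderMonkey's code and does not reproduce its real pool-header layout: the header is encoded in ARM's permanently undefined (UDF) space, and a toy fetch/decode loop is run over a constructed code buffer, once with control landing on such a header and once with a header that is a legal NOP. The buffer contents, the pool-size-in-immediate layout, the opcode subset and the simulator loop are assumptions for illustration only.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// ARM A32 permanently undefined encoding (UDF): cond=1110, bits[27:20]=0x7F,
// bits[7:4]=0xF.  Bits[19:8] and [3:0] form a 16-bit immediate the tool chain
// may use however it likes; 0xE7F000F0 is UDF #0.
constexpr uint32_t kUdfMask  = 0xFFF000F0u;
constexpr uint32_t kUdfFixed = 0xE7F000F0u;
constexpr uint32_t kNop      = 0xE320F000u;   // NOP (hint)
constexpr uint32_t kBxLr     = 0xE12FFF1Eu;   // BX LR, treated here as "return"

bool isPermanentlyUndefined(uint32_t insn) {
    return (insn & kUdfMask) == kUdfFixed;
}

// Pool header for this example: a UDF whose 16-bit immediate carries the pool
// size in words.  Assumed layout; SpiderMonkey's real header is not reproduced.
uint32_t makePoolHeader(uint16_t sizeWords) {
    uint32_t imm12 = (sizeWords >> 4) & 0xFFFu;
    uint32_t imm4  = sizeWords & 0xFu;
    return kUdfFixed | (imm12 << 8) | imm4;
}

uint16_t poolHeaderSize(uint32_t header) {
    return static_cast<uint16_t>((((header >> 8) & 0xFFFu) << 4) | (header & 0xFu));
}

// B <label> with cond=AL; imm24 is a word offset relative to PC+8 (two words
// beyond the branch itself).
uint32_t makeBranch(int32_t wordOffset) {
    return 0xEA000000u | (static_cast<uint32_t>(wordOffset) & 0x00FFFFFFu);
}

enum class Status { Returned, SigIll, Runaway };

struct RunResult {
    Status status;
    size_t faultPc;                  // word index that trapped (SigIll only)
    std::vector<uint32_t> executed;  // words actually dispatched as instructions
};

// Toy fetch/decode loop.  Anything that is not UDF, NOP, B or BX LR counts as
// "some other instruction": a real core or simulator would execute it with
// whatever effect the bit pattern happens to encode.
RunResult run(const std::vector<uint32_t>& code, size_t pc, size_t maxSteps = 64) {
    RunResult r{Status::Runaway, 0, {}};
    for (size_t step = 0; step < maxSteps && pc < code.size(); ++step) {
        uint32_t insn = code[pc];
        if (isPermanentlyUndefined(insn)) {   // trap before touching pool data
            r.status = Status::SigIll;
            r.faultPc = pc;
            return r;
        }
        r.executed.push_back(insn);
        if (insn == kBxLr) {
            r.status = Status::Returned;
            return r;
        }
        if ((insn & 0xFF000000u) == 0xEA000000u) {
            int32_t imm24 = static_cast<int32_t>(insn << 8) >> 8;  // sign-extend
            pc = static_cast<size_t>(static_cast<int64_t>(pc) + 2 + imm24);
            continue;
        }
        ++pc;  // NOP or "other": fall through to the next word
    }
    return r;
}

// Constructed buffer (not from the testcase): word 0 NOP, word 1 B to word 5
// (over the pool), word 2 pool header, words 3-4 pool data 0xDEADBEEF and
// 0x12345678, word 5 NOP, word 6 BX LR.
std::vector<uint32_t> buildBuffer(uint32_t poolHeader) {
    return { kNop, makeBranch(2), poolHeader, 0xDEADBEEFu, 0x12345678u, kNop, kBxLr };
}

// Normal path: the branch skips the pool and the function returns.
bool normalPathReturns() {
    return run(buildBuffer(makePoolHeader(2)), 0).status == Status::Returned;
}

// Buggy path (say, a branch toggled to the wrong target): control lands on the
// pool header at word 2.  With a UDF header the loop traps there and never
// dispatches the constants; with a header that is a legal NOP it runs them.
RunResult landOnPool(uint32_t poolHeader) {
    return run(buildBuffer(poolHeader), 2);
}

int main() {
    RunResult hard = landOnPool(makePoolHeader(2));
    RunResult soft = landOnPool(kNop);
    std::printf("UDF header: %s at word %zu, %zu words dispatched\n",
                hard.status == Status::SigIll ? "SIGILL" : "no trap",
                hard.faultPc, hard.executed.size());
    std::printf("NOP header: %zu words dispatched, including 0x%08X\n",
                soft.executed.size(), soft.executed[1]);
    return 0;
}
```

The design point is the second run: once the header is a legal instruction, nothing stops the decoder from walking into 0xDEADBEEF and treating attacker-influenced constants as code, which is exactly what the UDF encoding rules out.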
Updated • 10 years ago (Assignee)
Group: core-security, javascript-core-security
Comment 3 • 10 years ago (Assignee)
Also, this may fix a bunch of other fuzzbugs that have been found recently.
Comment 4 • 10 years ago
(In reply to Marty Rosenberg [:mjrosenb] from comment #3)
> Also, this may fix a bunch of other fuzzbugs that have been found recently.

If that's the case, can we add testcases to this patch since it's non-s-s?
Comment 5 • 10 years ago
Comment on attachment 8425259 [details] [diff] [review]
MoreAccurateToggles-r0.patch

Looks good, thank you.
Attachment #8425259 - Flags: review?(dtc-moz) → review+
Comment 6 • 10 years ago (Assignee)
landed: https://hg.mozilla.org/integration/mozilla-inbound/rev/1b76d9de2612
Comment 7 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/1b76d9de2612
Assignee: nobody → mrosenberg
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Updated • 10 years ago (Reporter)
Status: RESOLVED → VERIFIED
Comment 8 • 10 years ago (Reporter)
JSBugMon: This bug has been automatically verified fixed.
Comment 9 • 10 years ago
Comment on attachment 8425259 [details] [diff] [review]
MoreAccurateToggles-r0.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Long standing issue.
User impact if declined: Crashes. Would like to get this uplift to 31 as it is an ESR. There are fixes and tests for related issues pending and this bug might block these.
Testing completed (on m-c, etc.): Locally, and on m-c.
Risk to taking this patch (and alternatives if risky): low.
String or IDL/UUID changes made by this patch: n/a
Attachment #8425259 - Flags: approval-mozilla-beta?
Attachment #8425259 - Flags: approval-mozilla-aurora?
Updated • 10 years ago
Comment 10 • 10 years ago
Comment on attachment 8425259 [details] [diff] [review]
MoreAccurateToggles-r0.patch

Rejecting for aurora, already in 32.
Attachment #8425259 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8425259 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora-
Updated • 10 years ago (Reporter)

Comment 11 • 10 years ago (Reporter)
JSBugMon: This bug has been automatically verified fixed on Fx32
Comment 12 • 10 years ago
https://hg.mozilla.org/releases/mozilla-beta/rev/38bcf45f4222

Is this something we might expect to improve stability on B2G v1.4 (based off Gecko 30)?
status-b2g-v1.4: --- → ?
status-b2g-v2.0: --- → fixed
status-b2g-v2.1: --- → fixed
Flags: needinfo?(mrosenberg)
Keywords: sec-high
Comment 14 • 10 years ago
Comment on attachment 8425259 [details] [diff] [review]
MoreAccurateToggles-r0.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Long standing issue.
User impact if declined: Crashes. May improve v1.4 stability.
Testing completed: Landed on v2.0 with no known issues for 3 weeks now.
Risk to taking this patch (and alternatives if risky): Low.
String or UUID changes made by this patch: None.
Attachment #8425259 - Flags: approval-mozilla-b2g30?
Comment 15 • 10 years ago
Comment on attachment 8425259 [details] [diff] [review]
MoreAccurateToggles-r0.patch

Nervous about taking JS fixes in 1.4
Attachment #8425259 - Flags: approval-mozilla-b2g30?
Comment 16 • 10 years ago
(In reply to Marty Rosenberg [:mjrosenb] from comment #3)
> Also, this may fix a bunch of other fuzzbugs that have been found recently.

(In reply to Preeti Raghunath(:Preeti) from comment #15)
> Comment on attachment 8425259 [details] [diff] [review]
> MoreAccurateToggles-r0.patch
>
> Nervous about taking JS fixes in 1.4

Are you really sure? This fix for an arguably non-s-s bug fixes a bunch of fuzzbugs that were found, so by not taking it, you might have more JS crashes in 1.4, so please consider the risk/reward ratio carefully here.