Closed
Bug 1094570
Opened 10 years ago
Closed 10 years ago
crash in IonScript::unlinkFromRuntime
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
mozilla36
Tracking | Status | |
---|---|---|
firefox33 | --- | unaffected |
firefox34 | --- | unaffected |
firefox35 | + | fixed |
firefox36 | + | fixed |
firefox-esr31 | --- | unaffected |
b2g-v1.4 | --- | unaffected |
b2g-v2.0 | --- | unaffected |
b2g-v2.0M | --- | unaffected |
b2g-v2.1 | --- | unaffected |
b2g-v2.2 | --- | fixed |
People
(Reporter: luke, Assigned: luke)
References
Details
(Keywords: regression)
Attachments
(2 files)
4.01 KB,
patch
|
h4writer
:
review+
dveditz
:
approval-mozilla-aurora+
dveditz
:
sec-approval+
|
Details | Diff | Splinter Review |
562 bytes,
text/plain
|
Details |
This crash is pretty reproducible if you load Aaaaa For the Awesome and switch to another game and wait for GC. It's a pretty bug and simple fix. crash-stats shows that a few hundred crashes with this signature in the last several weeks, many mentioning humble bundle in the comments/URL, so it'd definitely be good to uplift. s-s because it's a use-after-free.
Attachment #8517890 -
Flags: review?(hv1989)
Assignee | ||
Comment 1•10 years ago
|
||
Assignee | ||
Updated•10 years ago
|
Attachment #8517891 -
Attachment is patch: false
Assignee | ||
Comment 2•10 years ago
|
||
Looks like only Aurora is affected. Aaaaaa and the testcase don't reproduce on Beta because the way AsmJSModule and IonScript were linked was different.
status-firefox35:
--- → affected
Assignee | ||
Comment 3•10 years ago
|
||
Comment on attachment 8517890 [details] [diff] [review]
fix-ffi-stubs
Approval Request Comment
[Feature/regressing bug #]: 1054538
[User impact if declined]: pretty easy crashes on one humble bundle game
[Describe test coverage new/current, TBPL]: m-c (soon)
[Risks and why]: this is a pretty cause/fix, so the risk is pretty low
Attachment #8517890 -
Flags: approval-mozilla-aurora?
Comment 4•10 years ago
|
||
Comment on attachment 8517890 [details] [diff] [review]
fix-ffi-stubs
Review of attachment 8517890 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/asmjs/AsmJSModule.h
@@ +1420,5 @@
> return *(ExitDatum *)(globalData() + exitIndexToGlobalDataOffset(exitIndex));
> }
> + bool exitIsOptimized(unsigned exitIndex) const {
> + MOZ_ASSERT(isFinished());
> + ExitDatum &exitDatum = exitIndexToGlobalDatum(exitIndex);
Not sure if the assert is needed. Since it also get tested in "exitIndexToGlobalDatum"
Attachment #8517890 -
Flags: review?(hv1989) → review+
Assignee | ||
Comment 5•10 years ago
|
||
Comment on attachment 8517890 [details] [diff] [review]
fix-ffi-stubs
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not easily; patch also contains refactoring.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No
Which older supported branches are affected by this flaw?
Aurora
If not all supported branches, which bug introduced the flaw?
1054538
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Yes, patch applies cleanly.
How likely is this patch to cause regressions; how much testing does it need?
Not likely
Attachment #8517890 -
Flags: sec-approval?
Updated•10 years ago
|
Updated•10 years ago
|
Blocks: 1054538
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.2:
--- → affected
status-firefox33:
--- → unaffected
status-firefox34:
--- → unaffected
status-firefox-esr31:
--- → unaffected
Keywords: regression
Comment 6•10 years ago
|
||
Comment on attachment 8517890 [details] [diff] [review]
fix-ffi-stubs
sec-approval+, a=dveditz for aurora
Attachment #8517890 -
Flags: sec-approval?
Attachment #8517890 -
Flags: sec-approval+
Attachment #8517890 -
Flags: approval-mozilla-aurora?
Attachment #8517890 -
Flags: approval-mozilla-aurora+
Assignee | ||
Comment 7•10 years ago
|
||
Comment 8•10 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Comment 9•10 years ago
|
||
Updated•10 years ago
|
Group: core-security
Updated•10 years ago
|
Group: javascript-core-security
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•