Closed Bug 1094570 Opened 10 years ago Closed 10 years ago

crash in IonScript::unlinkFromRuntime

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla36
Tracking Flags:
Tracking Status
firefox33 --- unaffected
firefox34 --- unaffected
firefox35 + fixed
firefox36 + fixed
firefox-esr31 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.2 --- fixed

People

(Reporter: luke, Assigned: luke)

References

Details

(Keywords: regression)

Attachments

(2 files)

fix-ffi-stubs
4.01 KB, patch
h4writer
: review+
dveditz
: approval-mozilla-aurora+
dveditz
: sec-approval+
Details | Diff | Splinter Review
test case (to be landed separately from patch)
562 bytes, text/plain
Details
Attached patch fix-ffi-stubsSplinter Review
This crash is pretty reproducible if you load Aaaaa For the Awesome and switch to another game and wait for GC. It's a pretty bug and simple fix. crash-stats shows that a few hundred crashes with this signature in the last several weeks, many mentioning humble bundle in the comments/URL, so it'd definitely be good to uplift. s-s because it's a use-after-free.
Attachment #8517890 - Flags: review?(hv1989)
Attachment #8517891 - Attachment is patch: false
Looks like only Aurora is affected. Aaaaaa and the testcase don't reproduce on Beta because the way AsmJSModule and IonScript were linked was different.
status-firefox35: --- → affected
Comment on attachment 8517890 [details] [diff] [review] fix-ffi-stubs Approval Request Comment [Feature/regressing bug #]: 1054538 [User impact if declined]: pretty easy crashes on one humble bundle game [Describe test coverage new/current, TBPL]: m-c (soon) [Risks and why]: this is a pretty cause/fix, so the risk is pretty low
Attachment #8517890 - Flags: approval-mozilla-aurora?
Comment on attachment 8517890 [details] [diff] [review] fix-ffi-stubs Review of attachment 8517890 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/asmjs/AsmJSModule.h @@ +1420,5 @@ > return *(ExitDatum *)(globalData() + exitIndexToGlobalDataOffset(exitIndex)); > } > + bool exitIsOptimized(unsigned exitIndex) const { > + MOZ_ASSERT(isFinished()); > + ExitDatum &exitDatum = exitIndexToGlobalDatum(exitIndex); Not sure if the assert is needed. Since it also get tested in "exitIndexToGlobalDatum"
Attachment #8517890 - Flags: review?(hv1989) → review+
Comment on attachment 8517890 [details] [diff] [review] fix-ffi-stubs [Security approval request comment] How easily could an exploit be constructed based on the patch? Not easily; patch also contains refactoring. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No Which older supported branches are affected by this flaw? Aurora If not all supported branches, which bug introduced the flaw? 1054538 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Yes, patch applies cleanly. How likely is this patch to cause regressions; how much testing does it need? Not likely
Attachment #8517890 - Flags: sec-approval?
Comment on attachment 8517890 [details] [diff] [review] fix-ffi-stubs sec-approval+, a=dveditz for aurora
Attachment #8517890 - Flags: sec-approval?
Attachment #8517890 - Flags: sec-approval+
Attachment #8517890 - Flags: approval-mozilla-aurora?
Attachment #8517890 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/b4493970ffdc
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox36: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Group: core-security
Group: javascript-core-security
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: