Open Bug 1876632 Opened 4 months ago Updated 15 days ago

arm64 FreeBSD ASLR TryToAlignChunk and MapAlignedPagesRandom

Categories

(Core :: JavaScript: GC, defect, P3)

Firefox 122
defect

Tracking


UNCONFIRMED

People

(Reporter: jsm, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:122.0) Gecko/20100101 Firefox/122.0

Steps to reproduce:

Run Firefox with the patch from https://bugzilla.mozilla.org/show_bug.cgi?id=1871969 (so that one bug is out of the world) on arm64 FreeBSD with ASLR enabled.

Actual results:

Segfault: MapAlignedPagesRandom manages to reach the end of its loop without a valid region. The cause might be (quoting https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271081#c26):

"Ok, the difference in my understanding between arm64 and arm64/aarch64: on AMD64 the address pointer is always a valid Firefox JIT region, i.e. the 47th bit and above are never set. This is not true for arm64, so MapAlignedPagesRandom returns null when the last attempts are not in a validRange. Furthermore I cannot confirm that Linux randomizes mmap'ed virtual addresses, so TryToAlignChunk works better there."

FreeBSD mmap has a MAP_ALIGNED(n) flag that might be handy: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271081#c25

Expected results:

It should return a valid region.
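As an added illustration (not code from the report or from SpiderMonkey), the following constructed C example shows the two checks the report is about: an over-map-and-trim alignment step in the style of TryToAlignChunk, and an explicit address-range check that rejects a mapping whose bits 47 and above are set, which is the condition the reporter says is not guaranteed on arm64. Function names, the 47-bit constant as a fixed limit, and the power-of-two alignment requirement are assumptions of this example.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stddef.h>
#include <sys/mman.h>

/* Constructed example: the 47-bit limit mentioned in the report, used here
 * as a fixed upper bound for the JIT-usable address range. */
#define VALID_ADDR_BITS 47

/* A region is usable only if its last byte still has bits 47+ clear. */
int in_valid_range(uintptr_t addr, size_t size) {
    uintptr_t limit = (uintptr_t)1 << VALID_ADDR_BITS;
    return addr < limit && size <= limit - addr;
}

/* Assumes alignment is a power of two. */
int is_aligned(void *p, size_t alignment) {
    return ((uintptr_t)p & (alignment - 1)) == 0;
}

/* Simplified TryToAlignChunk-style allocator: over-map by `alignment`
 * (a power of two, multiple of the page size), then unmap the unaligned
 * head and tail so the kept region starts on the requested boundary. */
void *map_aligned_pages(size_t size, size_t alignment) {
    size_t over = size + alignment;
    void *raw = mmap(NULL, over, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (raw == MAP_FAILED) return NULL;
    uintptr_t base = (uintptr_t)raw;
    uintptr_t aligned = (base + alignment - 1) & ~(uintptr_t)(alignment - 1);
    size_t head = aligned - base;
    size_t tail = over - head - size;
    if (head) munmap(raw, head);
    if (tail) munmap((void *)(aligned + size), tail);
    /* The failure mode from the report: a mapping that lands above the
     * valid range must be released and reported as a failure, not used. */
    if (!in_valid_range(aligned, size)) {
        munmap((void *)aligned, size);
        return NULL;
    }
    return (void *)aligned;
}

/* Maps, verifies alignment and range, releases; returns 1 on success. */
int demo_aligned_mapping(size_t size, size_t alignment) {
    void *p = map_aligned_pages(size, alignment);
    if (!p) return 0;
    int ok = is_aligned(p, alignment) && in_valid_range((uintptr_t)p, size);
    munmap(p, size);
    return ok;
}
```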

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine: JIT' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → JavaScript Engine: JIT
Product: Firefox → Core
Blocks: GC.stability
Severity: -- → S4
Component: JavaScript Engine: JIT → JavaScript: GC
Priority: -- → P3
See Also: → 1896604