Closed Bug 270878 Opened 21 years ago Closed 20 years ago

stack growth direction check gives wrong result

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
PowerPC
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 242518

People

(Reporter: sejo, Unassigned)

References

(
URL
)

Details

Attachments

(1 file)

Juergen Kreileder JS Arena patch
2.95 KB, patch
Details | Diff | Splinter Review
User-Agent: Links (2.1pre15; Linux 2.6.9 ppc; 211x63) Build Identifier: 1.7.3 once the program starts i get a assert error. However with biesi's help i isolated the problem to be something weirder :-) by compiling js/src/jscpucfg.c on my system teh stackgrowt direction is -1 (thus all right) but somehow the mozilla compile does check it to 1 Reproducible: Always Steps to Reproduce: 1.emerge mozilla 2. 3. Architecture: PPC G4 powerbook GCC: 3.4.3
Assignee: p_ch → general
Component: Bookmarks → JavaScript Engine
QA Contact: seamonkey.bookmarks → pschwartau
Hardware: Other → Macintosh
Summary: crash on startup → stack growth direction check gives wrong result
addition url for my configure flags: http://dev.gentoo.org/~sejo/files/configure_moz
Hi, this bug has been reported in Debian against "Galeon" as well, and the submitter was kind enough to write a patch, please see: <http://bugs.debian.org/285404> and: <http://bugzilla.gnome.org/show_bug.cgi?id=164262> I'll attach his patch ASAP.
My patch is for another problem, see the gnome bugzilla entry for details. The short story: There's some broken pointer arithmetic in the jsarena code. When arena->avail is close to the upper memory boundary, some pointer additions overflow, that makes some pointer comparisions do unexpected things and causes a crash later on. My patch fixes this problem by doing subtractions instead of additions (e.g. "_p > _a->limit - _nb" instead of "_p + _nb > _a->limit). Note that this problem probably is only reproducable with 64-bit kernels running 32-bit userland code. In that situations the pool is very close to the upper 32-bit memory boundary (0xfffffxxx) and easily overflows to 0x0000xxx. I've seen the problem with ppc64 kernels and ppc32 mozilla. 32-bit mozilla versions on x86-64 are likely to have the same problem (unless running it with the PER_LINUX32_3GB personality).
Put the patch in a new bug -- this bug is a dup of bug 242518. /be *** This bug has been marked as a duplicate of 242518 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: