Closed
Bug 632206
Opened 14 years ago
Closed 14 years ago
xml_elements writes past the end of the argument vector
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
People
(Reporter: gkw, Assigned: dmandelin)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:critical?][softblocker][fixed-in-tracemonkey])
Attachments
(2 files)
|
670 bytes,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
|
742 bytes,
patch
|
luke
:
review+
christian
:
approval1.9.2.20+
|
Details | Diff | Splinter Review |
x = <x/>
for (a = 0; a < 9; a++) {
x.elements()
}
crashes 64-bit js opt shell on TM changeset db8be4e3f373 with -j at js::ExecuteTree, but does not seem to crash on js debug shell.
s-s because this seems to be accessing a weird memory address at 0xfffb80010050e680
=====
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x000000010019c25b in js::ExecuteTree ()
(gdb) bt
#0 0x000000010019c25b in js::ExecuteTree ()
#1 0x00000001001be04f in js::RecordLoopEdge ()
#2 0x00000001001be45c in js::MonitorLoopEdge ()
#3 0x0000000100094d39 in js::Interpret ()
#4 0x00000001000998f8 in js::Execute ()
#5 0x0000000100016d57 in JS_ExecuteScript ()
#6 0x0000000100005020 in Process ()
#7 0x0000000100009295 in Shell ()
#8 0x00000001000097da in main ()
(gdb) x/i $pc
0x10019c25b <_ZN2jsL11ExecuteTreeEP9JSContextPNS_12TraceMonitorEPNS_12TreeFragmentERjPPNS_10VMSideExitES9_+859>: incl 0x13c(%rbx)
(gdb) x/b $rbx
0xfffb80010050e680: Cannot access memory at address 0xfffb80010050e680
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 53579:802d34381fe4
user: David Mandelin
date: Fri Sep 03 15:12:38 2010 -0700
summary: Bug 593497: blacklist using iteration count only if methodjit is enabled, r=dvander
|
||
Updated•14 years ago
|
Assignee: general → nnethercote
|
||
Comment 1•14 years ago
|
||
(In reply to comment #0)
>
> autoBisect shows this is probably related to the following changeset:
>
> The first bad revision is:
> changeset: 53579:802d34381fe4
> user: David Mandelin
> date: Fri Sep 03 15:12:38 2010 -0700
> summary: Bug 593497: blacklist using iteration count only if methodjit is
> enabled, r=dvander
There's a good chance that's not the real cause, but that it just exposed the latent bug. I'll take a look in the next day or two.
|
Assignee | |
Comment 2•14 years ago
|
||
I snuck a look at this one while waiting for ubuntu to install. Turns out it's not a tracer bug--rather, xml_elements() writes to vp[2] even when it only takes 1 arg. In this particular test case, that overwrites the save area for $rbx, which holds TreeFragment in ExecuteTree, thus we crash when we come back and try to access it. I think the store is just for rooting and thus is now unnecessary.
|
|
Assignee | |
Updated•14 years ago
|
blocking2.0: ? → final+
Whiteboard: [ccbr][sg:critical?] → [ccbr][sg:critical?][softblocker]
|
|
Assignee | |
Comment 3•14 years ago
|
||
(In reply to comment #2)
> xml_elements() writes to vp[2] even when it only
> takes 1 arg.
s/1 arg/0 args
|
|
||
Updated•14 years ago
|
Attachment #510480 -
Flags: review?(lw) → review+
|
|
||
Updated•14 years ago
|
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
|
|
Assignee | |
Comment 4•14 years ago
|
||
Whiteboard: [ccbr][sg:critical?][softblocker] → [ccbr][sg:critical?][softblocker][fixed-in-tracemonkey]
|
||
Comment 5•14 years ago
|
||
The patch doesn't look like it's 64-bit only. Does this affect all versions, and the 64-bit-only just happens to be due to the testcase?
|
|
||
Updated•14 years ago
|
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed
status1.9.1:
--- → wanted
status1.9.2:
--- → wanted
|
|
Assignee | |
Comment 6•14 years ago
|
||
(In reply to comment #5)
> The patch doesn't look like it's 64-bit only. Does this affect all versions,
> and the 64-bit-only just happens to be due to the testcase?
Correct. The bug affects all versions, but it happens to cause a crash (in test cases uncovered so far) only on 64-bit with the tracer.
OS: Mac OS X → All
Hardware: x86 → All
Summary: TM: 64-bit Crash [@ js::ExecuteTree] → xml_elements writes past the end of the argument vector
|
||
Comment 7•14 years ago
|
||
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/3b23b4d5ed13
|
|
||
Updated•14 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
||
Comment 8•14 years ago
|
||
dmandelin: does this patch work for the 1.9.2 branch?
|
|
Assignee | |
Comment 9•14 years ago
|
||
Attachment #545787 -
Flags: review?(luke)
Attachment #545787 -
Flags: approval1.9.2.20?
|
|
||
Updated•14 years ago
|
Attachment #545787 -
Flags: review?(luke) → review+
|
||
Comment 10•14 years ago
|
||
Comment on attachment 545787 [details] [diff] [review]
Patch for 1.9.2
a=LegNeato for releases/mozilla-1.9.2
Attachment #545787 -
Flags: approval1.9.2.20? → approval1.9.2.20+
|
|
Assignee | |
Comment 11•14 years ago
|
||
|
|
||
Updated•13 years ago
|
Group: core-security
|
||
Comment 12•13 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
||
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 13•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/e4x/bug632206.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•