Closed Bug 719674 Opened 14 years ago Closed 14 years ago

JS Crash on heap with invalid memory being executed

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla12
Tracking Flags:
Tracking Status
firefox11 --- unaffected
firefox12 + fixed
firefox13 + fixed
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:critical] js-triage-needed)

Attachments

(3 files)

shell testcase, unpack, chdir and run main.js with options "-n -m -a"
3.06 KB, application/x-compressed-tar
Details
shell testcase (dbg), unpack, chdir and run main.js with options "-n -m -a"
2.34 KB, application/x-compressed-tar
Details
patch (47584f117727)
13.85 KB, patch
dvander
: review+
Details | Diff | Splinter Review
The attached test crashes on mozilla-central revision e5e66f40c35b (32 bit opt build, options -m -n -a). The test is one of a few that recently popped up that seem highly fragile while reducing. GDB Backtrace: Program received signal SIGSEGV, Segmentation fault. 0xf73cd15a in ?? () (gdb) bt #0 0xf73cd15a in ?? () #1 0x08328380 in ?? () #2 0x082fbff4 in ?? () Backtrace stopped: previous frame inner to this frame (corrupt stack?) (gdb) x /4i $pc => 0xf73cd15a: Cannot access memory at address 0xf73cd15a This does not crash in valgrind. S-s and sg:critical due to attempted execution of invalid memory.
Here's another, shorter test that works with the debug shell for better debugging.
Regression from bug 706914, when stubbing a LookupSwitch or TableSwitch, if the native code for the target was not found then the compartment's entire stack was switched over to the interpreter and execution continued. This is not valid to do --- ClearAllFrames must be followed by wiping out all JIT code in the compartment, and clearStackReferences must be followed by wiping out all of the script's code. Updated comments, and went through all uses of these functions to fix any other problems, which turned up issues in recompileForStepMode, and TI-triggered recompilation.
Assignee: general → bhackett1024
Attachment #590742 - Flags: review?(dvander)
Attachment #590742 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/6c5229914ef9
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Blocks: 706914
Group: core-security
status-firefox-esr10: --- → unaffected
status-firefox11: --- → unaffected
status-firefox12: --- → fixed
status-firefox13: --- → fixed
tracking-firefox12: --- → +
tracking-firefox13: --- → +
Keywords: regression
Status: RESOLVED → VERIFIED
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: