Note: There are a few cases of duplicates in user autocompletion which are being worked on.

JS Crash on heap with invalid memory being executed

VERIFIED FIXED in Firefox 12

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
6 years ago
4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Trunk
mozilla12
x86
Linux
crash, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox11 unaffected, firefox12+ fixed, firefox13+ fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [sg:critical] js-triage-needed)

Attachments

(3 attachments)

(Reporter)

Description

6 years ago
Created attachment 590070 [details]
shell testcase, unpack, chdir and run main.js with options "-n -m -a"

The attached test crashes on mozilla-central revision e5e66f40c35b (32 bit opt build, options -m -n -a). The test is one of a few that recently popped up that seem highly fragile while reducing.

GDB Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0xf73cd15a in ?? ()
(gdb) bt
#0  0xf73cd15a in ?? ()
#1  0x08328380 in ?? ()
#2  0x082fbff4 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /4i $pc
=> 0xf73cd15a:  Cannot access memory at address 0xf73cd15a

This does not crash in valgrind. S-s and sg:critical due to attempted execution of invalid memory.
(Reporter)

Comment 1

6 years ago
Created attachment 590283 [details]
shell testcase (dbg), unpack, chdir and run main.js with options "-n -m -a"

Here's another, shorter test that works with the debug shell for better debugging.
(Assignee)

Comment 2

6 years ago
Created attachment 590742 [details] [diff] [review]
patch (47584f117727)

Regression from bug 706914, when stubbing a LookupSwitch or TableSwitch, if the native code for the target was not found then the compartment's entire stack was switched over to the interpreter and execution continued.  This is not valid to do --- ClearAllFrames must be followed by wiping out all JIT code in the compartment, and clearStackReferences must be followed by wiping out all of the script's code.  Updated comments, and went through all uses of these functions to fix any other problems, which turned up issues in recompileForStepMode, and TI-triggered recompilation.
Assignee: general → bhackett1024
Attachment #590742 - Flags: review?(dvander)
Attachment #590742 - Flags: review?(dvander) → review+
(Assignee)

Comment 3

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/6c5229914ef9
(Assignee)

Comment 4

6 years ago
https://hg.mozilla.org/mozilla-central/rev/6c5229914ef9
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Updated

6 years ago
Target Milestone: --- → mozilla12
Blocks: 706914
Group: core-security
status-firefox-esr10: --- → unaffected
status-firefox11: --- → unaffected
status-firefox12: --- → fixed
status-firefox13: --- → fixed
tracking-firefox12: --- → +
tracking-firefox13: --- → +
Keywords: regression
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
(Reporter)

Updated

4 years ago
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.