Bug 755759 - IonMonkey: Crash on Heap through __libc_free (ARM only)

Status: Closed, RESOLVED FIXED
Opened 12 years ago; closed 12 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder; Assignee: Unassigned
Keywords: crash, testcase

Tracking | Status
---|---
firefox-esr10 | unaffected

Attachments (1 file): patch, 5.86 KB; jbramley: review+
The following testcase crashes on ionmonkey revision 50177d59c0e1 (run with --ion -n -m --ion-eager):

var BUGNUMBER = '';
var summary = '';
var FAILED = " FAILED! ";
function TestCase(n, d, e, a)
  TestCase.prototype.dump = function () {
    dump('\njstest: ' + this.path + ' ' + 'reason: ' + toPrinted(this.reason) + '\n');
  };
function inSection(x) {}
function reportFailure (msg) {}
function reportCompare (expected, actual, description) {
  var output = "";
  if (typeof document != "object" || !document.location.href.match(/jsreftest.html/)) {
    reportFailure (description + " : " + output);
  }
}
function compareSource(expect, actual, summary) {
  var expectP = expect.replace(/new (\w+)\s*\(\s*\)/mg, 'new $1');
  var actualP = actual.replace(/new (\w+)\s*\(\s*\)/mg, 'new $1');
  reportCompare(expectP, actualP, summary);
  try { } catch(ex) { }
}
function f(x) { }
var actual = [].h5 >= 0;
reportCompare(expect, actual, "unknown directive in eval code wrongly dropped");
evaluate("\
function reportFailure (section, msg) {\
  msg = inSection(section)+'\\n'+msg;\
  var lines = msg.split ('\\n');\
  for (var i=0; i<lines.length; i++)\
    print (FAILED + lines[i]);\
}\
");
var expect = 'No Crash';
reportCompare(expect, (BUGNUMBER), summary);
actual = f + '';
compareSource(expect, actual, summary);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x40a0e1c0 in ?? ()
(gdb) bt
#0  0x40a0e1c0 in ?? ()
Cannot access memory at address 0xdeadbeef
#1  0x4028298c in __libc_free (mem=<value optimized out>) at malloc.c:3738
#2  0xffffff82 in ?? ()
#3  0xffffff82 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x40a0e1c0:  andsmi  r11, r1, r0, ror #4
(gdb) info reg r11 r1 r0
r11            0xdeadbeef       3735928559
r1             0x1      1
r0             0x1      1
(gdb)
Comment 1•12 years ago
OK, I think I have a patch that fixes this bug; checking to make sure it actually still reproduces with tip.
Comment 2•12 years ago
Unfortunately, my lack of ability to keep patches separate has led to another completely unrelated fix getting rolled into this one.
Attachment #629091 - Flags: review?
Updated•12 years ago
Attachment #629091 - Flags: review? → review?(Jacob.Bramley)
Comment 3•12 years ago
Comment on attachment 629091 [details] [diff] [review] /home/mrosenberg/patches/twoFixes-ish-r0.patch Review of attachment 629091 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/Ion.cpp @@ +398,5 @@ > cacheEntries_(0), > refcount_(0) > { > } > +static const int DataAlignment = 4; Why is this file-global? It's only used once. @@ +414,5 @@ > > // This should not overflow on x86, because the memory is already allocated > // *somewhere* and if their total overflowed there would be no memory left > // at all. > + size_t paddedSnapshotsSize = AlignBytes(snapshotsSize, DataAlignment); Since DataAlignment is partially parameterized, don't all of those quantities need to be padded? ::: js/src/ion/arm/MacroAssembler-arm.cpp @@ +2859,5 @@ > > CodeOffsetJump > MacroAssemblerARMCompat::jumpWithPatch(RepatchLabel *label, Condition cond) > { > + //as_bkpt(); Remove it.
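Review bot: in the Ion.cpp @@ +398,5 @@ hunk, `static const int DataAlignment = 4;` is declared `int` but its only consumer is `AlignBytes(snapshotsSize, DataAlignment)` with a `size_t` operand, and the bare `4` carries no comment saying which constraint it satisfies (the bug is ARM-only, so presumably the alignment ARM needs for accesses into the data sections). Suggest `static const size_t DataAlignment = 4;` with a one-line comment stating that constraint, placed next to its single use as the reviewer asks rather than at file scope.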
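Review bot: in the Ion.cpp @@ +414,5 @@ hunk, `paddedSnapshotsSize` only changes the allocation size; nothing in the hunk shows the offsets at which the sections are later copied being padded in the same way. If the copy code places the section that follows the snapshots at an aligned offset computed from the raw `snapshotsSize` (or pads a different set of quantities than the allocation does), allocation and copy disagree by up to `DataAlignment - 1` bytes per padded section and the last section is written past the end of the block, which is the reviewer's "all of those quantities" point. Suggest routing every section size through the same `AlignBytes` call at both sites and adding a `JS_ASSERT` that the final copy offset equals the allocated size; the "should not overflow" comment above still holds with a few bytes of padding per section, but it is worth one sentence saying so.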
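Review bot: in the MacroAssembler-arm.cpp @@ +2859,5 @@ hunk, the commented-out `//as_bkpt();` at the top of `jumpWithPatch` is leftover debugging and should be dropped before landing, as the reviewer says; a breakpoint emitted there would trap inside generated code at runtime, and a dead comment invites someone to re-enable it. This file is also unrelated to the snapshot-size alignment change, so it looks like the "completely unrelated fix" mentioned in comment 2 and would be better split into its own patch with its own description.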
Attachment #629091 - Flags: review?(Jacob.Bramley) → review+
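The only functional change visible in the reviewed patch is rounding snapshotsSize up to DataAlignment before it is summed into the allocation. The C program below is an added illustration, not IonMonkey code, of why that matters: when an allocation is sized from raw section lengths but the copy that fills it starts each section at an aligned offset (because the data in it is accessed as 32-bit words), the last section overruns the block by a few bytes, and that kind of silent heap corruption is what typically surfaces later as a crash inside free(). Section sizes, contents and the canary check are constructed for the example; `align_bytes` is a hypothetical stand-in for AlignBytes(), and the `pad` flag selects the pre-patch (0) or padded (1) size computation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DATA_ALIGNMENT 4   /* same value as the DataAlignment constant the patch adds */
#define CANARY 0xA5        /* constructed marker written just past the allocation */

/* Hypothetical stand-in for AlignBytes(): round n up to a multiple of align (a power of two). */
static size_t align_bytes(size_t n, size_t align) {
    return (n + align - 1) & ~(align - 1);
}

/* Allocation size for [code][snapshots][bailout table].
 * pad=0: the pre-patch computation, raw sizes summed.
 * pad=1: each variable-length section rounded up to DATA_ALIGNMENT first. */
size_t allocation_size(size_t code_size, size_t snapshots_size, size_t bailout_size, int pad) {
    if (pad) {
        code_size = align_bytes(code_size, DATA_ALIGNMENT);
        snapshots_size = align_bytes(snapshots_size, DATA_ALIGNMENT);
    }
    return code_size + snapshots_size + bailout_size;
}

/* Copy the sections into buf. The bailout table holds 32-bit entries, so the
 * writer always starts it (and the snapshots) at an aligned offset, whatever
 * the allocation size assumed. Returns the offset one past the last byte written. */
size_t copy_sections(uint8_t *buf, size_t code_size, size_t snapshots_size, size_t bailout_size) {
    size_t snapshots_off = align_bytes(code_size, DATA_ALIGNMENT);
    size_t bailout_off = align_bytes(snapshots_off + snapshots_size, DATA_ALIGNMENT);
    memset(buf, 0x01, code_size);                        /* constructed "machine code" */
    memset(buf + snapshots_off, 0x02, snapshots_size);   /* constructed snapshot bytes */
    memset(buf + bailout_off, 0x03, bailout_size);       /* constructed table entries */
    return bailout_off + bailout_size;
}

/* Returns 1 if copying overruns the allocation (detected through a canary placed
 * directly after the requested size), 0 if every section fits, -1 on malloc failure. */
int layout_overflows(size_t code_size, size_t snapshots_size, size_t bailout_size, int pad) {
    size_t total = allocation_size(code_size, snapshots_size, bailout_size, pad);
    size_t slack = 2 * DATA_ALIGNMENT;   /* enough to absorb the worst case of two padded sections */
    uint8_t *buf = malloc(total + slack);
    if (!buf) return -1;
    memset(buf + total, CANARY, slack);
    copy_sections(buf, code_size, snapshots_size, bailout_size);
    int overflow = 0;
    for (size_t i = 0; i < slack; i++)
        if (buf[total + i] != CANARY) overflow = 1;
    free(buf);
    return overflow;
}

int main(void) {
    /* 13 snapshot bytes is not a multiple of 4: raw sum is 121, but the table starts at 116 and ends at 124. */
    printf("raw sizes:    overflow=%d\n", layout_overflows(100, 13, 8, 0));
    printf("padded sizes: overflow=%d\n", layout_overflows(100, 13, 8, 1));
    printf("aligned input, raw sizes: overflow=%d\n", layout_overflows(100, 12, 8, 0));
    return 0;
}
```

Running it shows the overrun only when a section length is not a multiple of the alignment and the allocation was computed without padding; a real allocator would not have the canary slack, so the three bytes land in the next chunk's bookkeeping instead, and nothing complains until that chunk is freed.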
Comment 4•12 years ago
Landed, seems stable: http://hg.mozilla.org/projects/ionmonkey/rev/aff52d7f5924
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
status-firefox-esr10: --- → unaffected
Updated•10 years ago
Group: core-security