Closed Bug 755759 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash on Heap through __libc_free (ARM only)

Categories

(Core :: JavaScript Engine, defect)

Version: Other Branch
Platform: ARM
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr10 --- unaffected

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

Attachments

(1 file)

The following testcase crashes on ionmonkey revision 50177d59c0e1 (run with --ion -n -m --ion-eager):


var BUGNUMBER = '';
var summary = '';
var FAILED = " FAILED! ";
function TestCase(n, d, e, a)
TestCase.prototype.dump = function () {
    dump('\njstest: ' + this.path + ' ' +
         'reason: '      + toPrinted(this.reason) + '\n');
};
function inSection(x) {}
function reportFailure (msg) {}
function reportCompare (expected, actual, description) {
  var output = "";
  if (typeof document != "object" || !document.location.href.match(/jsreftest.html/)) {
    reportFailure (description + " : " + output);
  }
}
function compareSource(expect, actual, summary) {
  var expectP = expect.replace(/new (\w+)\s*\(\s*\)/mg, 'new $1');
  var actualP = actual.replace(/new (\w+)\s*\(\s*\)/mg, 'new $1');
  reportCompare(expectP, actualP, summary);
  try  {  }  catch(ex)  {  }
}
function f(x) { 
}
var actual = [].h5 >= 0;
reportCompare(expect, actual, "unknown directive in eval code wrongly dropped");
evaluate("\
function reportFailure (section, msg) {\
    msg = inSection(section)+'\\n'+msg;\
    var lines = msg.split ('\\n');\
    for (var i=0; i<lines.length; i++)\
        print (FAILED + lines[i]);\
}\
");
var expect = 'No Crash';
reportCompare(expect, (BUGNUMBER), summary);
actual = f + '';
compareSource(expect, actual, summary);


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x40a0e1c0 in ?? ()
(gdb) bt
#0  0x40a0e1c0 in ?? ()
Cannot access memory at address 0xdeadbeef
#1  0x4028298c in __libc_free (mem=<value optimized out>) at malloc.c:3738
#2  0xffffff82 in ?? ()
#3  0xffffff82 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) x /i $pc
=> 0x40a0e1c0:  andsmi  r11, r1, r0, ror #4
(gdb) info reg r11 r1 r0
r11            0xdeadbeef       3735928559
r1             0x1      1
r0             0x1      1
(gdb)
ok, I think I have a patch that fixes this bug, checking to make sure it actually still reproduces with tip.
Unfortunately, my lack of ability to keep patches separate has led to another completely unrelated fix getting rolled into this one.
Attachment #629091 - Flags: review?
Attachment #629091 - Flags: review? → review?(Jacob.Bramley)
Comment on attachment 629091 [details] [diff] [review]
/home/mrosenberg/patches/twoFixes-ish-r0.patch

Review of attachment 629091 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/Ion.cpp
@@ +398,5 @@
>      cacheEntries_(0),
>      refcount_(0)
>  {
>  }
> +static const int DataAlignment = 4;
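
Review bot: DataAlignment is a bare 4 with no comment saying what it aligns for. The bug is ARM-only and the fix pads a table size, so the constant encodes the ARM word size; say so next to the definition. A file-scope magic number used from a single function is also the wrong scope: either move it into the function that uses it or make it a named, documented target constant (sizeof(uintptr_t) where natural word alignment is what is meant) so a 64-bit port does not silently inherit a 4-byte alignment.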

Why is this file-global? It's only used once.

@@ +414,5 @@
>  
>      // This should not overflow on x86, because the memory is already allocated
>      // *somewhere* and if their total overflowed there would be no memory left
>      // at all.
> +    size_t paddedSnapshotsSize = AlignBytes(snapshotsSize, DataAlignment);
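
Review bot: only snapshotsSize is padded in this hunk, and the comment immediately above it still argues that the sum cannot overflow because "the memory is already allocated somewhere"; once padding bytes that were never allocated are added to a term, that argument needs restating. The more important point is consistency: if the other table sizes summed into the total keep their raw values while the offsets computed from them are rounded up to DataAlignment, the last table ends up to DataAlignment-1 bytes past the allocation, which is exactly the kind of small heap overrun that surfaces later as a crash inside free(). Pad every size that feeds the total, or better, derive each offset and the total from one routine so they cannot disagree.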

Since DataAlignment is partially parameterized, don't all of those quantities need to be padded?

::: js/src/ion/arm/MacroAssembler-arm.cpp
@@ +2859,5 @@
>  
>  CodeOffsetJump
>  MacroAssemblerARMCompat::jumpWithPatch(RepatchLabel *label, Condition cond)
>  {
> +    //as_bkpt();
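
Review bot: the commented-out as_bkpt() in jumpWithPatch should not land. Commented-out debugging aids rot, and if someone re-enables it the extra instruction emitted ahead of the jump may shift the offset the returned CodeOffsetJump records. Drop the line; if a breakpoint is genuinely useful here, put it behind a debug-only flag with a comment explaining when to turn it on.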

Remove it.
Attachment #629091 - Flags: review?(Jacob.Bramley) → review+
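The arithmetic the review above is questioning, worked through as an added example; this is illustrative C written for this page, not IonMonkey's code. One heap block holds a variable-length byte table followed by a table of 32-bit words. The word table's offset is rounded up to the data alignment, so if the byte table's raw size rather than its padded size is what goes into the allocation size, the word table ends up to DataAlignment-1 bytes past the block. That silent overrun into the neighbouring malloc chunk is the kind of corruption that surfaces later as a crash inside __libc_free, as in the backtrace above, and it only triggers when the byte table's length is not already a multiple of the alignment, which is why one fuzz testcase hits it and the next does not. The Header and Layout types, align_bytes, compute_layout, overflow_bytes, alloc_script and roundtrip_ok, the DATA_ALIGNMENT value and the sample tables are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same contract as the AlignBytes() the patch calls: round `bytes` up to a
 * multiple of `alignment`, which must be a power of two. */
static size_t align_bytes(size_t bytes, size_t alignment) {
    return (bytes + alignment - 1) & ~(alignment - 1);
}

/* Assumption: the patch's DataAlignment of 4 is the ARM word size. The
 * uint32_t table below must start on such a boundary; on strict-alignment
 * targets a misaligned word access faults. */
#define DATA_ALIGNMENT 4

/* Stand-in for the fixed fields at the front of the script object (the real
 * IonScript has more); only the layout arithmetic matters here. */
typedef struct {
    uint32_t snapshotsOffset;
    uint32_t snapshotsSize;
    uint32_t entriesOffset;
    uint32_t nEntries;
} Header;

typedef struct {
    size_t total;         /* bytes that will be allocated */
    size_t snapshotsOff;  /* byte table: any length */
    size_t entriesOff;    /* uint32_t table: must be word-aligned */
    size_t end;           /* one past the last byte the writer touches */
} Layout;

/* padSizes == false reproduces the pre-patch arithmetic: the word table's
 * offset is rounded up, but the byte table's raw size is what is summed into
 * the allocation size. padSizes == true is the patch's paddedSnapshotsSize. */
static Layout compute_layout(size_t snapshotsSize, size_t nEntries, bool padSizes) {
    Layout l;
    size_t snapBytes = padSizes ? align_bytes(snapshotsSize, DATA_ALIGNMENT)
                                : snapshotsSize;
    l.total = sizeof(Header) + snapBytes + nEntries * sizeof(uint32_t);
    l.snapshotsOff = sizeof(Header);
    l.entriesOff = align_bytes(l.snapshotsOff + snapshotsSize, DATA_ALIGNMENT);
    l.end = l.entriesOff + nEntries * sizeof(uint32_t);
    return l;
}

/* Bytes the writer would run past the end of the block; 0 means it fits. */
static size_t overflow_bytes(size_t snapshotsSize, size_t nEntries, bool padSizes) {
    Layout l = compute_layout(snapshotsSize, nEntries, padSizes);
    return l.end > l.total ? l.end - l.total : 0;
}

/* Hardened constructor: offsets and total come from the same routine, and the
 * bounds check stays in as defence in depth even though padSizes=true makes
 * it unreachable. Caller releases the result with free(). */
static Header *alloc_script(const uint8_t *snapshots, size_t snapshotsSize,
                            const uint32_t *entries, size_t nEntries) {
    Layout l = compute_layout(snapshotsSize, nEntries, true);
    if (l.end > l.total || l.entriesOff % DATA_ALIGNMENT != 0)
        return NULL;
    uint8_t *block = calloc(1, l.total);
    if (!block)
        return NULL;
    Header *h = (Header *)block;
    h->snapshotsOffset = (uint32_t)l.snapshotsOff;
    h->snapshotsSize   = (uint32_t)snapshotsSize;
    h->entriesOffset   = (uint32_t)l.entriesOff;
    h->nEntries        = (uint32_t)nEntries;
    memcpy(block + l.snapshotsOff, snapshots, snapshotsSize);
    memcpy(block + l.entriesOff, entries, nEntries * sizeof(uint32_t));
    return h;
}

/* Constructed sample: 13 snapshot bytes (so the byte table ends on an odd
 * boundary) plus two word entries. Reads the tables back through the recorded
 * offsets and frees the block. */
static bool roundtrip_ok(void) {
    uint8_t snaps[13];
    uint32_t ents[2] = { 0x11223344u, 0x55667788u };
    for (size_t i = 0; i < sizeof snaps; i++)
        snaps[i] = (uint8_t)i;
    Header *h = alloc_script(snaps, sizeof snaps, ents, 2);
    if (!h)
        return false;
    const uint8_t *base = (const uint8_t *)h;
    const uint32_t *back = (const uint32_t *)(base + h->entriesOffset);
    bool ok = back[0] == ents[0] && back[1] == ents[1]
           && base[h->snapshotsOffset + 12] == 12;
    free(h);
    return ok;
}

int main(void) {
    printf("13-byte table, raw size summed:    %zu bytes past the block\n",
           overflow_bytes(13, 2, false));
    printf("13-byte table, padded size summed: %zu bytes past the block\n",
           overflow_bytes(13, 2, true));
    printf("12-byte table, raw size summed:    %zu bytes past the block\n",
           overflow_bytes(12, 2, false));
    return roundtrip_ok() ? 0 : 1;
}
```

With padSizes=false a 13-byte snapshot table overruns by 3 bytes while a 12-byte one fits, which is the intermittent behaviour a fuzzer sees; with padSizes=true the block and the offsets agree for every length. The check on l.end in alloc_script costs nothing and turns any future layout mistake into a NULL return instead of a write into the next chunk.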
landed, seems stable: http://hg.mozilla.org/projects/ionmonkey/rev/aff52d7f5924
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Group: core-security