Bug 762059 (Closed)
Opened 12 years ago; Closed 12 years ago
IonMonkey: ARM Crash on heap (0xdeadbeee) through [@ JSObject::getProperty]
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, target milestone mozilla16
Branch | Tracking | Status
---|---|---
firefox13 | - | unaffected
firefox14 | - | unaffected
firefox15 | - | unaffected
firefox16 | - | unaffected
firefox-esr10 | --- | unaffected
People: Reporter: decoder; Unassigned
Keywords: crash, sec-critical, testcase
Whiteboard: js-triage-needed
Attachments (1 file): patch, 8.52 KB, jbramley: review+ (Details | Diff | Splinter Review)
Description

The following testcase crashes on ionmonkey-arm (private branch) revision (run with --ion -n -m --ion-eager):

    function TestCase(n, d, e, a) {}
    var SECTION = "11.7.1";
    for ( power = 0; power < 33; power++ ) {
      shiftexp = Math.pow( 2, power );
      for ( addexp = 0; addexp < 33; addexp++ ) {
        new TestCase( SECTION, LeftShift( shiftexp, addexp ), shiftexp << addexp );
      }
    }
    function ToInt32( n ) {}
    function ToInt32BitString( n ) {
      var b = "";
      var sign = ( n < 0 ) ? -1 : 1;
      b += ( sign == 1 ) ? "0" : "1";
      for ( p = 30; p >= 0; p-- ) {
        b += ( sign == 1 ) ? "0" : "1";
      }
      return b;
    }
    function ToInt32Decimal( bin ) {
      if ( Number(bin.charAt(0)) == 0 ) {
        r = 0;
      }
      for ( var j = 0; j < 31; (function ( Math, n, Number) { return "baz"; } ) ( ) . abstract ++ ) {
        r += Math.pow( 2, j ) * Number(bin.charAt(31-j));
      }
    }
    function LeftShift( s, a ) {
      s = ToInt32BitString( s );
      return ToInt32(ToInt32Decimal(s));
    }
Comment 1 (Reporter) • 12 years ago
HG Revision is 153a2db06024. It was missing because the instance lacked a mercurial installation ^_^.
Updated • 12 years ago
Whiteboard: js-triage-needed
Comment 2 • 12 years ago
Small repercussion from a previous patch. I moved an increment down, and did not update a reference to it.
Updated • 12 years ago
Attachment #631659 - Flags: review?(Jacob.Bramley)
Comment 3 • 12 years ago
Comment on attachment 631659 [details] [diff] [review] /home/mrosenberg/patches/debug-r0.patch Review of attachment 631659 [details] [diff] [review]: ----------------------------------------------------------------- Most of the changes don't look directly related to this bug, though the patch looks good anyway, with one (easily-fixed) exception in the endianness code. ::: js/src/ion/shared/IonAssemblerBufferWithConstantPools.h @@ +453,5 @@ > int poolId = p - pools; > IonSpew(IonSpew_Pools, "Inserting entry (token %d) into pool %d", token, poolId); > + IonSpewStart(IonSpew_Pools, "data is: 0x"); > + for (int idx = 0; idx < p->immSize; idx++) { > +#if IS_LITTLE_ENDIAN I think it'd be clearer to make it loop the other way for the little-endian case: #if IS_LITTLE_ENDIAN for (int idx = p->immSize-1; idx >= 0; idx--) { #else for (int idx = 0; idx < p->immSize; idx++) { #endif (I think I would want to put the whole loop in the conditions because I don't like overlapping preprocessor and language-level scopes, but that might be rather verbose.) @@ +454,5 @@ > IonSpew(IonSpew_Pools, "Inserting entry (token %d) into pool %d", token, poolId); > + IonSpewStart(IonSpew_Pools, "data is: 0x"); > + for (int idx = 0; idx < p->immSize; idx++) { > +#if IS_LITTLE_ENDIAN > + static const int correction = 0x3; This is broken if p->immSize != 4.
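Review bot: In the first hunk (@@ +453,5 @@) the `#if IS_LITTLE_ENDIAN` opens inside the body of `for (int idx = 0; idx < p->immSize; idx++)`, so the preprocessor conditional and the loop body overlap and a reader cannot see at the loop header which byte order the spew will print. Move the selection to the loop header so each configuration reads as one plain loop, for example `#if IS_LITTLE_ENDIAN` / `for (int idx = p->immSize-1; idx >= 0; idx--) {` / `#else` / `for (int idx = 0; idx < p->immSize; idx++) {` / `#endif`, which also removes the need for any per-byte index correction in the little-endian branch.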
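Review bot: In the second hunk (@@ +454,5 @@) `static const int correction = 0x3;` hard-codes a 4-byte entry, yet the loop bound is `p->immSize`; for any entry larger than 4 bytes an index derived from `correction - idx` goes negative once `idx > 3` and reads before the entry, and for smaller entries it reads past it. Derive the correction from the size (`p->immSize - 1`) or drop it in favour of a reverse loop, and a debug-only spew is no reason to leave an out-of-bounds read in the assembler buffer code.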
Attachment #631659 - Flags: review?(Jacob.Bramley) → review+
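The spew loop discussed in the review above prints the bytes of a constant-pool immediate so that the hex reads most-significant-byte first whether the host is little- or big-endian. The following is an added example, not code from attachment 631659 or from IonMonkey, that puts the two index schemes side by side: the fixed `correction = 0x3` the reviewer flagged, which is only in bounds for a 4-byte entry, and an index derived from the entry size, which holds for any size. It also shows a byte dumper that chooses loop direction by host byte order. The function names, the runtime endianness probe (IonMonkey selects at compile time with `IS_LITTLE_ENDIAN`) and the sample immediates are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Runtime byte-order probe, constructed for this example; the assembler
   buffer itself uses a compile-time IS_LITTLE_ENDIAN macro instead. */
static int host_is_little_endian(void) {
    const uint16_t probe = 0x0102;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 0x02;
}

/* Byte index produced by a fixed correction of 0x3 (assumed reconstruction of
   the flagged scheme): correct only when the entry is exactly 4 bytes. */
int fixed_correction_index(int idx) {
    static const int correction = 0x3;
    return correction - idx;
}

/* Byte index derived from the entry's real size: valid for any immSize. */
int size_based_index(int idx, int immSize) {
    return immSize - 1 - idx;
}

/* 1 if index is a valid byte offset into an entry of immSize bytes. */
int index_in_bounds(int index, int immSize) {
    return index >= 0 && index < immSize;
}

/* Render the immSize bytes of an in-memory immediate as hex, most significant
   byte first on either host byte order. Returns the number of hex characters
   written, or -1 if immSize is not positive or out cannot hold the result. */
int dump_imm_hex(const uint8_t *data, int immSize, char *out, size_t outlen) {
    if (immSize <= 0 || outlen < (size_t)immSize * 2 + 1)
        return -1;
    int pos = 0;
    if (host_is_little_endian()) {
        /* Little-endian: the most significant byte sits last, so walk backwards. */
        for (int idx = immSize - 1; idx >= 0; idx--)
            pos += snprintf(out + pos, outlen - (size_t)pos, "%02x", data[idx]);
    } else {
        /* Big-endian: memory order already is print order. */
        for (int idx = 0; idx < immSize; idx++)
            pos += snprintf(out + pos, outlen - (size_t)pos, "%02x", data[idx]);
    }
    return pos;
}

/* Wrappers for 32- and 64-bit immediates stored in host byte order. */
int dump_u32(uint32_t v, char *out, size_t outlen) {
    uint8_t buf[4];
    memcpy(buf, &v, sizeof buf);
    return dump_imm_hex(buf, (int)sizeof buf, out, outlen);
}

int dump_u64(uint64_t v, char *out, size_t outlen) {
    uint8_t buf[8];
    memcpy(buf, &v, sizeof buf);
    return dump_imm_hex(buf, (int)sizeof buf, out, outlen);
}

int main(void) {
    char out[17];
    dump_u32(0xdeadbeeeu, out, sizeof out);          /* sample immediate (constructed) */
    printf("4-byte entry: 0x%s\n", out);
    dump_u64(0x0123456789abcdefULL, out, sizeof out); /* sample immediate (constructed) */
    printf("8-byte entry: 0x%s\n", out);
    /* Walk an 8-byte entry with both index schemes. */
    for (int idx = 0; idx < 8; idx++) {
        int fixed = fixed_correction_index(idx);
        printf("idx %d: fixed correction -> %d (%s), size-based -> %d\n",
               idx, fixed, index_in_bounds(fixed, 8) ? "ok" : "OUT OF BOUNDS",
               size_based_index(idx, 8));
    }
    return 0;
}
```

For a 4-byte entry both schemes agree; for the 8-byte entry the fixed correction goes negative from idx 4 onwards, which is the out-of-bounds read the review points at.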
Updated • 12 years ago
Keywords: sec-critical
Updated • 12 years ago
status-firefox13: --- → unaffected
status-firefox14: --- → unaffected
status-firefox15: --- → unaffected
tracking-firefox13: --- → -
tracking-firefox14: --- → -
tracking-firefox15: --- → -
tracking-firefox16: --- → ?
Summary: IonMonkey: Crash on heap (0xdeadbeee) through [@ JSObject::getProperty] → IonMonkey: ARM Crash on heap (0xdeadbeee) through [@ JSObject::getProperty]
Comment 4 • 12 years ago
landed + fixed: http://hg.mozilla.org/projects/ionmonkey/rev/720fc0437990
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated • 12 years ago
status-firefox16: --- → fixed
Comment 5 • 12 years ago
Oops, I don't know if this got merged, but if it did please set status-firefox16 fixed or comment here.
Target Milestone: --- → mozilla16
Updated • 12 years ago
status-firefox-esr10: --- → unaffected
Updated • 9 years ago
Group: core-security