Closed
Bug 765266
Opened 11 years ago
Closed 11 years ago
IonMonkey: ARM Crash on invalid address near [@ js_NoSuchMethodClass]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
firefox14 | --- | unaffected |
firefox15 | --- | unaffected |
firefox16 | --- | unaffected |
firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: mjrosenb)
References
Details
(Keywords: crash, sec-critical, testcase)
Crash Data
Attachments
(1 file)
1.43 KB, patch | sstangl: review+
The following testcase crashes on ionmonkey-arm (private branch) revision 153a2db06024 (run with --ion -n -m --ion-eager):

```js
function f(N) {
  for (var i = 0; i != N; ++i) {
    var obj0 = {}, obj1 = {}, obj2 = {};
    obj1['a'+i] = 0;
    obj2['b'+i] = 0;
    obj2['b'+(i+1)] = 1;
    for (var repeat = 0;repeat != 2; ++repeat) {
      var count = 0;
      for (var j in obj1) {
        for (var k in obj2) {
          switch (count) {
            case 0:
          }
          -- count;
        }
      }
    }
  }
}
var array = [function() { f(10); }, ];
for (var i = 0; i != array.length; ++i)
  array[i]();
```
Reporter | ||
Comment 1•11 years ago
|
||
GDB trace:

```
Program received signal SIGSEGV, Segmentation fault.
0xeafffffe in ?? ()
(gdb) bt
#0 0xeafffffe in ?? ()
#1 0x005a3438 in js_NoSuchMethodClass ()
#2 0x005a3438 in js_NoSuchMethodClass ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
```
Updated•11 years ago
|
Summary: IonMonkey: Crash on invalid address near [@ js_NoSuchMethodClass] → IonMonkey: ARM Crash on invalid address near [@ js_NoSuchMethodClass]
Assignee | ||
Comment 2•11 years ago
|
||
My bad, I forgot that the subtracts that I had in this code were being used both for modifying the inputs as well as doing bounds checks.
Attachment #634127 -
Flags: review?(sstangl)
Updated•11 years ago
|
Attachment #634127 -
Flags: review?(sstangl) → review+
Updated•11 years ago
|
Keywords: sec-critical
Updated•11 years ago
|
status-firefox14:
--- → unaffected
status-firefox15:
--- → unaffected
status-firefox16:
--- → unaffected
tracking-firefox16:
--- → +
Updated•11 years ago
|
Assignee: general → mrosenberg
Updated•11 years ago
|
status-firefox-esr10:
--- → unaffected
Assignee | ||
Comment 3•11 years ago
|
||
landed: http://hg.mozilla.org/projects/ionmonkey/rev/b3464c3b7dfc
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
|
tracking-firefox16:
+ → ---
Updated•8 years ago
|
Group: core-security