IonMonkey: ARM Crash on invalid address near [@ js_NoSuchMethodClass]

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: major
Reported: 6 years ago
Last modified: 3 years ago
Reporter: decoder
Assignee: mjrosenb
Blocks: 2 bugs
Keywords: crash, sec-critical, testcase
Version: Other Branch
Platform: ARM, Linux
Firefox Tracking Flags: firefox14 unaffected, firefox15 unaffected, firefox16 unaffected, firefox-esr10 unaffected
Attachments: 1 attachment

Description (Reporter, 6 years ago)

The following testcase crashes on ionmonkey-arm (private branch) revision 153a2db06024 (run with --ion -n -m --ion-eager):

function f(N) {
  for (var i = 0; i != N; ++i) {
    // Two small objects whose property names change on every outer iteration.
    var obj0 = {}, obj1 = {}, obj2 = {};
    obj1['a'+i] = 0;
    obj2['b'+i] = 0;
    obj2['b'+(i+1)] = 1;
    for (var repeat = 0; repeat != 2; ++repeat) {
      var count = 0;
      for (var j in obj1) {
        for (var k in obj2) {
          // Switch on a counter that is decremented below its only case label.
          switch (count) {
            case 0:
          }
          --count;
        }
      }
    }
  }
}
var array = [function() { f(10); }];
for (var i = 0; i != array.length; ++i)
  array[i]();
Comment 1 (Reporter, 6 years ago)

GDB trace:


Program received signal SIGSEGV, Segmentation fault.
0xeafffffe in ?? ()
(gdb) bt
#0  0xeafffffe in ?? ()
#1  0x005a3438 in js_NoSuchMethodClass ()
#2  0x005a3438 in js_NoSuchMethodClass ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Summary: IonMonkey: Crash on invalid address near [@ js_NoSuchMethodClass] → IonMonkey: ARM Crash on invalid address near [@ js_NoSuchMethodClass]
Comment 2 (Assignee, 6 years ago)

Created attachment 634127: /home/mrosenberg/patches/nukeOpt-r0.patch

My bad, I forgot that the subtracts that I had in this code were being used both for modifying the inputs as well as doing bounds checks.
Attachment #634127 - Flags: review?(sstangl)
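The failure mode mjrosenb describes in comment 2, an optimization that deletes a subtract because its register result looks redundant while a following bounds check still depends on that same instruction, as an added illustration. This is example code written for this page, not IonMonkey's lowering and not the attached nukeOpt patch (which is not shown here). It assumes a hypothetical ARM-style tableswitch lowering in which a flag-setting SUBS both adjusts the case index and feeds the low-bound check, and it takes low = 0 from the testcase's single `case 0:` so that the subtract is `subs idx, v, #0`: an identity on the register, but not on the condition flags.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy ARM-like IR constructed for this example (not IonMonkey's LIR). An
 * instruction may write a register result, the condition flags, or both. */
typedef enum {
    OP_SUBS,   /* rd = rd - imm; flags set from the result (value AND flags) */
    OP_CMP,    /* flags set from rd - imm; no register result (flags only)   */
    OP_BMI,    /* branch to default if the last flag-setting result was < 0  */
    OP_BGE,    /* branch to default if the last flag-setting result was >= 0 */
    OP_TABLE   /* jump through table[rd]                                      */
} Opcode;

typedef struct { Opcode op; int32_t imm; } Insn;

#define NCASES 1
#define TARGET_DEFAULT (-1)
#define TARGET_OOB     (-2)

/* Hypothetical lowering of `switch (v)` with cases low .. low+NCASES-1. */
static int lower_switch(Insn *out, int32_t low) {
    int n = 0;
    out[n++] = (Insn){OP_SUBS, low};    /* idx = v - low; flags from idx    */
    out[n++] = (Insn){OP_BMI, 0};       /* idx < 0        -> default        */
    out[n++] = (Insn){OP_CMP, NCASES};  /* flags from idx - NCASES          */
    out[n++] = (Insn){OP_BGE, 0};       /* idx >= NCASES  -> default        */
    out[n++] = (Insn){OP_TABLE, 0};     /* jump through table[idx]          */
    return n;
}

/* Buggy peephole: "x - 0 is x, so drop the instruction". True for the
 * register result, false for the flags that the following BMI consumes. */
static int peephole_nuke_sub0_unsafe(Insn *code, int n) {
    int w = 0;
    for (int r = 0; r < n; r++)
        if (!(code[r].op == OP_SUBS && code[r].imm == 0))
            code[w++] = code[r];
    return w;
}

/* Flags written by code[i] are dead only if they are overwritten before any
 * conditional branch reads them. */
static bool flags_dead_after(const Insn *code, int n, int i) {
    for (int j = i + 1; j < n; j++) {
        switch (code[j].op) {
        case OP_SUBS: case OP_CMP: return true;   /* rewritten: dead */
        case OP_BMI:  case OP_BGE: return false;  /* read: live      */
        default: break;
        }
    }
    return true;
}

/* Fixed peephole: treat the flags as a second output and keep the SUBS
 * unless both outputs are dead. */
static int peephole_nuke_sub0_safe(Insn *code, int n) {
    int w = 0;
    for (int r = 0; r < n; r++) {
        bool identity = code[r].op == OP_SUBS && code[r].imm == 0;
        if (identity && flags_dead_after(code, n, r)) continue;
        code[w++] = code[r];
    }
    return w;
}

/* Interpreter. The flags start in a stale state left by some earlier compare
 * (here: a positive result), which is what a branch sees when the instruction
 * that should have set them was deleted. */
static int32_t execute(const Insn *code, int n, int32_t v) {
    int32_t r = v, flags_result = 1;
    for (int i = 0; i < n; i++) {
        switch (code[i].op) {
        case OP_SUBS: r -= code[i].imm; flags_result = r; break;
        case OP_CMP:  flags_result = r - code[i].imm; break;
        case OP_BMI:  if (flags_result < 0) return TARGET_DEFAULT; break;
        case OP_BGE:  if (flags_result >= 0) return TARGET_DEFAULT; break;
        case OP_TABLE:
            if (r < 0 || r >= NCASES) return TARGET_OOB;  /* read past the table */
            return r;                                      /* case index */
        }
    }
    return TARGET_DEFAULT;
}

/* Lower, optimize with one of the two passes, run with switch operand v. */
int switch_target(int32_t v, bool use_unsafe_peephole) {
    Insn code[8];
    int n = lower_switch(code, /*low=*/0);
    n = use_unsafe_peephole ? peephole_nuke_sub0_unsafe(code, n)
                            : peephole_nuke_sub0_safe(code, n);
    return execute(code, n, v);
}

/* A SUBS #0 whose flags are overwritten by a CMP before any branch reads them
 * really is dead; the safe pass removes that one. */
int safe_pass_removes_dead_sub0(void) {
    Insn code[] = {{OP_SUBS, 0}, {OP_CMP, NCASES}, {OP_BGE, 0}, {OP_TABLE, 0}};
    return peephole_nuke_sub0_safe(code, 4) == 3;
}

int main(void) {
    /* Mirrors the testcase's switch(count) with `case 0:` as count goes 0, -1, -2. */
    for (int32_t v = 0; v >= -2; v--)
        printf("v=%d unsafe=%d safe=%d\n", v, switch_target(v, true), switch_target(v, false));
    return 0;
}
```

With the unsafe pass, v = -1 reaches the table jump with a negative index because the BMI that should have sent it to the default case reads stale flags; with the safe pass the same value goes to the default case, and the SUBS is still removed where its flags are genuinely dead (SUBS #0 followed directly by a CMP).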

Updated (6 years ago)
Attachment #634127 - Flags: review?(sstangl) → review+
Keywords: sec-critical
status-firefox14: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → unaffected
tracking-firefox16: --- → +
status-firefox16: unaffected → affected
Assignee: general → mrosenberg
status-firefox-esr10: --- → unaffected
Comment 3 (Assignee, 6 years ago)

landed: http://hg.mozilla.org/projects/ionmonkey/rev/b3464c3b7dfc
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
status-firefox16: affected → unaffected
tracking-firefox16: + → ---
Group: core-security