Closed Bug 765266 Opened 9 years ago Closed 9 years ago

IonMonkey: ARM Crash on invalid address near [@ js_NoSuchMethodClass]

Categories

(Core :: JavaScript Engine, defect)

Version: Other Branch
Platform: ARM / Linux
Type: defect
Priority: Not set
Severity: major

Tracking

RESOLVED FIXED
Tracking Status
firefox14 --- unaffected
firefox15 --- unaffected
firefox16 --- unaffected
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: mjrosenb)

Details

(Keywords: crash, sec-critical, testcase)

Attachments

(1 file)

The following testcase crashes on ionmonkey-arm (private branch) revision 153a2db06024 (run with --ion -n -m --ion-eager):

function f(N) {
  for (var i = 0; i != N; ++i) {
    var obj0 = {}, obj1 = {}, obj2 = {};
    obj1['a'+i] = 0;
    obj2['b'+i] = 0;
    obj2['b'+(i+1)] = 1;
    for (var repeat = 0;repeat != 2; ++repeat) {
      var count = 0;
      for (var j in obj1) {
        for (var k in obj2) {
          switch (count) {
            case 0:
          }
          -- count;
        }
      }
    }
  }
}
var array = [function() { f(10); }, ];
for (var i = 0; i != array.length; ++i)
  array[i]();

GDB trace:

Program received signal SIGSEGV, Segmentation fault.
0xeafffffe in ?? ()
(gdb) bt
#0  0xeafffffe in ?? ()
#1  0x005a3438 in js_NoSuchMethodClass ()
#2  0x005a3438 in js_NoSuchMethodClass ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Summary: IonMonkey: Crash on invalid address near [@ js_NoSuchMethodClass] → IonMonkey: ARM Crash on invalid address near [@ js_NoSuchMethodClass]
My bad, I forgot that the subtracts that I had in this code were being used both for modifying the inputs as well as doing bounds checks.
Attachment #634127 - Flags: review?(sstangl)
Attachment #634127 - Flags: review?(sstangl) → review+
Assignee: general → mrosenberg
landed: http://hg.mozilla.org/projects/ionmonkey/rev/b3464c3b7dfc
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: core-security