Closed Bug 779125 Opened 13 years ago Closed 13 years ago

IonMonkey: Crash on heap near [@ EnterIon] with invalid read

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Assigned: jandem)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update][ion:p1:fx18])

Crash Data

Attachments

(1 file)

Patch
1.32 KB, patch
dvander
: review+
Details | Diff | Splinter Review
The following testcase crashes on ionmonkey revision 54f9ee5403f0 (run with --ion -n): for(var i = 0; i < 9; (i)) { x = ''.charAt(-1); }
Crash info: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7f63e50 in ?? () (gdb) bt #0 0x00007ffff7f63e50 in ?? () #1 0x00007ffff7f640ba in ?? () #2 0x00000000000000c1 in ?? () #3 0x00007ffff07070e9 in ?? () #4 0x0000000000000000 in ?? () (gdb) x /i $pc => 0x7ffff7f63e50: movzwl (%rbx,%rdx,2),%ebx (gdb) info reg rbx rdx ebx rbx 0x7ffff0823810 140737228453904 rdx 0xffffffff 4294967295 ebx 0xf0823810 -259901424 ==23264== Invalid read of size 2 ==23264== at 0x4032E50: ??? ==23264== by 0x8152A0: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1150) ==23264== by 0x815604: js::ion::SideCannon(JSContext*, js::StackFrame*, unsigned char*) (Ion.cpp:1194) ==23264== by 0x51DF3B: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1535) ==23264== by 0x518C83: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:321) ==23264== by 0x5198B7: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:507) ==23264== by 0x519AFE: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:545) ==23264== by 0x44C1DF: JS_ExecuteScript (jsapi.cpp:5511) ==23264== by 0x408B98: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:435) ==23264== by 0x413D3D: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4837) ==23264== by 0x413F85: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:4878) ==23264== by 0x4148EC: main (js.cpp:5083) ==23264== Address 0x20c72380e is not stack'd, malloc'd or (recently) free'd
Attached patch PatchSplinter Review
LBoundsCheck should do an unsigned comparison if both operands are constant.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #647536 - Flags: review?(dvander)
Attachment #647536 - Flags: review?(dvander) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
https://hg.mozilla.org/projects/ionmonkey/rev/07e292dd5d3f
Group: core-security
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug779125.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: