Closed Bug 792510 Opened 7 years ago Closed 7 years ago

IonMonkey: Crash with Illegal instruction (SIGILL) with gczeal(4)

Categories: Core :: JavaScript Engine, defect, major
Hardware: ARM
OS: Linux
Type: defect
Priority: Not set
Severity: major

Tracking: RESOLVED FIXED

People: Reporter: decoder, Unassigned

References: Blocks 1 open bug

Details: Keywords: crash, testcase

Attachments: 1 file

The following testcase crashes on mozilla-central revision e4757379b99a (run with --ion-eager):


// Reproducer for the SpiderMonkey JS shell; run with --ion-eager.
gczeal(4);                          // shell builtin: enable GC zeal mode 4
function TestCase( n, d, e, a ) {
  this.bugnumber = "";
}
// Called before its definition: function declarations are hoisted, so this is valid.
addNewTestCase("new Date(-1)", [-1]);
addNewTestCase("new Date(28799999)", [0]);
function addNewTestCase(DateCase, ResultArray) {
  new TestCase( Math.floor(ResultArray[0]/1000)*1000, Date.parse(DateCase.toString()));
}

Summary: Crash with Illegal instruction (SIGILL) with gczeal(4) → IonMonkey: Crash with Illegal instruction (SIGILL) with gczeal(4)
Valgrind shows:

disInstr(thumb): unhandled instruction: 0xFA62 0xF303
==19477== valgrind: Unrecognised instruction at address 0x1a9fad.
==19477==
==19477== Process terminating with default action of signal 4 (SIGILL)
==19477==  Illegal opcode at address 0x1A9FAD
==19477==    at 0x1A9FAC: mozilla::RotateBitsLeft32(unsigned int, unsigned char) (HashFunctions.h:65)
==19477==    by 0x1A9FD7: mozilla::detail::AddU32ToHash(unsigned int, unsigned int) (HashFunctions.h:112)
==19477==    by 0x1BE389: unsigned int mozilla::AddToHash<char>(unsigned int, char) (HashFunctions.h:163)
==19477==    by 0x1BAB25: unsigned int mozilla::detail::HashUntilZero<char>(char const*) (HashFunctions.h:277)
==19477==    by 0x1B4A75: mozilla::HashString(char const*) (HashFunctions.h:303)
==19477==    by 0x1B51A5: js::ScriptFilenameHasher::hash(char const*) (jsscript.h:1164)
==19477==    by 0x1C2345: js::detail::HashTable<js::ScriptFilenameEntry* const, js::HashSet<js::ScriptFilenameEntry*, js::ScriptFilenameHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::prepareHash(char const* const&) (HashTable.h:306)
==19477==    by 0x1C02D9: js::detail::HashTable<js::ScriptFilenameEntry* const, js::HashSet<js::ScriptFilenameEntry*, js::ScriptFilenameHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::lookupForAdd(char const* const&) const (HashTable.h:730)
==19477==    by 0x1BDB1D: js::HashSet<js::ScriptFilenameEntry*, js::ScriptFilenameHasher, js::SystemAllocPolicy>::lookupForAdd(char const* const&) const (HashTable.h:1322)
==19477==    by 0x1B6F2F: js::SaveScriptFilename(JSContext*, char const*) (jsscript.cpp:1314)
==19477==    by 0x1B7AD1: JSScript::fullyInitFromEmitter(JSContext*, JS::Handle<JSScript*>, js::frontend::BytecodeEmitter*) (jsscript.cpp:1648)
==19477==    by 0x284EA9: js::frontend::CompileScript(JSContext*, JS::Handle<JSObject*>, js::StackFrame*, JS::CompileOptions const&, unsigned short const*, unsigned int, JSString*, unsigned int) (BytecodeCompiler.cpp:243)
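
The first Valgrind line above says its Thumb decoder, not the CPU, refused the instruction pair 0xFA62 0xF303, and the top frame is RotateBitsLeft32. The following added example (not part of the bug report or of SpiderMonkey) decodes that pair as a Thumb-2 data-processing (register) shift instruction and relates the result to a rotate-left, which is how one tells a Valgrind decoding gap apart from genuinely bad code when triaging a SIGILL. Function names, the VALGRIND_LINE sample, and the assumed body of RotateBitsLeft32 are mine; the encoding layout follows the ARM Architecture Reference Manual. The decoder handles the whole LSL/LSR/ASR/ROR-by-register group, not only the one instruction from the trace.

```python
# Decoder for the Thumb-2 "data-processing (register)" shift group
# (LSL/LSR/ASR/ROR, encoding T2), enough to read the two halfwords that
# Valgrind printed for this crash. Added example, not the bug's own code.
import re
from typing import Optional

# Copied from the Valgrind output in the report (constructed sample input).
VALGRIND_LINE = "disInstr(thumb): unhandled instruction: 0xFA62 0xF303"

# op1[3:1] selects the shift kind; op1[0] is the S (set flags) bit.
SHIFT_OPS = {0b000: "lsl", 0b001: "lsr", 0b010: "asr", 0b011: "ror"}
MASK32 = 0xFFFFFFFF


def reg(n: int) -> str:
    """Map a 4-bit register number to its conventional name."""
    return {13: "sp", 14: "lr", 15: "pc"}.get(n, f"r{n}")


def decode_dp_register(hw1: int, hw2: int) -> Optional[str]:
    """Decode a 32-bit Thumb-2 data-processing (register) instruction.

    hw1/hw2 are the two 16-bit halfwords in the order Valgrind printed them.
    Only the shift-by-register forms are handled; anything else returns None.
    """
    # Group encoding: hw1 = 11111 010 xxxx xxxx, hw2 = 1111 xxxx xxxx xxxx
    if (hw1 & 0xFE00) != 0xFA00 or (hw2 & 0xF000) != 0xF000:
        return None
    op1 = (hw1 >> 4) & 0xF      # hw1 bits 7:4
    rn = hw1 & 0xF              # first source register
    rd = (hw2 >> 8) & 0xF       # destination register
    op2 = (hw2 >> 4) & 0xF      # hw2 bits 7:4, must be 0000 for a shift
    rm = hw2 & 0xF              # shift amount register
    if op2 != 0:
        return None             # extend instructions (SXTH, UXTB, ...) live here too
    shift = SHIFT_OPS.get(op1 >> 1)
    if shift is None:
        return None             # op1 >= 1000 is SXTAH etc., not a shift
    setflags = "s" if op1 & 1 else ""
    return f"{shift}{setflags}.w {reg(rd)}, {reg(rn)}, {reg(rm)}"


def decode_valgrind_line(line: str) -> Optional[str]:
    """Pull the two halfwords out of a 'disInstr(thumb): unhandled instruction' line."""
    m = re.search(r"unhandled instruction: 0x([0-9A-Fa-f]{4}) 0x([0-9A-Fa-f]{4})", line)
    if not m:
        return None
    return decode_dp_register(int(m.group(1), 16), int(m.group(2), 16))


def rotl32(v: int, n: int) -> int:
    """Rotate left: the (v << n) | (v >> (32 - n)) idiom, assumed here to be
    what RotateBitsLeft32 in HashFunctions.h computes (its body is not on the page)."""
    n &= 31
    return ((v << n) | (v >> (32 - n))) & MASK32


def ror32(v: int, n: int) -> int:
    """What the decoded ROR.W instruction computes: rotate right by n mod 32."""
    n &= 31
    return ((v >> n) | (v << (32 - n))) & MASK32


def rotl_via_ror(v: int, n: int) -> int:
    """rotl(v, n) == ror(v, 32 - n): the rewrite that lets a compiler emit a
    single ror.w for a rotate-left, consistent with ror.w being the faulting
    instruction inside the RotateBitsLeft32 frame."""
    return ror32(v, (32 - n) & 31)


if __name__ == "__main__":
    print(decode_valgrind_line(VALGRIND_LINE))   # ror.w r3, r2, r3
```

The decoded instruction is an ordinary ROR.W r3, r2, r3, which matches the rotate inside the hash function; the SIGILL in this trace therefore comes from Valgrind's VEX front end lacking that encoding at the time, not from the executable itself. That is the distinction the later comment draws when it removes the security flag.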


Assuming sec-critical due to illegal jump.
Marty says this is guaranteed to be a safe SIGILL in all cases, removing s-s.
Group: core-security
Straightforward, but not horribly pretty patch.
Attachment #662819 - Flags: review?(Jacob.Bramley)
Comment on attachment 662819 [details] [diff] [review]
/home/mrosenberg/patches/togglejumps should not be pool guards-r0.patch

david said he wants to review this asap so it can get into the next nightly
Attachment #662819 - Flags: review?(Jacob.Bramley) → review?(dvander)
Attachment #662819 - Flags: review?(dvander) → review+
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED