Closed
Bug 807156
Opened 12 years ago
Closed 12 years ago
Crash at illegal address with Bus Error
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla20
| Tracking | Status | |
|---|---|---|
| firefox17 | --- | unaffected |
| firefox18 | - | affected |
| firefox19 | - | affected |
| firefox20 | --- | fixed |
| firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: mjrosenb)
References
Details
(Keywords: testcase, Whiteboard: [jsbugmon:ignore][ion:p1])
Attachments
(1 file)
|
1.13 KB,
patch
|
djvj
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 71290adea0c1 (run with --ion-eager):
function assertEqArray(actual, expected) {
for (var i = 0; i < actual.length; ++i) {
if (actual[i] != expected[i]) {}
}
}
assertEqArray(
/(?:(?:a*?(")(c)")?)*/.exec('"c"'), [ '"c"', '"', "c" ]
);
|
Reporter | |
Comment 1•12 years ago
|
||
No trace available here, the crash seems to happen already when the pc is on an illegal position. Marking sec-critical. The actual crash is a bus error also in the emulation VM, so it's not a qemu userspace problem: qemu: unhandled CPU exception 0x7 - aborting R00=00000002 R01=f5c0d050 R02=f5c0d050 R03=f5c11150 R04=f5d00230 R05=ffffff85 R06=00000000 R07=f5d00230 R08=00000001 R09=ffffff81 R10=00000002 R11=00000000 R12=f5c16508 R13=f6fdde1c R14=f5c16508 R15=f5af07c4 PSR=20070010 --C- A usr32 qemu: uncaught target signal 6 (Aborted) - core dumped Aborted
Keywords: sec-critical
Whiteboard: [jsbugmon:ignore]
|
Assignee | |
Comment 2•12 years ago
|
||
Additional info: this is with a debug build, not too sure if that was mentioned elsewhere, but I am bad at looking. running this on real hardware results in a Trace/breakpoint trap rather than a SIGBUS. Quickly looking at the actual location of the crash shows that it is one of the runtime asserts that we add to ensure that the stack is aligned.
|
||
Updated•12 years ago
|
Whiteboard: [jsbugmon:ignore] → [jsbugmon:ignore][ion:p1]
|
|
Reporter | |
Updated•12 years ago
|
Assignee: general → mrosenberg
If this is an Ion bug it will only affect Firefox 18 and higher.
Status: NEW → ASSIGNED
status-firefox18:
--- → affected
|
|
Assignee | |
Comment 4•12 years ago
|
||
It looks like it'll be fine if the stack isn't aligned.
Attachment #678677 -
Flags: review?(kvijayan)
|
||
Updated•12 years ago
|
Attachment #678677 -
Flags: review?(kvijayan) → review+
|
|
Assignee | |
Comment 5•12 years ago
|
||
Landed: https://hg.mozilla.org/integration/mozilla-inbound/rev/3136d5ea2399
|
||
Updated•12 years ago
|
status-firefox19:
--- → affected
|
||
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox17:
--- → unaffected
tracking-firefox18:
--- → +
tracking-firefox19:
--- → +
|
||
Comment 6•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/3136d5ea2399
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
|
||
Comment 7•12 years ago
|
||
(In reply to Marty Rosenberg [:mjrosenb] from comment #5) > Landed: https://hg.mozilla.org/integration/mozilla-inbound/rev/3136d5ea2399 Please uplift the patch once we are comfortable with the bake-time/testing on m-c.Thanks !
|
|
||
Comment 8•12 years ago
|
||
Marty, I guess we had enough baking time for this now, did we get enough testing out of this on 19/20 that we can possibly uplift to 18 (Beta)?
|
|
Assignee | |
Comment 9•12 years ago
|
||
my bad. This was only half the patch. I never qrefreshed the setter case, so that never actually landed. Here is the second half of it https://hg.mozilla.org/integration/mozilla-inbound/rev/ff5582c77a06 Since the patch is just removing a check, I can't imagine that this introduces any bugs whatsoever.
|
||
Comment 10•12 years ago
|
||
So this is essentially bogus debug-only assertion that you just fixed by removing? In that case we can probably remove the security-sensitive flag on it and bug 810996.
|
|
Assignee | |
Comment 12•12 years ago
|
||
yes. I was initially afraid that the assert wasn't actually bogus, and bad things would happen without it, but it was unlikely to begin with, and testing seems to have confirmed that.
Group: core-security
|
||
Comment 13•12 years ago
|
||
(In reply to Marty Rosenberg [:mjrosenb] from comment #9) > my bad. This was only half the patch. I never qrefreshed the setter case, > so that never actually landed. > Here is the second half of it > https://hg.mozilla.org/integration/mozilla-inbound/rev/ff5582c77a06 > Since the patch is just removing a check, I can't imagine that this > introduces any bugs whatsoever. https://hg.mozilla.org/mozilla-central/rev/ff5582c77a06 This part is fixed on mozilla20 only; the first part mozilla20 and mozilla19.
status-firefox20:
--- → fixed
Target Milestone: mozilla19 → mozilla20
|
|
||
Updated•12 years ago
|
Keywords: crash,
sec-critical
You need to log in
before you can comment on or make changes to this bug.
Description
•