Closed Bug 808349 Opened 13 years ago Closed 13 years ago

Crash with mjitChunkLimit, verifyprebarriers

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla20

People

(Reporter: jruderman, Assigned: bhackett1024)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

Attached file testcase
1. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi
2. Load the testcase.

Result: Crash in mjit-generated code

(Why does the mozRequestAnimationFrame call matter? That seems to be all that prevents this testcase from running in the shell.)
Attached file stack
Marking sec-crit because these chunk limit things seem to end up with that rating, and crashing in mjit code sounds sketchy, until proven otherwise. Feel free to adjust as needed.
Keywords: sec-critical
Assignee: general → nihsanullah
This is a sec-crit with a testcase, and it's marked tracking for 19. Naveed, could we get some traction here?
Crash Signature: [@ js::mjit::EnterMethodJIT]
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #3)
> This is a sec-crit with a testcase, and it's marked tracking for 19.
> Naveed, could we get some traction here?

Ping? Also, this seems to be a js::mjit::EnterMethodJIT crash, and this signature is pretty common, so it's possible we see this security issue in the wild and not realize it at all.
Flags: needinfo?(nihsanullah)
Brian, judging by the test this looks like another chunk compilation edge-case bug. Is this something you could look at? Or maybe a better question is: is there anything we could do to mitigate chunked compilation bugs while we wait for baseline compilation?
Assignee: nihsanullah → general
Flags: needinfo?(nihsanullah) → needinfo?(bhackett1024)
(In reply to Jesse Ruderman from comment #0)
> Created attachment 678078 [details]
> testcase
>
> 1. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi
> 2. Load the testcase.
>
> Result: Crash in mjit-generated code
>
> (Why does the mozRequestAnimationFrame call matter? That seems to be all
> that prevents this testcase from running in the shell.)

mozRequestAnimationFrame sets a flag which is used to preserve code on GCs. Without this flag the code would be GCed and the bug would not appear.
Comment on attachment 678078 [details]
testcase

Try to replace
window.mozRequestAnimationFrame(function() {});
with
gcPreserveCode(); (function(){})();
This is a bug in the mjitChunkLimit() test function. mjitChunkLimit() is only intended to be called if the JS_GC it does to clear out jitcode actually does clear out jitcode. It already checked for the effects of gcPreserveCode() which will prevent clearing jitcode in the shell, but not the animation information which will prevent clearing jitcode in the browser. The attached patch should fix this.
Attachment #689195 - Flags: review?(dvander)
Flags: needinfo?(bhackett1024)
Group: core-security
Is this actually a sec-critical bug? Still says so in the keywords. I assume you cleared the core-security flag because it isn't?
Assignee: general → bhackett1024
Judging from the patch, this is a bug in a testing-only function.
Keywords: sec-critical
Attachment #689195 - Flags: review?(dvander) → review+
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20