Bug 865031 - IonMonkey: Crash [@ ObjectType] with regalloc backtracking
Status: RESOLVED WORKSFORME (closed)
Opened 12 years ago, closed 11 years ago
Category: Core :: JavaScript Engine, defect
Reporter: decoder; Assignee: bhackett1024
Keywords: crash, sec-audit, testcase
The following testcase crashes on mozilla-central revision aa620f3fc2f7 (run with --ion-regalloc=backtracking --ion-eager):
test("");
function test(a) {
    for (var x = 0; x < 100; x++)
        eval("(function (...arguments) {})");
}
Comment 1 • 12 years ago • Reporter
Crash trace:
Program received signal SIGSEGV, Segmentation fault.
ObjectType (obj=(js::RawObject) 0x8914b8c Cannot access memory at address 0x290073) at ../jsinferinlines.h:197
197 if (obj->hasSingletonType())
(gdb) bt
#0 ObjectType (obj=(js::RawObject) 0x8914b8c Cannot access memory at address 0x290073) at ../jsinferinlines.h:197
#1 js::types::GetValueType (cx=0x88ca630, val=...) at ../jsinferinlines.h:223
#2 0x0812e428 in js::types::TypeMonitorResult (cx=0x88ca630, script=0xf7428120, pc=0x88c975c "9", rval=...) at /srv/repos/mozilla-central/js/src/jsinfer.cpp:5783
#3 0x0868639d in Monitor (rval=..., pc=0x88c975c "9", script=<optimized out>, cx=0x88ca630) at ../jsinferinlines.h:958
#4 js::ion::DoTypeMonitorFallback (cx=0x88ca630, frame=0xffffc1fc, stub=0x88dfa58, value=$jsval(-nan(0xfff8708914b8c)), res=$jsval(-nan(0xfff8200000000))) at /srv/repos/mozilla-central/js/src/ion/BaselineIC.cpp:1160
#5 0xf7fcf819 in ?? ()
#6 0xf7fc89c5 in ?? ()
(gdb) x /i $pc
=> 0x81248e5 <js::types::GetValueType(JSContext*, JS::Value const&)+117>: mov 0x8(%ecx),%esi
(gdb) info reg ecx
ecx 0x7b0020 8060960
I'm filing this s-s although this requires the non-default option --ion-regalloc=backtracking because the test involves "...arguments", which recently caused another security problem. I want to make sure this is not some underlying bug that could be triggered without regalloc backtracking. If this is not the case, then the bug can be unhidden. Note that this is 32-bit only.
Blocks: 826741
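A reproduction harness for confirming or ruling out a report like this one (for instance when re-checking a "works for me" resolution after allocator fixes land), written here as an added example that is not part of the bug or of the SpiderMonkey tree: it writes the testcase above to a temporary file, runs it under a SpiderMonkey `js` shell with the two flags named in the report, and classifies the outcome by exit status, so a SIGSEGV is reported as a crash rather than a generic failure. The shell path is an assumption (pass it as argv); `selfcheck()` substitutes a constructed Python one-liner for the shell so the crash-classification path can be exercised without a 32-bit build at hand.

```python
"""Reproduction harness for a JS-shell crash testcase (added example)."""
import signal
import subprocess
import sys
import tempfile
from pathlib import Path

# Testcase from the bug report, embedded verbatim.
TESTCASE = """\
test("");
function test(a) {
    for (var x = 0; x < 100; x++)
        eval("(function (...arguments) {})");
}
"""

# Flags the report says are needed; --ion-regalloc=backtracking was non-default.
ION_FLAGS = ["--ion-regalloc=backtracking", "--ion-eager"]


def classify(returncode):
    """Map a subprocess return code to a triage verdict.

    On POSIX, subprocess reports death-by-signal as a negative code
    (-11 for SIGSEGV), so a crash is distinguishable from a normal exit.
    """
    if returncode == 0:
        return "ok"
    if returncode < 0:
        sig = -returncode
        if sig == signal.SIGSEGV:
            return "crash:SIGSEGV"
        return "crash:" + signal.Signals(sig).name
    return "exit:%d" % returncode


def run_testcase(js_cmd, source=TESTCASE, flags=ION_FLAGS, timeout=30):
    """Run `source` under `js_cmd` (argv list) and return the triage verdict.

    `js_cmd` is assumed to be a SpiderMonkey shell, e.g. ["./js"]; the
    flags are appended before the testcase path. A hang is reported as
    "timeout" rather than being mistaken for a clean run.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "testcase.js"
        path.write_text(source)
        try:
            proc = subprocess.run(js_cmd + list(flags) + [str(path)],
                                  capture_output=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            return "timeout"
        return classify(proc.returncode)


def selfcheck():
    """Exercise the harness without a JS shell (constructed stand-ins).

    The first command kills itself with SIGSEGV, the second exits cleanly;
    both ignore the flags and testcase path they are handed.
    """
    crashing = [sys.executable, "-c",
                "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
    clean = [sys.executable, "-c", "pass"]
    return run_testcase(crashing), run_testcase(clean)


if __name__ == "__main__":
    shell = sys.argv[1:]
    if shell:
        print(run_testcase(shell))   # e.g. python3 repro.py ./js
    else:
        print(selfcheck())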
Comment 2 • 12 years ago
> I want to make sure this is not some underlying bug that could be
> triggered without regalloc backtracking. If this is not the case,
> then the bug can be unhidden.
Are you working on making sure or do you mean someone else should? (and if the latter, who?)
Flags: needinfo?(choller)
Comment 3 • 12 years ago • Reporter
I cannot ensure this, a JS dev has to take a look. Since this is a regalloc bug, Brian Hackett will look at it.
Flags: needinfo?(choller)
Updated • 12 years ago
Assignee: general → bhackett1024
Updated • 12 years ago
Keywords: sec-audit
Summary: IonMonkey: Crash [@ ObjectType] → IonMonkey: Crash [@ ObjectType] with regalloc backtracking
Comment 4 • 12 years ago • Assignee
This WFM; can you still reproduce? Some fixes to the backtracking allocator went in yesterday.
Comment 5 • 11 years ago • Reporter
Confirmed that this is WFM.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Updated • 10 years ago
Group: core-security → core-security-release
Updated • 7 years ago
Group: core-security-release