Created attachment 8469247 arm-xpcom.patch
firefox-
This issue was reported on the Debian project: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756426
I haven't reproduced this myself, and I don't have a suitable test environment set up at the moment. The attached patch was written and tested by a colleague (Steve Capper), with the following explanation:
=========================================================================
NS_InvokeByIndex extracts arguments to an XPCOM method and places them
either in registers or on the stack as defined by the ARM calling
convention.
Unfortunately there is a bug when we have a 64-bit quantity passed
to the fourth argument, such as:
NS_IMETHODIMP History::AddDownload(nsIURI* aSource, nsIURI* aReferrer,
                                   PRTime aStartTime, nsIURI* aDestination)
The function expects arguments 0 (this), 1 (aSource) and 2 (aReferrer)
to be in r0, r1, r2 and arguments 3 (aStartTime) and 4 (aDestination)
to be on the stack.
Due to a counting bug in copy_dword, we get aDestination passed in
r3 rather than the stack, leading to data corruption and a crash.
This patch adjusts the logic in copy_dword s.t. any failed attempts
to fit a parameter in registers prevents further parameters being
placed in registers.
I have tested this patch on Iceweasel 30.0 (Firefox 30.0) on Jessie,
and it appears to be stable.
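To illustrate the register-counting bug described above, here is an added example (not the xpcom source or the attached patch) that models the ARM AAPCS core-register assignment NS_InvokeByIndex has to follow and runs the AddDownload argument list through a "buggy" and a "fixed" placement rule. The argument names and the `place_args`/`add_download_placement` helpers are constructed for this illustration; the model covers only 32-bit integer/pointer arguments and 64-bit scalars.

```c
/* Constructed model of AAPCS core-register argument placement, as used by an
 * NS_InvokeByIndex-style marshaller. Not the real xpcom code. */
#include <stdio.h>
#include <stdbool.h>
#define NUM_REGS 4   /* r0..r3 carry integer/pointer arguments */
#define STACK (-1)   /* marker: argument lives on the stack */
typedef struct { const char *name; int words; } arg_t; /* words: 1 = 32-bit, 2 = 64-bit */

/* Place each argument; out[i] = first register number or STACK.
 * 'fixed' models the patch: once a parameter fails to fit in registers,
 * no later parameter may use them (AAPCS sets NCRN to r4). */
static void place_args(const arg_t *args, int n, int *out, bool fixed) {
    int ncrn = 0;             /* next core register number */
    bool regs_closed = false;
    for (int i = 0; i < n; i++) {
        int start = ncrn;
        if (args[i].words == 2 && (start & 1)) start++;  /* 64-bit needs an even pair */
        if (!regs_closed && start + args[i].words <= NUM_REGS) {
            out[i] = start;
            ncrn = start + args[i].words;
        } else {
            out[i] = STACK;
            if (fixed) regs_closed = true;
            /* Bug: ncrn is left at r3 after the failed 64-bit placement, so a
             * following 32-bit argument is still handed r3 instead of the stack. */
        }
    }
}

/* Argument list of the AddDownload signature quoted in the report, including
 * the implicit "this" pointer (constructed from the description above). */
static const arg_t add_download_args[] = {
    {"this", 1}, {"aSource", 1}, {"aReferrer", 1}, {"aStartTime", 2}, {"aDestination", 1}
};
#define ADD_DOWNLOAD_ARGC 5

/* Returns where argument i of AddDownload lands: register number or STACK. */
int add_download_placement(int i, bool fixed) {
    int out[ADD_DOWNLOAD_ARGC];
    place_args(add_download_args, ADD_DOWNLOAD_ARGC, out, fixed);
    return out[i];
}

int main(void) {
    for (int fixed = 0; fixed < 2; fixed++)
        for (int i = 0; i < ADD_DOWNLOAD_ARGC; i++) {
            int p = add_download_placement(i, fixed);
            printf("%s: %-13s -> ", fixed ? "fixed" : "buggy", add_download_args[i].name);
            if (p == STACK) printf("stack\n"); else printf("r%d\n", p);
        }
    return 0;
}
```

With the buggy rule aDestination is reported in r3, matching the corruption described in the report; with the fixed rule both aStartTime and aDestination go to the stack.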