Bug 293839 - Crash @ js_AllocStack via Script()
Status: Closed, VERIFIED DUPLICATE of bug 291213
Opened 19 years ago; closed 19 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: bc, Assigned: brendan
Details: Keywords: crash; Whiteboard: [keep private until bug 290908 is fixed]
Attachments (1 file): 769 bytes, text/html
Modifying testcase 3 from bug 290908 to use:

var MALICIOUS_CODE = 'Components.stack';
var scriptCode = "arguments.callee.__parent__.eval('" + MALICIOUS_CODE + "');'';";

will crash Firefox 1.0.4/Trunk, Seamonkey 1.7.8/Trunk

NTDLL! 7c901230()
js_AllocStack(JSContext * 0x02fb1d08, unsigned int 3, void * * 0x0012e5d0) line 394 + 39 bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x031109d8, nsXPCWrappedJS * 0x03112c48, unsigned short 5, const nsXPTMethodInfo * 0x03111cb8, nsXPTCMiniVariant * 0x0012e694) line 1133 + 37 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x03112c48, unsigned short 5, const nsXPTMethodInfo * 0x03111cb8, nsXPTCMiniVariant * 0x0012e694) line 450
PrepareAndDispatch(nsXPTCStubBase * 0x03112c48, unsigned int 5, unsigned int * 0x0012e744, unsigned int * 0x0012e734) line 117 + 31 bytes
SharedStub() line 147
nsContentTreeOwner::SetStatus(nsContentTreeOwner * const 0x02fb1984, unsigned int 3, const unsigned short * 0x0033ea64 empty_buffer) line 385
nsWebShell::OnLeaveLink(nsWebShell * const 0x02fb1254) line 602 + 39 bytes
nsGenericElement::LeaveLink(nsPresContext * 0x034f7eb8) line 3330
nsGenericHTMLElement::HandleDOMEventForAnchors(nsPresContext * 0x034f7eb8, nsEvent * 0x0012e9f0, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x0012ea40) line 1632 + 15 bytes
nsHTMLAnchorElement::HandleDOMEvent(nsPresContext * 0x034f7eb8, nsEvent * 0x0012e9f0, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x0012ea40) line 287
nsEventStateManager::DispatchMouseEvent(nsGUIEvent * 0x0012f1a4, unsigned int 332, nsIContent * 0x03502b20, nsIContent * 0x03454d10) line 2518
nsEventStateManager::NotifyMouseOut(nsGUIEvent * 0x0012f1a4, nsIContent * 0x03454d10) line 2587
nsEventStateManager::NotifyMouseOver(nsGUIEvent * 0x0012f1a4, nsIContent * 0x03454d10) line 2633
nsEventStateManager::GenerateMouseEnterExit(nsGUIEvent * 0x0012f1a4) line 2672
nsEventStateManager::PreHandleEvent(nsEventStateManager * const 0x033fe028, nsPresContext * 0x034f7eb8, nsEvent * 0x0012f1a4, nsIFrame * 0x0351a3f4, nsEventStatus * 0x0012ef60, nsIView * 0x034a7818) line 479
PresShell::HandleEventInternal(nsEvent * 0x0012f1a4, nsIView * 0x034a7818, unsigned int 1, nsEventStatus * 0x0012ef60) line 6311 + 61 bytes
PresShell::HandleEvent(PresShell * const 0x033e6c14, nsIView * 0x034a7818, nsGUIEvent * 0x0012f1a4, nsEventStatus * 0x0012ef60, int 0, int & 1) line 6163 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x03517348, nsGUIEvent * 0x0012f1a4, int 0) line 2502
nsViewManager::DispatchEvent(nsViewManager * const 0x033fdd10, nsGUIEvent * 0x0012f1a4, nsEventStatus * 0x0012f080) line 2224 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f1a4) line 174
nsWindow::DispatchEvent(nsWindow * const 0x034ac86c, nsGUIEvent * 0x0012f1a4, nsEventStatus & nsEventStatus_eIgnore) line 1180 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f1a4) line 1201
nsWindow::DispatchMouseEvent(unsigned int 300, unsigned int 0, nsPoint * 0x00000000) line 5904 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 300, unsigned int 0, nsPoint * 0x00000000) line 6159
nsWindow::ProcessMessage(unsigned int 512, unsigned int 0, long 30343326, long * 0x0012f6a8) line 4533 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x0499028e, unsigned int 512, unsigned int 0, long 30343326) line 1472 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x02181478) line 135
nsAppStartup::Run(nsAppStartup * const 0x021813d8) line 145
XRE_main(int 1, char * * 0x01a56fd8, const nsXREAppData * 0x011fa01c kAppData) line 2012 + 35 bytes
main(int 1, char * * 0x01a56fd8) line 60 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
Reporter, updated 19 years ago:
Whiteboard: [keep private until bug 290908 is fixed]
Comment 1 (Reporter, 19 years ago)

Stack:

NTDLL! 7c901230()
js_AllocStack(JSContext * 0x02fb1d08, unsigned int 3, void * * 0x0012e5d0) line 394 + 39 bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x031109d8, nsXPCWrappedJS * 0x03112c48, unsigned short 5, const nsXPTMethodInfo * 0x03111cb8, nsXPTCMiniVariant * 0x0012e694) line 1133 + 37 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x03112c48, unsigned short 5, const nsXPTMethodInfo * 0x03111cb8, nsXPTCMiniVariant * 0x0012e694) line 450
PrepareAndDispatch(nsXPTCStubBase * 0x03112c48, unsigned int 5, unsigned int * 0x0012e744, unsigned int * 0x0012e734) line 117 + 31 bytes
SharedStub() line 147
nsContentTreeOwner::SetStatus(nsContentTreeOwner * const 0x02fb1984, unsigned int 3, const unsigned short * 0x0033ea64 empty_buffer) line 385
nsWebShell::OnLeaveLink(nsWebShell * const 0x02fb1254) line 602 + 39 bytes
nsGenericElement::LeaveLink(nsPresContext * 0x034f7eb8) line 3330
nsGenericHTMLElement::HandleDOMEventForAnchors(nsPresContext * 0x034f7eb8, nsEvent * 0x0012e9f0, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x0012ea40) line 1632 + 15 bytes
nsHTMLAnchorElement::HandleDOMEvent(nsPresContext * 0x034f7eb8, nsEvent * 0x0012e9f0, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x0012ea40) line 287
nsEventStateManager::DispatchMouseEvent(nsGUIEvent * 0x0012f1a4, unsigned int 332, nsIContent * 0x03502b20, nsIContent * 0x03454d10) line 2518
nsEventStateManager::NotifyMouseOut(nsGUIEvent * 0x0012f1a4, nsIContent * 0x03454d10) line 2587
nsEventStateManager::NotifyMouseOver(nsGUIEvent * 0x0012f1a4, nsIContent * 0x03454d10) line 2633
nsEventStateManager::GenerateMouseEnterExit(nsGUIEvent * 0x0012f1a4) line 2672
nsEventStateManager::PreHandleEvent(nsEventStateManager * const 0x033fe028, nsPresContext * 0x034f7eb8, nsEvent * 0x0012f1a4, nsIFrame * 0x0351a3f4, nsEventStatus * 0x0012ef60, nsIView * 0x034a7818) line 479
PresShell::HandleEventInternal(nsEvent * 0x0012f1a4, nsIView * 0x034a7818, unsigned int 1, nsEventStatus * 0x0012ef60) line 6311 + 61 bytes
PresShell::HandleEvent(PresShell * const 0x033e6c14, nsIView * 0x034a7818, nsGUIEvent * 0x0012f1a4, nsEventStatus * 0x0012ef60, int 0, int & 1) line 6163 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x03517348, nsGUIEvent * 0x0012f1a4, int 0) line 2502
nsViewManager::DispatchEvent(nsViewManager * const 0x033fdd10, nsGUIEvent * 0x0012f1a4, nsEventStatus * 0x0012f080) line 2224 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f1a4) line 174
nsWindow::DispatchEvent(nsWindow * const 0x034ac86c, nsGUIEvent * 0x0012f1a4, nsEventStatus & nsEventStatus_eIgnore) line 1180 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f1a4) line 1201
nsWindow::DispatchMouseEvent(unsigned int 300, unsigned int 0, nsPoint * 0x00000000) line 5904 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 300, unsigned int 0, nsPoint * 0x00000000) line 6159
nsWindow::ProcessMessage(unsigned int 512, unsigned int 0, long 30343326, long * 0x0012f6a8) line 4533 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x0499028e, unsigned int 512, unsigned int 0, long 30343326) line 1472 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x02181478) line 135
nsAppStartup::Run(nsAppStartup * const 0x021813d8) line 145
XRE_main(int 1, char * * 0x01a56fd8, const nsXREAppData * 0x011fa01c kAppData) line 2012 + 35 bytes
main(int 1, char * * 0x01a56fd8) line 60 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
Comment 2 (Assignee, 19 years ago)

I crash in args_resolve for this variation of the testcase, as did dbaron for another variation. See bug 291213. I think this is a dup, but I'm not sure why Bob sees such a bogus stack. Did js_AllocRawStack trash its stack when it was in the midst of returning? /be
Comment 3 (Assignee, 19 years ago)

Optimistically asserting DUP status; pls. verify. /be

*** This bug has been marked as a duplicate of 291213 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Comment 4 (Reporter, 19 years ago)

The patch in Bug 291213 Comment 3 fixes this crash in both Firefox 1.0.4 branch and Seamonkey 1.7.8 branch on winxp. Verified dupe.
Status: RESOLVED → VERIFIED
Updated 19 years ago:
Group: security