Closed Bug 493290 Opened 15 years ago Closed 15 years ago

Data from Faulting Address controls Branch Selection starting at js3250!js_DeepBail+0xd1

Categories

(Core :: JavaScript Engine, defect)

1.9.1 Branch
x86
Windows XP
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 492487

People

(Reporter: cbook, Unassigned)

Details

(Keywords: crash, Whiteboard: [sg:dupe 492487])

Steps to reproduce:
-> Load http://search.yahoo.com/search?p=Driver+Training+%28Behind+the+Wheel%29+&fr=yfp-t-501&toggle=1&cop=mss&ei=UTF-8
--> Crash

Crashes 1.9.1 opt/debug builds Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090515 Shiretoko/3.5b5pre - trunk seems fine.

Marking as security bug for now, because: Exploitability Classification: UNKNOWN

(f0c.8e4): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0527d878 ecx=071d1d5c edx=00e72c50 esi=0012bb90 edi=00000026
eip=005e2ce1 esp=0012b85c ebp=0012b86c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

js3250!js_DeepBail+0xd1:
005e2ce1 83b80002000000  cmp     dword ptr [eax+200h],0 ds:0023:00000200=????????

ChildEBP RetAddr
0012b86c 004c3680 js3250!js_DeepBail+0xd1
0012b878 004c431c js3250!js_LeaveTrace+0x20
0012b884 004c42ad js3250!js_GetTopStackFrame+0xc
0012b894 004c4cec js3250!PopulateReportBlame+0xd
0012b8dc 004b414b js3250!js_ReportErrorNumberVA+0x4c
0012b908 0057c994 js3250!JS_ReportErrorFlagsAndNumberUC+0x2b
0012b928 0057da65 js3250!ReportRegExpErrorHelper+0x54
0012b948 0057d16e js3250!ProcessOp+0x245
0012b9a8 0057cc55 js3250!ParseRegExp+0x39e
0012b9c4 0057b6d7 js3250!CompileRegExpToAST+0x1c5
0012ba64 0057fb99 js3250!js_NewRegExp+0x47
0012baa4 00589d78 js3250!js_NewRegExpOpt+0x249
0012bb04 0058a74e js3250!regexp_compile_sub+0x4d8
0012bb40 05fb7eeb js3250!RegExp_tn2+0x7e
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012bb84 7c91005d 0x5fb7eeb
0012e158 005ddfae ntdll!RtlFreeHeap+0x130
0012e1a4 0050cbb0 js3250!js_MonitorLoopEdge+0x2de
0012e860 00503cff js3250!js_Interpret+0x6810
0012e940 004f4e55 js3250!js_Invoke+0x99f
0012e978 0051658c js3250!js_fun_call+0x1b5
quit:
Flags: blocking1.9.1?
I don't get a crash with TM tip. Can anyone reproduce this?
I can on 1.9.1, but not TraceMonkey on Mac.
This is like a GC hazard in the native invocation path which was recently fixed.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Flags: blocking1.9.1?
Whiteboard: [sg:dupe 492487]
Group: core-security
Flags: wanted1.9.0.x-