Closed Bug 763112 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash on Heap trying to execute invalid address through [@ js::Invoke]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major

RESOLVED DUPLICATE of bug 762936

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, sec-critical, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

Attached file Testcase for shell
The attached testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager).
Crash trace:

==31127== Jump to the invalid address stated on the next line
==31127==    at 0x200: ???
==31127==    by 0x815965E: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.cpp:367)
==31127==    by 0x84CF185: js::ion::InvokeFunction(JSContext*, JSFunction*, unsigned int, JS::Value*, JS::Value*) (VMFunctions.cpp:65)
==31127==    by 0x9CCB3D4: ???
==31127==  Address 0x200 is not stack'd, malloc'd or (recently) free'd
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 3dc37e74fdf0).
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Fixed by bug 762936?
Appears so.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Will add the test in bug 763440 which should cover this.
Flags: in-testsuite-