Closed
Bug 763112
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash on Heap trying to execute invalid address through [@ js::Invoke]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 762936
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, sec-critical, testcase, Whiteboard: [jsbugmon:update,ignore])
Crash Data
Attachments
(1 file)
1.02 KB,
text/javascript
The attached testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager).
Reporter
Comment 1•12 years ago
Crash trace:
==31127== Jump to the invalid address stated on the next line
==31127==    at 0x200: ???
==31127==    by 0x815965E: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.cpp:367)
==31127==    by 0x84CF185: js::ion::InvokeFunction(JSContext*, JSFunction*, unsigned int, JS::Value*, JS::Value*) (VMFunctions.cpp:65)
==31127==    by 0x9CCB3D4: ???
==31127==  Address 0x200 is not stack'd, malloc'd or (recently) free'd
Updated•12 years ago
Keywords: sec-critical
Reporter
Comment 2•12 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 3dc37e74fdf0).
Reporter
Updated•12 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Reporter
Comment 3•12 years ago
Fixed by bug 762936?
Comment 4•12 years ago
Appears so.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Reporter
Comment 5•11 years ago
Will add the test in bug 763440 which should cover this.
Flags: in-testsuite-