Closed
Bug 1065362
Opened 10 years ago
Closed 10 years ago
Crash [@ getClass] with poisoned crash pattern
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1066659
| | Tracking | Status |
|---|---|---|
| firefox35 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Crash Data
Description

The following testcase crashes on mozilla-central revision 152ef25e89ae (run with --fuzzing-safe --no-threads --ion-regalloc=backtracking --ion-eager):

```js
gczeal(2,1);
function printStatus (msg) {}
function reportCompare (expected, actual) {
  printStatus(typeof expected);
  printStatus("x" + typeof actual);
  expected != actual;
}
var obj2 = {};
var patterns = new Array();
patterns[0] = '';
patterns[1] = 0;
test();
function test() {
  for (i in patterns)
    reportCompare (this ? new Date() : 'y', obj2 + '');
}
```
Reporter
Comment 1•10 years ago

This looks pretty bad:

```
Program received signal SIGSEGV, Segmentation fault.
0x0866551e in getClass (this=<optimized out>) at js/src/vm/RegExpObject.cpp:971
971	}
#0  0x0866551e in getClass (this=<optimized out>) at js/src/vm/RegExpObject.cpp:971
#1  is<js::StringObject> (this=<optimized out>) at js/src/jsobj.h:1165
#2  js::ToPrimitive (cx=cx@entry=0x95c5378, vp=$jsval(-nan(0xfff88f6b00000))) at js/src/jsobjinlines.h:861
#3  0x08665a03 in js::LooselyEqual (cx=0x95c5378, lval=..., rval=..., result=0xf6afed5c) at js/src/vm/Interpreter.cpp:730
#4  0x084998e7 in js::jit::LooselyEqual<false> (cx=cx@entry=0x95c5378, lhs=lhs@entry=$jsval(-nan(0xfff88f6b00000)), rhs=rhs@entry=$jsval(-nan(0xfff85f6712860)), res=res@entry=0xf6afed5c) at js/src/jit/VMFunctions.cpp:238
#5  0x08484cc0 in js::jit::Simulator::softwareInterrupt (this=0x95c4920, instr=0x96413fc) at js/src/jit/arm/Simulator-arm.cpp:2162
#6  0x08481b0d in js::jit::Simulator::instructionDecode (this=this@entry=0x95c4920, instr=instr@entry=0x96413fc) at js/src/jit/arm/Simulator-arm.cpp:4043
#7  0x084a25f4 in js::jit::Simulator::execute<false> (this=0x95c4920) at js/src/jit/arm/Simulator-arm.cpp:4096
eax            0x2b2b2b2b	724249387
=> 0x866551e <js::ToPrimitive(JSContext*, JS::MutableHandleValue)+78>:	mov    (%eax),%ecx
```

Judging from the crash pattern, I assume this is some form of use-after-free?
status-firefox35:
--- → affected
Keywords: csectype-uaf,
sec-critical
Whiteboard: [jsbugmon:update,bisect]
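Added example, not SpiderMonkey's code and not part of the report: a small C program showing why a fault on an address made of one repeated byte (the 0x2b2b2b2b in eax above) is read as a use-after-free rather than random corruption. A collector or debug allocator that poisons dead cells fills them with a fixed byte; a stale pointer loaded from such a cell is that byte repeated, so the faulting value itself carries the signal. The poison byte 0x2b, the toy object layout and the triage helper names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: 0x2b matches the repeated byte seen in eax in the
 * report, but the poisoning allocator below is illustrative, not the
 * engine's own. */
#define POISON_BYTE 0x2bu

/* Poison-on-free: instead of silently returning the block, overwrite it
 * with the fill byte so any later read through a dangling pointer yields
 * the pattern instead of stale (or reused, possibly attacker-shaped) data. */
static void poison_free(void *block, size_t size)
{
    memset(block, POISON_BYTE, size);
}

/* Are all n bytes equal? If so, store that byte in *fill. */
static bool is_fill_pattern(const void *bytes, size_t n, uint8_t *fill)
{
    const uint8_t *p = bytes;
    if (n == 0)
        return false;
    for (size_t i = 1; i < n; i++) {
        if (p[i] != p[0])
            return false;
    }
    if (fill)
        *fill = p[0];
    return true;
}

/* Triage helper for a 32-bit register or fault address: does it look like
 * it was loaded from poisoned memory? 0x2b2b2b2b -> true; a code address
 * such as 0x0866551e -> false; 0x41414141 is a fill but not the poison. */
static bool looks_like_poisoned_uaf32(uint32_t value)
{
    uint8_t fill;
    return is_fill_pattern(&value, sizeof value, &fill) && fill == POISON_BYTE;
}

/* Toy object with a class pointer in its first word, the field the
 * report's getClass() frame was reading. Layout is an assumption. */
struct toy_obj {
    uintptr_t class_ptr;
    uintptr_t slots[3];
};

/* Simulate the lifecycle: allocate, "die" with poisoning, then read the
 * class pointer through the now-dangling pointer. The block is still owned
 * here, so the read is defined behaviour in this demo; only the value is
 * stale, and it comes back as the poison pattern. */
static bool stale_class_ptr_is_poisoned(void)
{
    struct toy_obj *obj = malloc(sizeof *obj);
    if (!obj)
        return false;
    obj->class_ptr = (uintptr_t)obj;      /* some valid pointer while live */
    poison_free(obj, sizeof *obj);        /* object swept; memory poisoned */
    uintptr_t stale = obj->class_ptr;     /* the read a UAF would perform */
    free(obj);
    uint8_t fill;
    return is_fill_pattern(&stale, sizeof stale, &fill) && fill == POISON_BYTE;
}
```

In practice the check is applied to the faulting register or address from the crash report: a value whose every byte equals a known poison byte means the dereferenced pointer was read from swept memory, which is the cue to look for the object's missing barrier or root rather than for heap corruption.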
Comment 2•10 years ago
Christian, can you do a bisection on this?
Reporter
Comment 3•10 years ago
Actually I suspect this is the same bug as 1066659, needinfo from Hannes to confirm that.
Flags: needinfo?(hv1989)
Comment 4•10 years ago
Same regression range:

```
changeset:   183175:8c234572141a
user:        Terrence Cole <terrence@mozilla.com>
date:        Mon May 05 17:10:29 2014 -0700
summary:     Bug 989414 - Always allocate lambda objects in the nursery; r=jonco
```
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(hv1989)
Resolution: --- → DUPLICATE
Updated•9 years ago
Group: core-security