Bug 1085308
Opened 10 years ago
Closed 10 years ago
Crash [@ getClass] with poisoned address
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1066659
| Tracking | Status
---|---|---
firefox36 | --- | affected
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, csectype-uaf, testcase, Whiteboard: [jsbugmon:ignore])
Attachments (1 file)
577 bytes, text/plain
The following testcase crashes on mozilla-central revision 33c0181c4a25 (run with --fuzzing-safe --ion-eager --ion-regalloc=backtracking --arm-sim-icache-checks):

    function reportCompare (expected, actual, description) {
      var expected_t = typeof expected;
      var actual_t = typeof actual;
      var output = "";
      output += "Type mismatch, expected type " + expected_t + ", actual type " + actual_t + " ";
      if (expected != actual) {
        output += "Expected value '" + toPrinted(expected) + printStatus ("Expected value '" + toPrinted(expected) + "' matched actual value '" + toPrinted(actual) + "'");
      }
    }
    gczeal(9, 2)
    var summary = 'this.JSON should not be enumerable';
    test();
    function test() {
      for (var i in this) {
        actual = i;
      }
      try {
        reportCompare(arguments && this ? new Object() : fin2!==1, summary);
      } catch(exc1) {}
    }
    test();
Comment 1 • 10 years ago (Reporter)

Comment 2 • 10 years ago (Reporter)
Test requires a non-debug (optimized) ARM simulator build and is intermittent (but reproduces > 50% of the time). Crash trace:

    Program received signal SIGSEGV, Segmentation fault.
    0x0847916f in getClass (this=(const JSObject * const) 0xf5900000 Cannot access memory at address 0x2b2b2b2b) at js/src/vm/RegExpStatics.cpp:120
    120     }
    #0  0x0847916f in getClass (this=(const JSObject * const) 0xf5900000 Cannot access memory at address 0x2b2b2b2b) at js/src/vm/RegExpStatics.cpp:120
    #1  is<js::StringObject> (this=(const JSObject * const) 0xf5900000 Cannot access memory at address 0x2b2b2b2b) at js/src/jsobj.h:756
    #2  ToPrimitive (vp=$jsval(-nan(0xfff88f5900000)), cx=0x92c9af0) at js/src/jsobjinlines.h:500
    #3  js::LooselyEqual (cx=0x92c9af0, lval=..., rval=..., result=0xf34febdc) at js/src/vm/Interpreter.cpp:732
    #4  0x08342ac8 in js::jit::LooselyEqual<false> (cx=0x92c9af0, lhs=$jsval(-nan(0xfff88f5900000)), rhs=$jsval(-nan(0xfff85f3120c40)), res=0xf34febdc) at js/src/jit/VMFunctions.cpp:236
    #5  0x0833ac09 in js::jit::Simulator::softwareInterrupt (this=0x92c9098, instr=0x9359d84) at js/src/jit/arm/Simulator-arm.cpp:2173
    #6  0x08337fec in js::jit::Simulator::instructionDecode (this=this@entry=0x92c9098, instr=instr@entry=0x9359d84) at js/src/jit/arm/Simulator-arm.cpp:4162
    #7  0x08348934 in js::jit::Simulator::execute<false> (this=0x92c9098) at js/src/jit/arm/Simulator-arm.cpp:4215
    eax            0x2b2b2b2b       724249387
    => 0x847916f <js::LooselyEqual(JSContext*, JS::Value const&, JS::Value const&, bool*)+255>:  mov    (%eax),%ebp

Marked s-s and sec-critical because this crashes at 0x2b2b2b2b and is GC-related (assuming use-after-free).
status-firefox36: --- → affected
Keywords: csectype-uaf, sec-critical
Whiteboard: [jsbugmon:update,bisect]
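Added worked example (not from this bug, the reporter, or SpiderMonkey itself): how a poison-on-free fill pattern produces the crash shape described in comment 2, where a pointer read out of freed memory is 0x2b2b2b2b and the next load through it faults at that address, plus a small triage helper that recognises a fault address as a poison word or poison-plus-small-offset. The toy arena, the cell layout and the pattern table are constructed for illustration; 0x2b is the byte from the report's fault address, while the other table entries, their meaning and the 32-/64-bit widths are assumptions to be checked against the engine's own definitions (js/src/jsutil.h of that era).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte written over every freed cell of the toy arena. 0x2b is the byte that
 * makes up the faulting address 0x2b2b2b2b in this report. */
#define POISON_FREED 0x2b

/* Fill patterns a triager might match a fault address against. 0x2b comes
 * from this report; the rest are illustrative placeholders (assumption) and
 * must be replaced by the engine's real table before being relied on. */
static const unsigned char known_poison[] = { 0x2b, 0x2d, 0x2f, 0x4b, 0x4d, 0x4f };

/* A word of `width` bytes (4 or 8) filled with byte b, e.g. 0x2b2b2b2b. */
static uint64_t poison_word(unsigned char b, unsigned width) {
    uint64_t w = 0;
    for (unsigned i = 0; i < width; i++)
        w = (w << 8) | b;
    return w;
}

/* Recognise a fault address that is a poison word, or a poison word plus a
 * small field offset (a load of field N through a poisoned pointer faults at
 * pattern+N). Returns the pattern byte, or -1 if the address is not poison. */
static int poison_byte(uint64_t fault, unsigned width) {
    for (size_t i = 0; i < sizeof known_poison; i++) {
        uint64_t base = poison_word(known_poison[i], width);
        if (fault >= base && fault - base < 0x1000)
            return known_poison[i];
    }
    return -1;
}

/* Toy object: its first word is a pointer consulted by a getClass()-style
 * accessor, mirroring the report's top frame. Layout is constructed. */
struct cell {
    const char *klass;
    uint32_t payload;
};

static const char toy_class[] = "Object";
static struct cell arena[2];  /* constructed arena, no real allocator */

static struct cell *arena_alloc(void) {
    arena[0].klass = toy_class;
    arena[0].payload = 1;
    return &arena[0];
}

/* Freeing poisons the cell instead of leaving stale but valid pointers
 * behind, so a later use reads the pattern rather than a live object. */
static void arena_free(struct cell *c) {
    memset(c, POISON_FREED, sizeof *c);
}

/* What a dangling holder reads as the class pointer after the free. The read
 * is from our own static arena, so it is well-defined here; in a real engine
 * dereferencing this value is the SIGSEGV at 0x2b2b2b2b seen in comment 2. */
static uint64_t dangling_class_word(void) {
    struct cell *c = arena_alloc();
    struct cell *stale = c;       /* a reference the collector did not know about */
    arena_free(c);
    uintptr_t w;
    memcpy(&w, &stale->klass, sizeof w);
    return (uint64_t)w;
}

int main(void) {
    uint64_t w = dangling_class_word();
    printf("class word read through dangling ref: 0x%llx -> poison byte %d\n",
           (unsigned long long)w, poison_byte(w, (unsigned)sizeof(void *)));
    printf("report fault 0x2b2b2b2b (32-bit) -> %d\n", poison_byte(0x2b2b2b2bu, 4));
    printf("report object 0xf5900000 (32-bit) -> %d\n", poison_byte(0xf5900000u, 4));
    return 0;
}
```

Given a crash report, call poison_byte(fault_address, pointer_width): a hit means the faulting pointer was itself read out of freed, poisoned memory, which is the basis for the use-after-free assessment in comment 2, and if the table mirrors the engine's, the matching byte says which kind of freed memory was read. The offset tolerance matters in practice because the fault address is often pattern plus a field offset rather than the bare pattern.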
Comment 3 • 10 years ago (Reporter)
Cc and needinfo for terrence and jonco, please pass this on to someone else if you are the wrong people to look at this :) Thanks!
Flags: needinfo?(terrence)
Flags: needinfo?(jcoppeard)
Comment 4 • 10 years ago
I reproduced this in the arm simulator: it seems to be identical to bug 1066659.
Flags: needinfo?(terrence)
Flags: needinfo?(jcoppeard)
Flags: needinfo?(bhackett1024)
Updated • 10 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 5 • 10 years ago (Reporter)
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated • 10 years ago (Reporter)
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Updated • 10 years ago (Reporter)
Whiteboard: [jsbugmon:] → [jsbugmon:bisectfix]
Comment 6 • 10 years ago (Reporter)
Didn't see that this is intermittent, putting on the ignore list for JSBugMon for now.
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:ignore]
Comment 7 • 10 years ago
The patch in bug 1066659 fixes this crash for me.
Updated • 10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE