
Crash [@ ??] with regular expression in for-loop

RESOLVED DUPLICATE of bug 1139368

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED DUPLICATE of bug 1139368
Reported: 3 years ago
Modified: 11 months ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Platform: x86 Linux
Keywords: crash, regression, sec-high, testcase
Points: ---

Firefox Tracking Flags

(firefox39 affected)

Details

(Whiteboard: [fuzzblocker] [jsbugmon:update], crash signature)

(Reporter)

Description

3 years ago
The following testcase crashes on mozilla-central revision 43fb1f92e8d4 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --ion-offthread-compile=off --ion-eager):

var o = {}
function f(o) {
  for (var i = /x/g; i < 100; i++)
    o.bar();
}
f(o);
f();
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0xf67397e2 in ?? ()
#0  0xf67397e2 in ?? ()
eax	0x9784800	158877696
ebx	0x0	0
ecx	0xffffff82	-126
edx	0xffffff88	-120
esi	0xdeadbeef	-559038737
edi	0xdeadbeef	-559038737
ebp	0x0	0
esp	0xffffbadc	4294949596
eip	0xf67397e2	4134770658
=> 0xf67397e2:	mov    0x0(%ebp),%eax
   0xf67397e5:	mov    0xc(%eax),%eax


This looks like a null-crash but marking s-s because there are no symbols and it's hard to tell what's going on. Also marking fuzzblocker because the test is fairly simple.
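The reporter's reasoning above (faulting instruction reads through %ebp, %ebp is 0, so it looks like a null dereference, but without symbols it is kept security-sensitive) can be made mechanical for fuzzer triage. The script below is an added example, not part of the bug report or of any Mozilla tooling: it parses the gdb register dump and faulting instruction quoted above (embedded inline as a constructed sample), computes the effective address of the faulting memory operand, and classifies the crash. The near-null threshold (first 4 KiB page), the poison value set (0xdeadbeef) and the 32-bit address masking are assumptions chosen to match this i686 build.

```python
import re

# Constructed sample: the gdb output quoted in the report above, embedded here
# so the script runs offline. Real reports would be read from a file or stdin.
SAMPLE_DUMP = (
    "Program received signal SIGSEGV, Segmentation fault.\n"
    "0xf67397e2 in ?? ()\n"
    "#0  0xf67397e2 in ?? ()\n"
    "eax\t0x9784800\t158877696\n"
    "ebx\t0x0\t0\n"
    "ecx\t0xffffff82\t-126\n"
    "edx\t0xffffff88\t-120\n"
    "esi\t0xdeadbeef\t-559038737\n"
    "edi\t0xdeadbeef\t-559038737\n"
    "ebp\t0x0\t0\n"
    "esp\t0xffffbadc\t4294949596\n"
    "eip\t0xf67397e2\t4134770658\n"
    "=> 0xf67397e2:\tmov    0x0(%ebp),%eax\n"
    "   0xf67397e5:\tmov    0xc(%eax),%eax\n"
)

# "eax<TAB>0x9784800<TAB>158877696" register lines from gdb's "info registers".
REG_RE = re.compile(r"^(e[a-z]{2})\t(0x[0-9a-f]+)\t", re.M)
# The "=> addr:<TAB>mnemonic operands" line marks the faulting instruction.
FAULT_RE = re.compile(r"^=> 0x[0-9a-f]+:\t(\S+)\s+(.*)$", re.M)
# AT&T memory operand: disp(base,index,scale) with every part but base optional.
MEM_RE = re.compile(r"(-?0x[0-9a-f]+)?\((%[a-z]+)(?:,(%[a-z]+)(?:,(\d))?)?\)")
# Frame #0 printed as "?? ()" means gdb had no symbols for the faulting code.
NO_SYMBOLS_RE = re.compile(r"^#0\s+0x[0-9a-f]+ in \?\? \(\)", re.M)

NEAR_NULL_LIMIT = 0x1000          # assumption: first page is never mapped
POISON_VALUES = {0xDEADBEEF}      # assumption: well-known fill/poison pattern
ADDR_MASK = 0xFFFFFFFF            # 32-bit build (i686 target in the report)


def parse_registers(dump):
    """Map register name -> integer value from the gdb register dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def faulting_access(dump):
    """Return (mnemonic, displacement, base, index, scale) for the memory
    operand of the faulting instruction, or None if there is no memory operand."""
    m = FAULT_RE.search(dump)
    if m is None:
        return None
    mnemonic, operands = m.groups()
    mem = MEM_RE.search(operands)
    if mem is None:
        return None
    disp, base, index, scale = mem.groups()
    return (
        mnemonic,
        int(disp, 16) if disp else 0,
        base.lstrip("%"),
        index.lstrip("%") if index else None,
        int(scale) if scale else 1,
    )


def classify(dump):
    """Classify a SIGSEGV register dump as near-null, poison-deref or wild,
    and decide whether it should stay marked security-sensitive."""
    regs = parse_registers(dump)
    access = faulting_access(dump)
    has_symbols = NO_SYMBOLS_RE.search(dump) is None
    poison_regs = [r for r, v in regs.items() if v in POISON_VALUES]

    effective = None
    verdict = "unknown"
    if access is not None:
        _, disp, base, index, scale = access
        effective = disp + regs.get(base, 0)
        if index is not None:
            effective += regs.get(index, 0) * scale
        effective &= ADDR_MASK
        if base in poison_regs or index in poison_regs:
            verdict = "poison-deref"      # pointer came from freed/uninitialised memory
        elif effective < NEAR_NULL_LIMIT:
            verdict = "near-null"         # small offset from a null pointer
        else:
            verdict = "wild"              # arbitrary address: treat as exploitable

    return {
        "effective_address": effective,
        "verdict": verdict,
        "has_symbols": has_symbols,
        "poison_registers": poison_regs,
        # Mirror the reporter's call: a near-null deref in a symbolised trace can
        # be downgraded, but without symbols it stays security-sensitive.
        "needs_security_review": verdict != "near-null" or not has_symbols,
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On the dump above the script reports a near-null effective address (0x0 + %ebp = 0) with no symbols, so it keeps the bug flagged for security review, which is exactly the reporter's conclusion. The poison registers list (esi, edi) is reported separately: those values are not used by the faulting access here, but their presence is a useful hint when a later frame does dereference them.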
(Reporter)

Updated

3 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
(Reporter)

Comment 1

3 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150303001933" and the hash "074919869975".
The "bad" changeset has the timestamp "20150303003949" and the hash "1fb224ec0020".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=074919869975&tochange=1fb224ec0020
(Reporter)

Comment 2

3 years ago
Needinfo from jandem based on comment 1. I think we have another bug on file with the same bisection, but I can't seem to find it right now.
(Reporter)

Updated

3 years ago
Flags: needinfo?(jdemooij)
(Reporter)

Comment 3

3 years ago
Ah found it, likely a dup to bug 1139368?
(In reply to Christian Holler (:decoder) from comment #3)
> Ah found it, likely a dup to bug 1139368?

Yes.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Duplicate of bug: 1139368

Updated

2 years ago
Group: core-security → core-security-release

Updated

11 months ago
Group: core-security-release
Keywords: sec-high