Closed Bug 1168375 Opened 10 years ago Closed 10 years ago

Crash at js::ObjectGroup::compartment JSObject::compartment js::GCMarker::processMarkStackTop js::GCMarker::drainMarkStack js::gc::GCRuntime::drainMarkStack

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla41

Tracking Flags:

Tracking

Status

firefox42

---

unaffected

firefox-esr38

---

unaffected

People

(Reporter: cbook, Unassigned)

References

(
URL
)

Details

(Keywords: crash, sec-high, Whiteboard: fixed by bug 1167860 )

Attachments

(1 file)

bughunter stack 10 years ago Carsten Book [:Tomcat] 185.07 KB, text/plain		Details

Carsten Book [:Tomcat]

Reporter

Description

•

10 years ago

Attached file bughunter stack — Details

Bughunter found a high exploitable crash in js::ObjectGroup::compartment JSObject::compartment js::GCMarker::processMarkStackTop js::GCMarker::drainMarkStack js::gc::GCRuntime::drainMarkStack on http://www.eea.europa.eu/themes/water/interactive/bathing/state-of-bathing-waters so far not able to reproduce but still trying.

Jon Coppeard (:jonco)

Comment 1

•

10 years ago

Possible duplicate of bug 1167860.

Andrew McCreight [:mccr8]

Comment 2

•

10 years ago

It looks like we're spinning a nested event loop during nsXMLHttpRequest::Send(). Is that expected?

Flags: needinfo?(amarchesini)

Keywords: sec-high

Andrea Marchesini [:baku]

Comment 3

•

10 years ago

If it's a sync XHR yes. Or if it's a worker XHR, yes again.

Flags: needinfo?(amarchesini)

Andrew McCreight [:mccr8]

Updated

•

10 years ago

Comment 4

•

10 years ago

Can you try reproducing this now that bug 1167860 has been fixed? Or if you can't reproduce it at all, maybe we should just close this as incomplete.

Flags: needinfo?(cbook)

Carsten Book [:Tomcat]

Reporter

Comment 5

•

10 years ago

(In reply to Andrew McCreight [:mccr8] from comment #4) > Can you try reproducing this now that bug 1167860 has been fixed? Or if you > can't reproduce it at all, maybe we should just close this as incomplete. yes working on it

Flags: needinfo?(cbook)

Carsten Book [:Tomcat]

Reporter

Comment 6

•

10 years ago

seems this is now fixed by bug 1167860 (thanks jonco)

Status: NEW → RESOLVED

Closed: 10 years ago

Resolution: --- → FIXED

BMO Automation

Updated

•

10 years ago

Group: core-security → core-security-release

Daniel Veditz [:dveditz]

Updated

•

10 years ago

Group: core-security-release

status-firefox42: --- → unaffected

status-firefox-esr38: --- → unaffected

Depends on: 1167860

Whiteboard: fixed by bug 1167860

Target Milestone: --- → mozilla41

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Crash at js::ObjectGroup::compartment JSObject::compartment js::GCMarker::processMarkStackTop js::GCMarker::drainMarkStack js::gc::GCRuntime::drainMarkStack

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: cbook, Unassigned)

References

(
URL
)

Details

(Keywords: crash, sec-high, Whiteboard: fixed by bug 1167860 )

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Comment 6

Updated

Updated

Attachment

General

Description

File Name

Content Type