Closed
Bug 1356434
Opened 7 years ago
Closed 7 years ago
Crash in js::NativeObject::setSlot
Categories
(Core :: JavaScript: GC, defect)
People
(Reporter: lizzard, Unassigned)
Details
(Keywords: crash, sec-high, testcase-wanted)
Crash Data
This bug was filed from the Socorro interface and is report bp-3bf6aa6d-7e85-44c1-a2e2-107502170409.

=============================================================

This is showing up in crash-stats mostly for ESR, but there are also crashes from 52.0.2 and a few from beta 53. The patches from bug 1305779 and its duplicate bug 1302432 seem to have fixed most, but not all, of the crashes with this signature.

Comment 1 (Reporter) • 7 years ago
jimb, shu, possibly of interest since you worked on the related bugs. I'm not sure exactly which component to put this into.
Flags: needinfo?(shu)
Flags: needinfo?(jimb)
Updated (Reporter) • 7 years ago
status-firefox52:
--- → wontfix
status-firefox53:
--- → wontfix
status-firefox54:
--- → affected
status-firefox-esr52:
--- → affected
Updated • 7 years ago
Group: core-security → javascript-core-security
Updated • 7 years ago
Keywords: testcase-wanted
Comment 2 • 7 years ago
I see some _EXEC and _WRITE violations that could be exploitable. Seems like a pretty generic function: these could be different bugs represented by the same signature.
Keywords: sec-high
Comment 3 • 7 years ago
That crash report and the lack of other information means this isn't an actionable bug for me, unfortunately.
Flags: needinfo?(shu)
Comment 4 (Reporter) • 7 years ago
Wontfix for 54 since it's releasing tomorrow. No crash reports yet from 55 or 56 so I'm not sure if they're affected.
Comment 5 • 7 years ago

(In reply to Shu-yu Guo [:shu] from comment #3)
> That crash report and the lack of other information means this isn't an
> actionable bug for me, unfortunately.

Why? Can you elaborate? Can you help us find a new owner?
Flags: needinfo?(shu)
Comment 6 • 7 years ago
I don't think this bug is actionable. The stack shown doesn't make any sense: StructGCPolicy::trace is never going to call UpdateShapeTypeAndValue. The stack is truncated. The stack contains two frames that don't even have debug information. It's doubtful those are even functions that were actually called. I think we just have to close this as INCOMPLETE.
Flags: needinfo?(shu)
Flags: needinfo?(jimb)
Updated • 7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Updated • 5 years ago

Updated • 4 years ago
Group: javascript-core-security