Closed Bug 1356434 Opened 7 years ago Closed 7 years ago

Crash in js::NativeObject::setSlot

Categories

(Core :: JavaScript: GC, defect)

x86
Windows XP
defect
Not set
critical

Tracking


RESOLVED INCOMPLETE
Tracking Status
firefox52 --- wontfix
firefox-esr52 --- wontfix
firefox53 --- wontfix
firefox54 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix

People

(Reporter: lizzard, Unassigned)

Details

(Keywords: crash, sec-high, testcase-wanted)

Crash Data

This bug was filed from the Socorro interface and is report bp-3bf6aa6d-7e85-44c1-a2e2-107502170409.
=============================================================

This is showing up in crash-stats mostly for ESR but there are also crashes from 52.0.2 and a few from beta 53. The patches from bug 1305779 and its duplicate bug 1302432 seem to have fixed most but not all of the crashes with this signature.
jimb, shu, possibly of interest since you worked on the related bugs. I'm not sure exactly which component to put this into.
Flags: needinfo?(shu)
Flags: needinfo?(jimb)
Group: core-security → javascript-core-security
I see some _EXEC and _WRITE violations that could be exploitable. Seems like a pretty generic function: these could be different bugs represented by the same signature.
Keywords: sec-high
That crash report and the lack of other information means this isn't an actionable bug for me, unfortunately.
Flags: needinfo?(shu)
Wontfix for 54 since it's releasing tomorrow. No crash reports yet from 55 or 56 so I'm not sure if they're affected.
(In reply to Shu-yu Guo [:shu] from comment #3)
> That crash report and the lack of other information means this isn't an
> actionable bug for me, unfortunately.

Why? Can you elaborate?
Can you help us find a new owner?
Flags: needinfo?(shu)
I don't think this bug is actionable. The stack shown doesn't make any sense: StructGCPolicy::trace is never going to call UpdateShapeTypeAndValue. The stack is truncated. The stack contains two frames that don't even have debug information. It's doubtful those are even functions that were actually called.

I think we just have to close this as INCOMPLETE.
Flags: needinfo?(shu)
Flags: needinfo?(jimb)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Group: javascript-core-security