Closed Bug 1648125 Opened 5 years ago Closed 5 years ago

AddressSanitizer: heap-use-after-free on address 0x6060001966a8 at js::SourceCompressionTask::runtimeMatches involving evalInWorker

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
All
Linux
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1647115

People

(Reporter: gkw, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, testcase, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files)

asan-stack-symbolized.txt
16.20 KB, text/plain
Details
testcase.zip
811 bytes, application/zip
Details
a.js
930 bytes, application/x-javascript
Details

Compile js shell with:
AR=ar sh ./configure --disable-profiling --enable-address-sanitizer --disable-jemalloc --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Run with:
--fuzzing-safe --ion-offthread-compile=off --ion-eager --gc-zeal=2

on Xubuntu 20.04 LTS, GCC 9, 16GB RAM.

Testcase is intermittent, reproduce using m-c rev b1146cce5053.

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7a81a85d9881
user: Yoshi Cheng-Hao Huang
date: Wed Jun 17 07:37:40 2020 +0000
summary: Bug 1628204 - Part 1: Move append to compressionFinishedList inside runTask. r=jonco

Flags: sec-bounty?

Yoshi, let me know if you can reproduce this / if this is correct.

Flags: needinfo?(allstars.chh)
Attached file a.js

Same testcase but commenting here instead:

reduced.js loading a.js (attached) :

for (let i = 0; i < 999; i++) {
// SPLICE DDBEGIN
  eval("evalInWorker(\"\\load(\\\"a.js\\\");\")");
// SPLICE DDEND
}
//  js/src/tests/test262/shell.js

Feel free to move to JS/SpiderMonkey component.

ASan stack (same as attached text file in comment 0):

=================================================================
==399536==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060001966a8 at pc 0x5585374ee40d bp 0x7fe0bfa7c1f0 sp 0x7fe0bfa7c1e8
READ of size 8 at 0x6060001966a8 thread T664
    #0 0x5585374ee40c in js::SourceCompressionTask::runtimeMatches(JSRuntime*) const /home/mini3lin/trees/mozilla-central/js/src/vm/HelperThreads.h:820:69
    #1 0x5585374ee40c in js::CancelOffThreadCompressions(JSRuntime*) /home/mini3lin/trees/mozilla-central/js/src/vm/HelperThreads.cpp:2277:25
    #2 0x55853785e57a in JSRuntime::destroyRuntime() /home/mini3lin/trees/mozilla-central/js/src/vm/Runtime.cpp:272:5
    #3 0x5585376456b4 in js::DestroyContext(JSContext*) /home/mini3lin/trees/mozilla-central/js/src/vm/JSContext.cpp:213:7
    #4 0x558536efde28 in WorkerMain(WorkerInput*)::$_7::operator()() const /home/mini3lin/trees/mozilla-central/js/src/shell/js.cpp:4124:5
    #5 0x558536efde28 in mozilla::ScopeExit<WorkerMain(WorkerInput*)::$_7>::~ScopeExit() /home/mini3lin/shell-cache/js-64-profDisabled-asan-linux-x86_64-b1146cce5053/objdir-js/dist/include/mozilla/ScopeExit.h:111:7
    #6 0x558536efde28 in WorkerMain(WorkerInput*) /home/mini3lin/trees/mozilla-central/js/src/shell/js.cpp:4186:1
    #7 0x558536f1c4e7 in void js::detail::ThreadTrampoline<void (&)(WorkerInput*), WorkerInput*&>::callMain<0ul>(std::integer_sequence<unsigned long, 0ul>) /home/mini3lin/trees/mozilla-central/js/src/threading/Thread.h:217:5
    #8 0x558536f1c4e7 in js::detail::ThreadTrampoline<void (&)(WorkerInput*), WorkerInput*&>::Start(void*) /home/mini3lin/trees/mozilla-central/js/src/threading/Thread.h:206:11
    #9 0x7fe116bf3608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477:8
    #10 0x7fe1167a0102 in clone /build/glibc-YYA7BZ/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x6060001966a8 is located 8 bytes inside of 56-byte region [0x6060001966a0,0x6060001966d8)
freed by thread T664 here:
    #0 0x558536e5d72d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x5585374ee856 in js_free(void*) /home/mini3lin/shell-cache/js-64-profDisabled-asan-linux-x86_64-b1146cce5053/objdir-js/dist/include/js/Utility.h:432:3
    #2 0x5585374ee856 in void js_delete<js::SourceCompressionTask>(js::SourceCompressionTask const*) /home/mini3lin/shell-cache/js-64-profDisabled-asan-linux-x86_64-b1146cce5053/objdir-js/dist/include/js/Utility.h:573:5
    #3 0x5585374ee856 in JS::DeletePolicy<js::SourceCompressionTask>::operator()(js::SourceCompressionTask const*) /home/mini3lin/shell-cache/js-64-profDisabled-asan-linux-x86_64-b1146cce5053/objdir-js/dist/include/js/Utility.h:645:35
    #4 0x5585374ee856 in mozilla::UniquePtr<js::SourceCompressionTask, JS::DeletePolicy<js::SourceCompressionTask> >::reset(js::SourceCompressionTask*) /home/mini3lin/shell-cache/js-64-profDisabled-asan-linux-x86_64-b1146cce5053/objdir-js/dist/include/mozilla/UniquePtr.h:302:7
    #5 0x5585374ee856 in mozilla::UniquePtr<js::SourceCompressionTask, JS::DeletePolicy<js::SourceCompressionTask> >::~UniquePtr() /home/mini3lin/shell-cache/js-64-profDisabled-asan-linux-x86_64-b1146cce5053/objdir-js/dist/include/mozilla/UniquePtr.h:253:18
    #6 0x5585374ee856 in js::AttachFinishedCompressions(JSRuntime*, js::AutoLockHelperThreadState&) /home/mini3lin/trees/mozilla-central/js/src/vm/HelperThreads.cpp:2302:5
    #7 0x5585382ed555 in js::gc::GCRuntime::sweepCompressionTasks() /home/mini3lin/trees/mozilla-central/js/src/gc/GC.cpp:5077:3
    #8 0x55853831cb76 in js::GCParallelTask::runTask() /home/mini3lin/trees/mozilla-central/js/src/gc/GCParallelTask.cpp:146:3
    #9 0x5585382ee17f in js::GCParallelTask::runFromMainThread() /home/mini3lin/trees/mozilla-central/js/src/gc/GCParallelTask.cpp:120:3
    #10 0x5585382ee17f in js::gc::GCRuntime::joinTask(js::GCParallelTask&, js::gcstats::PhaseKind, js::AutoLockHelperThreadState&) /home/mini3lin/trees/mozilla-central/js/src/gc/GC.cpp:5157:10
    #11 0x5585382f2132 in AutoRunParallelTask::~AutoRunParallelTask() /home/mini3lin/trees/mozilla-central/js/src/gc/GC.cpp:3683:32
    #12 0x5585382f2132 in js::gc::GCRuntime::beginSweepingSweepGroup(JSFreeOp*, js::SliceBudget&) /home/mini3lin/trees/mozilla-central/js/src/gc/GC.cpp:5418:3
    #13 0x558538360cd7 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) /home/mini3lin/trees/mozilla-central/js/src/gc/GC.cpp:6060:23
    #14 0x558538353655 in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&) /home/mini3lin/trees/mozilla-central/js/src/gc/GC.cpp:6095:19
    #15 0x5585382fa19b in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) /home/mini3lin/trees/mozilla-central/js/src/gc/GC.cpp:6227:48
    #16 0x5585383008d0 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason, js::gc::AutoGCSession&) /home/mini3lin/trees/mozilla-central/js/src/gc/GC.cpp:6760:11
    #17 0x55853830439f in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) /home/mini3lin/trees/mozilla-central/js/src/gc/GC.cpp:7170:3
    #18 0x558538308090 in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) /home/mini3lin/trees/mozilla-central/js/src/gc/GC.cpp:7405:9
    #19 0x558538310187 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::GCReason) /home/mini3lin/trees/mozilla-central/js/src/gc/GC.cpp:7481:3
    #20 0x558538310187 in js::gc::GCRuntime::runDebugGC() /home/mini3lin/trees/mozilla-central/js/src/gc/GC.cpp:7998:5
    #21 0x558538321219 in js::gc::GCRuntime::gcIfNeededAtAllocation(JSContext*) /home/mini3lin/trees/mozilla-central/js/src/gc/Allocator.cpp:442:5
    #22 0x558538321219 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) /home/mini3lin/trees/mozilla-central/js/src/gc/Allocator.cpp:404:10
    #23 0x558538321219 in JSString* js::AllocateStringImpl<JSString, (js::AllowGC)1>(JSContext*, js::gc::InitialHeap) /home/mini3lin/trees/mozilla-central/js/src/gc/Allocator.cpp:207:15
    #24 0x55853797bd49 in JSLinearString* js::AllocateString<JSLinearString, (js::AllowGC)1>(JSContext*, js::gc::InitialHeap) /home/mini3lin/trees/mozilla-central/js/src/gc/Allocator.h:61:32
    #25 0x55853797bd49 in JSLinearString* JSLinearString::new_<(js::AllowGC)1, unsigned char>(JSContext*, mozilla::UniquePtr<unsigned char [], JS::FreePolicy>, unsigned long, js::gc::InitialHeap) /home/mini3lin/trees/mozilla-central/js/src/vm/StringType-inl.h:272:11
    #26 0x55853797bd49 in JSLinearString* js::NewStringDontDeflate<(js::AllowGC)1, unsigned char>(JSContext*, mozilla::UniquePtr<unsigned char [], JS::FreePolicy>, unsigned long, js::gc::InitialHeap) /home/mini3lin/trees/mozilla-central/js/src/vm/StringType.cpp:1692:10
    #27 0x5585373770ad in JSLinearString* js::StringBuffer::finishStringInternal<unsigned char>(JSContext*) /home/mini3lin/trees/mozilla-central/js/src/util/StringBuffer.cpp:97:25
    #28 0x5585372b79f7 in FormatErrorMessage(JSContext*, JS::Handle<JSString*>, JS::Handle<JSString*>) /home/mini3lin/trees/mozilla-central/js/src/jsexn.cpp:421:15
    #29 0x5585372b4bf9 in ErrorReportToString(JSContext*, JS::Handle<JSObject*>, JSErrorReport*, JS::ErrorReportBuilder::SniffingBehavior) /home/mini3lin/trees/mozilla-central/js/src/jsexn.cpp:465:10
    #30 0x5585372b4bf9 in JS::ErrorReportBuilder::init(JSContext*, JS::ExceptionStack const&, JS::ErrorReportBuilder::SniffingBehavior) /home/mini3lin/trees/mozilla-central/js/src/jsexn.cpp:491:11
    #31 0x558536ea50b0 in js::shell::AutoReportException::~AutoReportException() /home/mini3lin/trees/mozilla-central/js/src/shell/js.cpp:9304:15
    #32 0x558536efd92d in WorkerMain(WorkerInput*) /home/mini3lin/trees/mozilla-central/js/src/shell/js.cpp:4182:3
    #33 0x558536f1c4e7 in void js::detail::ThreadTrampoline<void (&)(WorkerInput*), WorkerInput*&>::callMain<0ul>(std::integer_sequence<unsigned long, 0ul>) /home/mini3lin/trees/mozilla-central/js/src/threading/Thread.h:217:5
    #34 0x558536f1c4e7 in js::detail::ThreadTrampoline<void (&)(WorkerInput*), WorkerInput*&>::Start(void*) /home/mini3lin/trees/mozilla-central/js/src/threading/Thread.h:206:11
    #35 0x7fe116bf3608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477:8

previously allocated by thread T664 here:
    #0 0x558536e5d9ad in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x55853772b55b in js_arena_malloc(unsigned long, unsigned long) /home/mini3lin/shell-cache/js-64-profDisabled-asan-linux-x86_64-b1146cce5053/objdir-js/dist/include/js/Utility.h:385:10
    #2 0x55853772b55b in js_malloc(unsigned long) /home/mini3lin/shell-cache/js-64-profDisabled-asan-linux-x86_64-b1146cce5053/objdir-js/dist/include/js/Utility.h:389:10
    #3 0x55853772b55b in js::SourceCompressionTask* js_new<js::SourceCompressionTask, JSRuntime*, js::ScriptSource*>(JSRuntime*&&, js::ScriptSource*&&) /home/mini3lin/shell-cache/js-64-profDisabled-asan-linux-x86_64-b1146cce5053/objdir-js/dist/include/js/Utility.h:538:1
    #4 0x55853772b55b in js::detail::UniqueSelector<js::SourceCompressionTask>::SingleObject js::MakeUnique<js::SourceCompressionTask, JSRuntime*, js::ScriptSource*>(JSRuntime*&&, js::ScriptSource*&&) /home/mini3lin/shell-cache/js-64-profDisabled-asan-linux-x86_64-b1146cce5053/objdir-js/dist/include/js/UniquePtr.h:43:23
    #5 0x55853772b55b in js::ScriptSource::tryCompressOffThread(JSContext*) /home/mini3lin/trees/mozilla-central/js/src/vm/JSScript.cpp:2313:15
    #6 0x55853818164b in js::frontend::ScriptCompiler<mozilla::Utf8Unit>::compileScript(js::frontend::CompilationInfo&, js::frontend::SharedContext*) /home/mini3lin/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:504:48
    #7 0x55853810fd2b in JSScript* CreateGlobalScript<mozilla::Utf8Unit>(js::frontend::CompilationInfo&, js::frontend::GlobalSharedContext&, JS::SourceText<mozilla::Utf8Unit>&) /home/mini3lin/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:185:17
    #8 0x55853810fd2b in js::frontend::CompileGlobalScript(js::frontend::CompilationInfo&, js::frontend::GlobalSharedContext&, JS::SourceText<mozilla::Utf8Unit>&) /home/mini3lin/trees/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:227:10
    #9 0x558537436653 in bool EvaluateSourceBuffer<mozilla::Utf8Unit>(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&, JS::MutableHandle<JS::Value>) /home/mini3lin/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:491:14
    #10 0x558537436653 in JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&, JS::MutableHandle<JS::Value>) /home/mini3lin/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:505:10
    #11 0x55853743a001 in JS::EvaluateUtf8Path(JSContext*, JS::ReadOnlyCompileOptions const&, char const*, JS::MutableHandle<JS::Value>) /home/mini3lin/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:553:10
    #12 0x558536ef869b in LoadScript(JSContext*, unsigned int, JS::Value*, bool) /home/mini3lin/trees/mozilla-central/js/src/shell/js.cpp:1756:17
    #13 0x55853709eec8 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/mini3lin/trees/mozilla-central/js/src/vm/Interpreter.cpp:484:13
    #14 0x55853709eec8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/mini3lin/trees/mozilla-central/js/src/vm/Interpreter.cpp:576:12
    #15 0x5585385a8c9e in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /home/mini3lin/trees/mozilla-central/js/src/jit/BaselineIC.cpp:2992:10
    #16 0x3d301af99bc7  (<unknown module>)
    #17 0x62100094715f  (<unknown module>)
    #18 0x3d301af9749e  (<unknown module>)

Thread T664 created by T0 here:
    #0 0x558536e4815a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x55853736dc58 in js::Thread::create(void* (*)(void*), void*) /home/mini3lin/trees/mozilla-central/js/src/threading/posix/PosixThread.cpp:52:7
    #2 0x558536f1c393 in bool js::Thread::init<void (&)(WorkerInput*), WorkerInput*&>(void (&)(WorkerInput*), WorkerInput*&) /home/mini3lin/trees/mozilla-central/js/src/threading/Thread.h:90:12
    #3 0x558536ed4a2d in EvalInWorker(JSContext*, unsigned int, JS::Value*) /home/mini3lin/trees/mozilla-central/js/src/shell/js.cpp:4255:29
    #4 0x55853709eec8 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/mini3lin/trees/mozilla-central/js/src/vm/Interpreter.cpp:484:13
    #5 0x55853709eec8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/mini3lin/trees/mozilla-central/js/src/vm/Interpreter.cpp:576:12
    #6 0x5585385a8c9e in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /home/mini3lin/trees/mozilla-central/js/src/jit/BaselineIC.cpp:2992:10
    #7 0x3d301ac69bc7  (<unknown module>)
    #8 0x621000cd8d5f  (<unknown module>)
    #9 0x3d301ac6749e  (<unknown module>)
    #10 0x558538e273e1 in EnterJit(JSContext*, js::RunState&, unsigned char*) /home/mini3lin/trees/mozilla-central/js/src/jit/Jit.cpp:105:5
    #11 0x558538e273e1 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /home/mini3lin/trees/mozilla-central/js/src/jit/Jit.cpp:196:10
    #12 0x55853706bd2e in js::RunScript(JSContext*, js::RunState&) /home/mini3lin/trees/mozilla-central/js/src/vm/Interpreter.cpp:441:32
    #13 0x5585370a5333 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/mini3lin/trees/mozilla-central/js/src/vm/Interpreter.cpp:831:13
    #14 0x558537151aa9 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /home/mini3lin/trees/mozilla-central/js/src/builtin/Eval.cpp:357:10
    #15 0x5585371536d2 in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/mini3lin/trees/mozilla-central/js/src/builtin/Eval.cpp:486:10
    #16 0x5585385a8bcc in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /home/mini3lin/trees/mozilla-central/js/src/jit/BaselineIC.cpp:2978:10
    #17 0x3d301ac69bc7  (<unknown module>)
    #18 0x621000122217  (<unknown module>)
    #19 0x3d301ac6749e  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free /home/mini3lin/trees/mozilla-central/js/src/vm/HelperThreads.h:820:69 in js::SourceCompressionTask::runtimeMatches(JSRuntime*) const
Shadow bytes around the buggy address:
  0x0c0c8002ac80: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c0c8002ac90: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c8002aca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c8002acb0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c8002acc0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c0c8002acd0: fa fa fa fa fd[fd]fd fd fd fd fd fa fa fa fa fa
  0x0c0c8002ace0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c8002acf0: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c8002ad00: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c8002ad10: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
  0x0c0c8002ad20: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==399536==ABORTING
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(allstars.chh)
Resolution: --- → DUPLICATE

I have a testcase for this, but bug 1647115 does not. Moreover, my bisection result came to the same regressing bug there.

Group: firefox-core-security → javascript-core-security
Component: Security → JavaScript Engine
Product: Firefox → Core

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #7)

I have a testcase for this, but bug 1647115 does not. Moreover, my bisection result came to the same regressing bug there.

The bug already had a fix before this one was filed, we also detected it as an intermittent in WPT and also in Domino.

OS: Unspecified → Linux
Hardware: Unspecified → All
Version: unspecified → Trunk
Flags: sec-bounty? → sec-bounty-
Group: javascript-core-security
Type: task → defect
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: