Closed
Bug 1690683
Opened 5 years ago
Closed 5 years ago
Crash [@ ??] with invalid read involving asm.js
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
87 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox85 | --- | unaffected |
| firefox86 | --- | unaffected |
| firefox87 | --- | verified |
People
(Reporter: decoder, Unassigned)
References
(Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect][fuzzblocker])
Crash Data
Attachments
(1 file)
|
161 bytes,
text/plain
|
Details |
The following testcase crashes on mozilla-central revision 20210203-ca7a3f92939d (debug build, run with --fuzzing-safe --no-threads):
mathy0=(function(i,foreign){
'use asm';
var ff=foreign.ff;
function f(i0,d1){
i0=i0|0;
d1=+d1;
ff()
}
return f
})(this,{ff:Map});
mathy0();
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x49c3d460 in ?? ()
#0 0x49c3d460 in ?? ()
#1 0x49c3d0c6 in ?? ()
#2 0x49c3d282 in ?? ()
eax 0xbad 2989
ebx 0xf6609800 -161441792
ecx 0x46533100 1179857152
edx 0xf6e1900c -152989684
esi 0xf66232e0 -161336608
edi 0xf6e4e600 -152771072
ebp 0xffffa818 4294944792
esp 0xffffa7e0 4294944736
eip 0x49c3d460 1237570656
=> 0x49c3d460: mov 0xc(%eax),%ecx
0x49c3d463: cmp $0x6,%ecx
Marking s-s due to crash address. Also this is a fuzzblocker for jsfunfuzz.
|
Reporter | |
Comment 1•5 years ago
|
||
|
||
Comment 2•5 years ago
|
||
Iain, do you think you could take a quick look at this bug?
Flags: needinfo?(iireland)
|
||
Comment 3•5 years ago
|
||
This is possibly bug 1335652 comment 59.
|
||
Comment 4•5 years ago
|
||
Yeah, this failure is the same as those failures.
Flags: needinfo?(iireland)
|
||
Updated•5 years ago
|
status-firefox85:
--- → unaffected
status-firefox86:
--- → unaffected
status-firefox-esr78:
--- → unaffected
Regressed by: 1335652
|
||
Updated•5 years ago
|
Has Regression Range: --- → yes
|
||
Updated•5 years ago
|
|
|
||
Comment 5•5 years ago
|
||
(In reply to Iain Ireland [:iain] from comment #4)
Yeah, this failure is the same as those failures.
32-bit x86 exception handling failure has been fixed.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
|
|
||
Updated•5 years ago
|
Group: javascript-core-security → core-security-release
Target Milestone: --- → 87 Branch
|
||
Comment 6•5 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210218214637-b82bd51a119e.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•4 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•