Crash @ js_AllocStack via Script()

VERIFIED DUPLICATE of bug 291213

Product: Core
Component: JavaScript Engine
Severity: major

People

(Reporter: bc, Assigned: brendan)

Tracking

Keywords: crash
Version: Trunk
Platform: x86, Windows XP

Details

(Whiteboard: [keep private until bug 290908 is fixed])

Attachments

(1 attachment)

(Reporter)

Description

13 years ago
Modifying testcase 3 from bug 290908 to use:

var MALICIOUS_CODE = 'Components.stack';
var scriptCode = "arguments.callee.__parent__.eval('" + MALICIOUS_CODE + "');'';";

will crash Firefox 1.0.4/Trunk, Seamonkey 1.7.8/Trunk

NTDLL! 7c901230()
js_AllocStack(JSContext * 0x02fb1d08, unsigned int 3, void * * 0x0012e5d0) line 394 + 39 bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x031109d8, nsXPCWrappedJS * 0x03112c48, unsigned short 5, const nsXPTMethodInfo * 0x03111cb8, nsXPTCMiniVariant * 0x0012e694) line 1133 + 37 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x03112c48, unsigned short 5, const nsXPTMethodInfo * 0x03111cb8, nsXPTCMiniVariant * 0x0012e694) line 450
PrepareAndDispatch(nsXPTCStubBase * 0x03112c48, unsigned int 5, unsigned int * 0x0012e744, unsigned int * 0x0012e734) line 117 + 31 bytes
SharedStub() line 147
nsContentTreeOwner::SetStatus(nsContentTreeOwner * const 0x02fb1984, unsigned int 3, const unsigned short * 0x0033ea64 empty_buffer) line 385
nsWebShell::OnLeaveLink(nsWebShell * const 0x02fb1254) line 602 + 39 bytes
nsGenericElement::LeaveLink(nsPresContext * 0x034f7eb8) line 3330
nsGenericHTMLElement::HandleDOMEventForAnchors(nsPresContext * 0x034f7eb8, nsEvent * 0x0012e9f0, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x0012ea40) line 1632 + 15 bytes
nsHTMLAnchorElement::HandleDOMEvent(nsPresContext * 0x034f7eb8, nsEvent * 0x0012e9f0, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x0012ea40) line 287
nsEventStateManager::DispatchMouseEvent(nsGUIEvent * 0x0012f1a4, unsigned int 332, nsIContent * 0x03502b20, nsIContent * 0x03454d10) line 2518
nsEventStateManager::NotifyMouseOut(nsGUIEvent * 0x0012f1a4, nsIContent * 0x03454d10) line 2587
nsEventStateManager::NotifyMouseOver(nsGUIEvent * 0x0012f1a4, nsIContent * 0x03454d10) line 2633
nsEventStateManager::GenerateMouseEnterExit(nsGUIEvent * 0x0012f1a4) line 2672
nsEventStateManager::PreHandleEvent(nsEventStateManager * const 0x033fe028, nsPresContext * 0x034f7eb8, nsEvent * 0x0012f1a4, nsIFrame * 0x0351a3f4, nsEventStatus * 0x0012ef60, nsIView * 0x034a7818) line 479
PresShell::HandleEventInternal(nsEvent * 0x0012f1a4, nsIView * 0x034a7818, unsigned int 1, nsEventStatus * 0x0012ef60) line 6311 + 61 bytes
PresShell::HandleEvent(PresShell * const 0x033e6c14, nsIView * 0x034a7818, nsGUIEvent * 0x0012f1a4, nsEventStatus * 0x0012ef60, int 0, int & 1) line 6163 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x03517348, nsGUIEvent * 0x0012f1a4, int 0) line 2502
nsViewManager::DispatchEvent(nsViewManager * const 0x033fdd10, nsGUIEvent * 0x0012f1a4, nsEventStatus * 0x0012f080) line 2224 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f1a4) line 174
nsWindow::DispatchEvent(nsWindow * const 0x034ac86c, nsGUIEvent * 0x0012f1a4, nsEventStatus & nsEventStatus_eIgnore) line 1180 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f1a4) line 1201
nsWindow::DispatchMouseEvent(unsigned int 300, unsigned int 0, nsPoint * 0x00000000) line 5904 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 300, unsigned int 0, nsPoint * 0x00000000) line 6159
nsWindow::ProcessMessage(unsigned int 512, unsigned int 0, long 30343326, long * 0x0012f6a8) line 4533 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x0499028e, unsigned int 512, unsigned int 0, long 30343326) line 1472 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d489cd()
USER32! 77d48a10()
nsAppShell::Run(nsAppShell * const 0x02181478) line 135
nsAppStartup::Run(nsAppStartup * const 0x021813d8) line 145
XRE_main(int 1, char * * 0x01a56fd8, const nsXREAppData * 0x011fa01c kAppData) line 2012 + 35 bytes
main(int 1, char * * 0x01a56fd8) line 60 + 18 bytes
mainCRTStartup() line 338 + 17 bytes
(Reporter)

Updated

13 years ago
Whiteboard: [keep private until bug 290908 is fixed]
(Reporter)

Comment 1

13 years ago
Created attachment 183333 [details]
testcase
(Assignee)

Comment 2

13 years ago
I crash in args_resolve for this variation of the testcase, as did dbaron for
another variation.  See bug 291213.  I think this is a dup, but I'm not sure why
Bob sees such a bogus stack.  Did js_AllocRawStack trash its stack when it was
in the midst of returning?

/be
(Assignee)

Comment 3

13 years ago
Optimistically asserting DUP status; pls. verify.

/be

*** This bug has been marked as a duplicate of 291213 ***
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
(Reporter)

Comment 4

13 years ago
The patch in Bug 291213 Comment 3 fixes this crash in both Firefox 1.0.4 branch
and Seamonkey 1.7.8 branch on winxp. Verified dupe.
Status: RESOLVED → VERIFIED
Group: security