crash in trunk browser js1_7/geniter/326466-01.js

VERIFIED DUPLICATE of bug 343455

Status: VERIFIED DUPLICATE of bug 343455
Priority: --
Severity: major

Reporter: bc
Assignee: Unassigned

Tracking
Version: Trunk
Platform: x86, Windows XP
Keywords: crash, fixed1.8.1
Bug Flags: blocking1.8.1+


Whiteboard: [sg:dupe 343455], URL

Description (Reporter, 12 years ago)
Load the URL in a trunk build on winxp. You may need to click in the url bar or reload to see the crash.

		JSTRAP_CONTINUE	0x00000001	int
+		pc	0x04b20f6b "нннннннннннннннннннннннннннннннннннннннннннннннннннн"	unsigned char *
+		rt	0x00fa90e0 {state=JSRTS_UP gcArenaList=0x00fa90e4 gcRootsHash={...} ...}	JSRuntime *
+		script	0x04b20f28 {code=0xdddddddd <Bad Ptr> length=0xdddddddd main=0xdddddddd <Bad Ptr> ...}	JSScript *


>	js3250.dll!js_Interpret(JSContext * cx=0x03c54230, unsigned char * pc=0x04b20f6b, long * result=0x0012f808)  Line 6140 + 0x42 bytes	C
 	js3250.dll!generator_send(JSContext * cx=0x03c54230, JSObject * obj=0x04affa18, unsigned int argc=0x00000000, long * argv=0x010434a8, long * rval=0x0012f8ec)  Line 778 + 0x14 bytes	C
 	js3250.dll!generator_close(JSContext * cx=0x03c54230, JSObject * obj=0x04affa18, unsigned int argc=0x00000000, long * argv=0x010434a8, long * rval=0x0012f8ec)  Line 828 + 0x17 bytes	C
 	js3250.dll!js_Invoke(JSContext * cx=0x03c54230, unsigned int argc=0x00000000, unsigned int flags=0x00000002)  Line 1328 + 0x20 bytes	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x03c54230, JSObject * obj=0x04affa18, long fval=0x04affa00, unsigned int flags=0x00000000, unsigned int argc=0x00000000, long * argv=0x00000000, long * rval=0x0012fa40)  Line 1422 + 0x14 bytes	C
 	js3250.dll!generator_closehook(JSContext * cx=0x03c54230, JSObject * obj=0x04affa18)  Line 632 + 0x1b bytes	C
 	js3250.dll!ExecuteCloseHooks(JSContext * cx=0x03c54230, const JSObjectsToClose * toClose=0x0012fb04)  Line 859 + 0x10 bytes	C
 	js3250.dll!js_GC(JSContext * cx=0x03c54230, unsigned int gcflags=0x00000000)  Line 2633 + 0xd bytes	C
 	js3250.dll!js_ForceGC(JSContext * cx=0x03c54230, unsigned int gcflags=0x00000000)  Line 2098 + 0xd bytes	C
 	js3250.dll!JS_GC(JSContext * cx=0x03c54230)  Line 1907 + 0xb bytes	C
 	gklayout.dll!nsJSContext::Notify(nsITimer * timer=0x03e8b670)  Line 2996 + 0xd bytes	C++
 	xpcom_core.dll!nsTimerImpl::Fire()  Line 404	C++
 	xpcom_core.dll!nsTimerEvent::Run()  Line 486	C++
 	xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=0x00000001, int * result=0x0012fc34)  Line 483	C++
 	xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00b083b8, int mayWait=0x00000001)  Line 225 + 0x16 bytes	C++
 	gkwidget.dll!nsBaseAppShell::Run()  Line 153 + 0xc bytes	C++
 	tkitcmps.dll!nsAppStartup::Run()  Line 171 + 0x1c bytes	C++
 	xul.dll!XRE_main(int argc=0x00000004, char * * argv=0x00b07fe0, const nsXREAppData * aAppData=0x004036b0)  Line 2349 + 0x25 bytes	C++
 	firefox.exe!main(int argc=0x00000004, char * * argv=0x00b07fe0)  Line 61 + 0x13 bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	firefox.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes
Comment 1 (Reporter, 12 years ago)
I still get this nasty crash with deleted memory on the trunk during shutdown in the browser test using the v3 js17 rollup patch.
Flags: blocking1.9a1?
Updated (Reporter, 12 years ago)
Group: security
Comment 2 (Reporter, 12 years ago)
This occurs on 1.8.1a3/winxp as well now that js17 has landed. Note that deleted memory use is exploitable.
Flags: blocking1.8.1?

Updated (12 years ago)
Flags: blocking1.8.1? → blocking1.8.1+
Updated (Reporter, 12 years ago)
Blocks: 344320
If this is fixed now that the fixes for bug 343455 have landed, please mark dup.

/be
Comment 4 (Reporter, 12 years ago)
Pulled cvs and built trunk debug depends and still crash after clicking url bar and reload with same stack as in bug 343295 comment 2.

Crashes for me on linux trunk with clearing hooks.

Same stack as in the description.

*** This bug has been marked as a duplicate of 343455 ***
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → DUPLICATE
Comment 7 (Reporter, 12 years ago)
Note test: js1_7/geniter/326466-01.js: result: CRASHED   type: browser description: none : results/2006-07-24-05-43-40-firefox-2.0-dbg-1.8.1b1_2006072312-prune.log CRASHED  5 (2.468000 seconds)
test: js1_7/geniter/326466-01.js: result: CRASHED   type: browser description: none : results/2006-07-24-08-35-59-firefox-2.0-dbg-mac-1.8.1b1_2006072312-pineapple.mozilla.org.log CRASHED signal  6 (4.244419 seconds)
Updated (Reporter, 12 years ago)
Status: RESOLVED → VERIFIED

Updated (12 years ago)
Flags: blocking1.9a1?
Keywords: fixed1.8.1
Whiteboard: [sg:dupe 343455]
Group: security