Note: There are a few cases of duplicates in user autocompletion which are being worked on.

Crash [@ MarkGCThingChildren] involving watch and setter

VERIFIED FIXED in mozilla1.8.1

Status

()

Core
JavaScript Engine
P1
critical
VERIFIED FIXED
11 years ago
6 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Tracking

(4 keywords)

Trunk
mozilla1.8.1
crash, regression, verified1.8.0.9, verified1.8.1.1
Points:
---
Bug Flags:
blocking1.9 ?
blocking1.8.1.1 +
blocking1.8.0.9 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?], crash signature)

Attachments

(6 attachments, 1 obsolete attachment)

(Reporter)

Description

11 years ago
Crash:
  document.watch("title", function(a,b,c,d) {
    return { toString : function() { alert(1); } };
  });
  document.title = "xxx";

No crash:
  document.watch("title", function() {
    return { toString : function() { alert(1); } };
  });
  document.title = "xxx";

Regression range on trunk is from 2006-11-06-04 to 2006-11-07-04.
http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2006-11-06+04&maxdate=2006-11-07+04

Regression range on 1.8.0 branch is from 2006-11-24-07 to 2006-11-25-08
http://bonsai.mozilla.org/cvsquery.cgi?module=AviarySuiteBranchTinderbox&branch=MOZILLA_1_8_0_BRANCH&date=explicit&mindate=2006-11-24+07&maxdate=2006-11-25+08

Regressed from bug 354978?

I'm marking this security sensitive for now, since I'm not sure if this could
be an exploitable crash or not.

Steps to reproduce:
0. Load a testcase.
1. Click a button.
2. An alert dialog appears.
3. Don't close the alert dialog.
4. After a few seconds, crash.
(Reporter)

Comment 1

11 years ago
Created attachment 246677 [details]
testcase
(Reporter)

Comment 2

11 years ago
Created attachment 246678 [details]
backtrace from debug build
(Assignee)

Comment 3

11 years ago
Created attachment 246687 [details] [diff] [review]
Possible fix

I haven't actually tested this, but I think the problem is that we're trying to mark fun->nargs + fun->extra slots, when we're only providing two memory spaces.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #246687 - Flags: review?(brendan)
(Assignee)

Comment 4

11 years ago
Comment on attachment 246687 [details] [diff] [review]
Possible fix

>+                frame.scopeChain = OBJ_GET_PARENT(cx, closure);

This line is not actually part of this patch.
(Assignee)

Updated

11 years ago
Severity: normal → critical
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8.1
(Assignee)

Comment 5

11 years ago
Created attachment 246733 [details] [diff] [review]
Updated
Attachment #246687 - Attachment is obsolete: true
Attachment #246733 - Flags: review?(brendan)
Attachment #246687 - Flags: review?(brendan)
Comment on attachment 246733 [details] [diff] [review]
Updated

r=me, thanks.

/be
Attachment #246733 - Flags: review?(brendan) → review+
Need this on the trunk when it opens, and on the branches sooner.

/be
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Keywords: crash, regression

Updated

11 years ago
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+

Comment 8

11 years ago
mrbkap/brendan:  Is the patch good as-is for the branches?  If so, please ask for approval for 1.8.0.9 and 1.8.1.1.  If we need separate patches, please attach and ask for separate approvals.  Thanks!
(Assignee)

Comment 9

11 years ago
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(Assignee)

Comment 10

11 years ago
Comment on attachment 246733 [details] [diff] [review]
Updated

This patch applies cleanly to the 1.8 branch.
Attachment #246733 - Flags: approval1.8.1.1?
(Assignee)

Comment 11

11 years ago
Comment on attachment 246733 [details] [diff] [review]
Updated

This patch applies cleanly to the 1.8 branch.
(Assignee)

Comment 12

11 years ago
Created attachment 247101 [details] [diff] [review]
Patch for 1.8.0

The only changes are:
- fun->u.n.extra -> fun->extra (since the unionizing of JSFunction didn't happen on the 1.8.0 branch).
- JS_ARRAY_LENGTH doesn't exist on the 1.8.0 branch, so I hand-expanded it.

I don't think this needs another review.
Attachment #247101 - Flags: approval1.8.0.9?

Comment 13

11 years ago
Comment on attachment 246733 [details] [diff] [review]
Updated

Approved for 1.8 branch, a=jay for drivers.
Attachment #246733 - Flags: approval1.8.1.1? → approval1.8.1.1+

Comment 14

11 years ago
Comment on attachment 247101 [details] [diff] [review]
Patch for 1.8.0

Approved for 1.8.0 branch, a=jay for drivers.
Attachment #247101 - Flags: approval1.8.0.9? → approval1.8.0.9+
(Assignee)

Comment 15

11 years ago
Fixed on the 1.8 branches.
Keywords: fixed1.8.0.9, fixed1.8.1.1

Comment 16

11 years ago
Created attachment 247184 [details]
js1_5/Regress/regress-361964.js

Updated

11 years ago
Flags: in-testsuite+
(Reporter)

Comment 17

11 years ago
I can still reproduce crash.

This seems to be due to missing |* sizeof(jsval)|.

- argv = JS_malloc(cx, nslots);
+ argv = JS_malloc(cx, nslots * sizeof(jsval));

- memset(argv + 2, 0, nslots - 2);
+ memset(argv + 2, 0, (nslots - 2) * sizeof(jsval));
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Comment 18

11 years ago
In trunk winxp debug I get MSVC CRT Debug error: Heap Corruption Detected... detected that the application wrote to memory after the end of the heap buffer. 

In 1.8.0.9|1.8.1.1 winxp debug I get MSCC CRT Debug error: DAMAGE after normal block

This should block the Firefox 1.5.0.9, Firefox 2.0.0.1 and Gran Paradiso releases.

Comment 19

11 years ago
Removing "fixed1.8.x.x" keywords since this doesn't appear to be fixed.  

Blake/Brendan:  We are past our code freeze date, but really need to get this fixed, so please let us know if either of you can take a look at this.  It would be nice to have a patch together by Monday morning, since we were hoping to spin RC1 then.
Flags: blocking1.9?
Keywords: fixed1.8.0.9, fixed1.8.1.1
Whiteboard: [need new patch]
(Assignee)

Comment 20

11 years ago
Created attachment 247282 [details] [diff] [review]
D'oh

I blame all of the Java code I've had to write lately.
Attachment #247282 - Flags: review?(brendan)
Attachment #247282 - Flags: approval1.8.1.1?
Attachment #247282 - Flags: approval1.8.0.9?
Comment on attachment 247282 [details] [diff] [review]
D'oh

I have no Java-on-the-brainn excuse :-(.

This needs prompt approval for the branches.

/be
Attachment #247282 - Flags: review?(brendan) → review+
(Assignee)

Comment 22

11 years ago
Fixed (again) on trunk.
Status: REOPENED → RESOLVED
Last Resolved: 11 years ago11 years ago
Resolution: --- → FIXED

Comment 23

11 years ago
Comment on attachment 247282 [details] [diff] [review]
D'oh

Approved for both branches, a=jay for drivers.  Thanks for the quick patch patch mrbkap. ;-)
Attachment #247282 - Flags: approval1.8.1.1?
Attachment #247282 - Flags: approval1.8.1.1+
Attachment #247282 - Flags: approval1.8.0.9?
Attachment #247282 - Flags: approval1.8.0.9+
(Assignee)

Comment 24

11 years ago
Fixed, again.

Thanks for the heads-up moz_bug.
Keywords: fixed1.8.0.9, fixed1.8.1.1

Comment 25

11 years ago
verified fixed 20061203 1.8.0.9 windows/linux, 1.8.1.1 windows/linux, 1.9 windows/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.9, fixed1.8.1.1 → verified1.8.0.9, verified1.8.1.1
Whiteboard: [need new patch] → [sg:critical?]
Group: security

Comment 26

11 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-361964.js,v  <--  regress-361964.js
Crash Signature: [@ MarkGCThingChildren]
You need to log in before you can comment on or make changes to this bug.