Bug 361964 - Crash [@ MarkGCThingChildren] involving watch and setter
Status: Closed, VERIFIED FIXED (opened 18 years ago, closed 18 years ago)
Categories: Core :: JavaScript Engine, defect, P1
Target Milestone: mozilla1.8.1
People: Reporter: moz_bug_r_a4, Assigned: mrbkap
Details: 4 keywords, Whiteboard: [sg:critical?]
Attachments (6 files, 1 obsolete file):
- 1.29 KB, text/html
- 11.11 KB, text/plain
- 3.05 KB, patch (brendan: review+; jay: approval1.8.1.1+)
- 3.01 KB, patch (jay: approval1.8.0.9+)
- 2.69 KB, text/plain
- 1.40 KB, patch (brendan: review+; jay: approval1.8.0.9+, approval1.8.1.1+)
Crash:
document.watch("title", function(a,b,c,d) {
return { toString : function() { alert(1); } };
});
document.title = "xxx";
No crash:
document.watch("title", function() {
return { toString : function() { alert(1); } };
});
document.title = "xxx";
Regression range on trunk is from 2006-11-06-04 to 2006-11-07-04.
http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2006-11-06+04&maxdate=2006-11-07+04
Regression range on 1.8.0 branch is from 2006-11-24-07 to 2006-11-25-08
http://bonsai.mozilla.org/cvsquery.cgi?module=AviarySuiteBranchTinderbox&branch=MOZILLA_1_8_0_BRANCH&date=explicit&mindate=2006-11-24+07&maxdate=2006-11-25+08
Regressed from bug 354978?
I'm marking this security sensitive for now, since I'm not sure if this could
be an exploitable crash or not.
Steps to reproduce:
0. Load a testcase.
1. Click a button.
2. An alert dialog appears.
3. Don't close the alert dialog.
4. After a few seconds, crash.
Comment 1•18 years ago (Reporter)
Comment 2•18 years ago (Reporter)
Comment 3•18 years ago (Assignee)
I haven't actually tested this, but I think the problem is that we're trying to mark fun->nargs + fun->extra slots, when we're only providing two memory spaces.
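The following is an added example, not SpiderMonkey code and not from anyone on this bug. It models the watchpoint argv handling described above with a bounds-checked buffer, so the two failure modes on this page can be reproduced deterministically instead of as heap corruption: the pre-fix two-slot argv that the GC walks for nargs + extra slots (why the four-argument handler crashes and the zero-argument one does not), and the first landed patch that passed a slot count to JS_malloc where a byte count was needed (comment 17). jsval is modelled as one machine word, and the slot accounting (two engine-supplied values plus nargs + extra marked slots) is an assumption taken from the comments, not the engine's actual frame layout; the names slot_buf, watch_slots_touched, watch_argv_alloc and watch_unsafe_slots are invented for the example.

```c
/* Added example (not SpiderMonkey code): a bounds-checked model of the
 * watchpoint argv handling from bug 361964.  Slot accounting is an
 * assumption drawn from the bug comments, not the engine's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef uintptr_t jsval;          /* assumption: one tagged word per slot */

/* A heap block that remembers how many bytes it really has, so an
 * out-of-range slot access is counted instead of corrupting the heap. */
typedef struct { size_t bytes; jsval *data; } slot_buf;

enum { ARGV_PREPATCH = 0, ARGV_BUGGY_PATCH = 1, ARGV_FIXED = 2 };

/* Slots the handler call touches: the engine always stores the old and
 * new property value in argv[0..1], and the GC marks nargs + extra slots
 * of the frame (comment 3), so the union is max(2, nargs + extra). */
static size_t watch_slots_touched(unsigned nargs, unsigned extra) {
    size_t n = (size_t)nargs + extra;
    return n > 2 ? n : 2;
}

/* Allocate argv the way each version of the code did. */
static slot_buf watch_argv_alloc(int strategy, unsigned nargs, unsigned extra) {
    size_t nslots = watch_slots_touched(nargs, extra);
    size_t bytes;
    switch (strategy) {
    case ARGV_PREPATCH:    bytes = 2 * sizeof(jsval);      break; /* fixed two-slot argv */
    case ARGV_BUGGY_PATCH: bytes = nslots;                 break; /* JS_malloc(cx, nslots): slots used as bytes */
    default:               bytes = nslots * sizeof(jsval); break; /* JS_malloc(cx, nslots * sizeof(jsval)) */
    }
    slot_buf b = { bytes, malloc(bytes) };
    return b;
}

static int slot_in_bounds(const slot_buf *b, size_t i) {
    return (i + 1) * sizeof(jsval) <= b->bytes;
}

/* Perform the stores the engine performs (old/new value, then the zeroing
 * of the remaining slots) only where the slot lies inside the block, and
 * count every slot the engine or the marker would have touched past the
 * end of the allocation.  0 means the call is memory-safe. */
size_t watch_unsafe_slots(int strategy, unsigned nargs, unsigned extra) {
    slot_buf argv = watch_argv_alloc(strategy, nargs, extra);
    size_t nslots = watch_slots_touched(nargs, extra);
    size_t unsafe = 0;
    jsval oldv = 0x10, newv = 0x20;   /* constructed sample values */

    for (size_t i = 0; i < nslots; i++) {
        if (!slot_in_bounds(&argv, i)) { unsafe++; continue; }
        argv.data[i] = (i == 0) ? oldv : (i == 1) ? newv : 0;  /* memset(argv + 2, 0, ...) */
    }
    free(argv.data);
    return unsafe;
}

int main(void) {
    /* document.watch("title", function(a,b,c,d) {...}): nargs = 4 */
    size_t crash   = watch_unsafe_slots(ARGV_PREPATCH,    4, 0);  /* 2: slots 2 and 3 lie past the two-slot argv */
    size_t nocrash = watch_unsafe_slots(ARGV_PREPATCH,    0, 0);  /* 0: function() {...} only needs two slots */
    size_t buggy   = watch_unsafe_slots(ARGV_BUGGY_PATCH, 4, 0);  /* >0: only 4 bytes allocated for 4 jsvals */
    size_t fixed   = watch_unsafe_slots(ARGV_FIXED,       4, 0);  /* 0 */
    return (crash == 2 && nocrash == 0 && buggy > 0 && fixed == 0) ? 0 : 1;
}
```

The counts for ARGV_BUGGY_PATCH depend on sizeof(jsval), which is why the example only asserts they are non-zero; the point is that the shortfall exists on every word size, including for a zero-argument handler, which matches the "wrote to memory after the end of the heap buffer" report in comment 18.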
Comment 4•18 years ago (Assignee)
Comment on attachment 246687 [details] [diff] [review]
Possible fix
>+ frame.scopeChain = OBJ_GET_PARENT(cx, closure);
This line is not actually part of this patch.
Updated•18 years ago (Assignee)
Severity: normal → critical
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8.1
Comment 5•18 years ago (Assignee)
Attachment #246687 - Attachment is obsolete: true
Attachment #246733 - Flags: review?(brendan)
Attachment #246687 - Flags: review?(brendan)
Comment 6•18 years ago
Comment on attachment 246733 [details] [diff] [review]
Updated
r=me, thanks.
/be
Attachment #246733 - Flags: review?(brendan) → review+
Comment 7•18 years ago
Need this on the trunk when it opens, and on the branches sooner.
/be
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Updated•18 years ago
Keywords: crash, regression
Updated•18 years ago
Flags: blocking1.8.1.1? → blocking1.8.1.1+
Flags: blocking1.8.0.9? → blocking1.8.0.9+
Comment 8•18 years ago
mrbkap/brendan: Is the patch good as-is for the branches? If so, please ask for approval for 1.8.0.9 and 1.8.1.1. If we need separate patches, please attach and ask for separate approvals. Thanks!
Comment 9•18 years ago (Assignee)
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 10•18 years ago (Assignee)
Comment on attachment 246733 [details] [diff] [review]
Updated
This patch applies cleanly to the 1.8 branch.
Attachment #246733 - Flags: approval1.8.1.1?
Comment 11•18 years ago (Assignee)
Comment on attachment 246733 [details] [diff] [review]
Updated
This patch applies cleanly to the 1.8 branch.
Comment 12•18 years ago (Assignee)
The only changes are:
- fun->u.n.extra -> fun->extra (since the unionizing of JSFunction didn't happen on the 1.8.0 branch).
- JS_ARRAY_LENGTH doesn't exist on the 1.8.0 branch, so I hand-expanded it.
I don't think this needs another review.
Attachment #247101 - Flags: approval1.8.0.9?
Comment 13•18 years ago
Comment on attachment 246733 [details] [diff] [review]
Updated
Approved for 1.8 branch, a=jay for drivers.
Attachment #246733 - Flags: approval1.8.1.1? → approval1.8.1.1+
Comment 14•18 years ago
Comment on attachment 247101 [details] [diff] [review]
Patch for 1.8.0
Approved for 1.8.0 branch, a=jay for drivers.
Attachment #247101 - Flags: approval1.8.0.9? → approval1.8.0.9+
Comment 16•18 years ago
Updated•18 years ago
Flags: in-testsuite+
Comment 17•18 years ago (Reporter)
I can still reproduce crash.
This seems to be due to missing |* sizeof(jsval)|.
- argv = JS_malloc(cx, nslots);
+ argv = JS_malloc(cx, nslots * sizeof(jsval));
- memset(argv + 2, 0, nslots - 2);
+ memset(argv + 2, 0, (nslots - 2) * sizeof(jsval));
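Review bot: the two added multiplications are the whole fix and both are needed: JS_malloc takes a byte count, so JS_malloc(cx, nslots) reserved nslots bytes for nslots jsvals, and the stores into argv[0], argv[1] and the memset then ran past the end of the block, which is the "wrote to memory after the end of the heap buffer" report in comment 18. Only the length argument of memset needs scaling; `argv + 2` is already pointer arithmetic in units of jsval, so the offset is correct as written. To keep the element size from being dropped again, consider writing the size as `nslots * sizeof(argv[0])` so it follows the type of the buffer rather than a name that has to be remembered.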
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 18•18 years ago
In trunk winxp debug I get MSVC CRT Debug error: Heap Corruption Detected... detected that the application wrote to memory after the end of the heap buffer.
In 1.8.0.9|1.8.1.1 winxp debug I get MSVC CRT Debug error: DAMAGE after normal block
This should block the Firefox 1.5.0.9, Firefox 2.0.0.1 and Gran Paradiso releases.
Comment 19•18 years ago
Removing "fixed1.8.x.x" keywords since this doesn't appear to be fixed.
Blake/Brendan: We are past our code freeze date, but really need to get this fixed, so please let us know if either of you can take a look at this. It would be nice to have a patch together by Monday morning, since we were hoping to spin RC1 then.
Comment 20•18 years ago (Assignee)
I blame all of the Java code I've had to write lately.
Attachment #247282 - Flags: review?(brendan)
Attachment #247282 - Flags: approval1.8.1.1?
Attachment #247282 - Flags: approval1.8.0.9?
Comment 21•18 years ago
Comment on attachment 247282 [details] [diff] [review]
D'oh
I have no Java-on-the-brain excuse :-(.
This needs prompt approval for the branches.
/be
Attachment #247282 - Flags: review?(brendan) → review+
Comment 22•18 years ago (Assignee)
Fixed (again) on trunk.
Status: REOPENED → RESOLVED
Closed: 18 years ago → 18 years ago
Resolution: --- → FIXED
Comment 23•18 years ago
Comment on attachment 247282 [details] [diff] [review]
D'oh
Approved for both branches, a=jay for drivers. Thanks for the quick patch mrbkap. ;-)
Attachment #247282 - Flags: approval1.8.1.1? → approval1.8.1.1+
Attachment #247282 - Flags: approval1.8.0.9? → approval1.8.0.9+
Comment 24•18 years ago (Assignee)
Fixed, again.
Thanks for the heads-up moz_bug.
Keywords: fixed1.8.0.9, fixed1.8.1.1
Comment 25•18 years ago
verified fixed 20061203 1.8.0.9 windows/linux, 1.8.1.1 windows/linux, 1.9 windows/linux
Status: RESOLVED → VERIFIED
Updated•18 years ago
Whiteboard: [need new patch] → [sg:critical?]
Updated•18 years ago
Group: security
Comment 26•18 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-361964.js,v <-- regress-361964.js
Updated•14 years ago
Crash Signature: [@ MarkGCThingChildren]