Closed
Bug 374116
Opened 18 years ago
Closed 18 years ago
Crash [@ JS_GetPrivate] with E4X
Categories: Core :: JavaScript Engine, defect, P1
Status: VERIFIED FIXED
Target Milestone: mozilla1.9alpha3
People: Reporter: jruderman, Assigned: brendan
Details: 4 keywords
Crash Data
Attachments (2 files)
Attachment 1: 1.11 KB, patch (igor: review+; dveditz: approval1.8.1.4+; dveditz: approval1.8.0.12+)
Attachment 2: 1.18 KB, patch
js> <a/>.@b[1] = 2;
Segmentation fault
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x8000000c
Thread 0 Crashed:
0 js 0x00015c58 JS_GetPrivate + 15 (jsapi.c:2317)
1 js 0x000d5524 PutProperty + 1295 (jsxml.c:4312)
2 js 0x000d768f xml_setProperty + 93 (jsxml.c:5129)
3 js 0x00067877 js_Interpret + 57921 (jsinterp.c:3827)
4 js 0x000587c6 js_Execute + 715 (jsinterp.c:1612)
5 js 0x0001a12c JS_ExecuteScript + 54 (jsapi.c:4212)
6 js 0x000029d2 Process + 912 (js.c:268)
7 js 0x00003354 ProcessArgs + 1910 (js.c:494)
8 js 0x00007efd main + 612 (js.c:3159)
9 js 0x000024e6 _start + 216
10 js 0x0000240d start + 41
Flags: blocking1.9?
Updated•18 years ago
Whiteboard: [sg:critical?]
Updated•18 years ago
Assignee: general → crowder
Comment 1•18 years ago
I don't believe this is exploitable. It's a guaranteed load from 0x80000000+16, which if successful leads to other dependent loads, no jumps thru vtbls.
/be
Updated•18 years ago
Group: security
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Whiteboard: [sg:critical?]
Target Milestone: --- → mozilla1.9alpha3
Updated•18 years ago
Attachment #258729 - Flags: review?(igor) → review+
Comment 2•18 years ago
Fixed:
js/src/jsxml.c 3.149
/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 3•18 years ago
Comment on attachment 258729 [details] [diff] [review]
fix
Safe fix for dumb crash bug.
/be
Attachment #258729 - Flags: approval1.8.1.4?
Attachment #258729 - Flags: approval1.8.0.12?
Comment 4•18 years ago
/cvsroot/mozilla/js/tests/e4x/Regress/regress-374116.js,v <-- regress-374116.js
initial revision: 1.1
Flags: in-testsuite+
Comment 5•18 years ago
Fix bug number. Sorry.
/cvsroot/mozilla/js/tests/e4x/Regress/regress-374116.js,v <-- regress-374116.js
new revision: 1.2; previous revision: 1.1
Comment 7•18 years ago
Comment on attachment 258729 [details] [diff] [review]
fix
approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #258729 - Flags: approval1.8.1.4? → approval1.8.1.4+
Attachment #258729 - Flags: approval1.8.0.12? → approval1.8.0.12+
Comment 8•18 years ago
Trunk skewed far enough that this had to be hand-merged. I'm landing it on both branches now.
/be
Comment 9•18 years ago
js/src/jsxml.c 3.50.2.59
js/src/jsxml.c 3.50.2.15.2.30
/be
Keywords: fixed1.8.0.12, fixed1.8.1.4
Updated•14 years ago
Crash Signature: [@ JS_GetPrivate]