Closed
Bug 431409
Opened 17 years ago
Closed 17 years ago
[1.8 branch] Crash [@ js_AtomToPrintableString]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 371292
People
(Reporter: gkw, Assigned: igor)
Details
(Keywords: crash, testcase, Whiteboard: [sg:dupe 371292] verify testcase)
Crash Data
Attachments
(1 file)
|
2.04 KB,
text/plain
|
Details |
I found this bug and reduced it. Jesse Ruderman helped to reduce it even more, till:
"012345".__defineSetter__(5, function(){});
This command crashes at js_AtomToPrintableString with address 0x0000000000000013. It does not crash trunk js shell.
|
Reporter | |
Comment 1•17 years ago
|
||
Nominating blocking1.8.1.15 per Brendan's advice.
Flags: blocking1.8.1.15?
|
|
Reporter | |
Comment 2•17 years ago
|
||
Varying the length of the initial string produce different addresses, in comment #0 it is 13 (last few digits), I've seen 9 for shorter strings *and* strings with around 1500 characters, while some with lengths in between produce digits like e17 and 199.
If a suitably long initial string replaces "012345", it comes out with a "TypeError: redeclaration of const -144946491", and it changes to "TypeError: redeclaration of const 242614271" for an incredibly long string. Both cases with these TypeErrors don't crash though.
|
|
Reporter | |
Comment 3•17 years ago
|
||
(In reply to comment #0)
> It does not crash trunk js shell.
(In reply to comment #2)
> Both cases with these TypeErrors don't crash though.
Correction: The js shells in these cases work as expected, this should be the correct phrase.
|
||
Comment 4•17 years ago
|
||
Blocking per Brendan, but is this really a security bug? If the offsets are all small offsets from 0 then likely not, but the fact that they vary based on input length is worrying.
Can you take this, Igor?
qa: to reproduce put the line in comment 0 into the error console, you don't need the js shell. javascript: uri works, too.
Assignee: general → igor
Flags: blocking1.8.1.15? → blocking1.8.1.15+
|
|
||
Updated•17 years ago
|
Flags: wanted1.8.1.x+
|
Assignee | |
Comment 5•17 years ago
|
||
The bug is a dup of a trunk bug 371292 that was not nominated for the branch. I will do the branch fix there.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
|
|
Assignee | |
Comment 6•17 years ago
|
||
I am moving 1.8.1.15 nomination to the bug 371292 as this bug is a duplicate of the latter.
Flags: blocking1.8.1.15+
|
|
||
Updated•17 years ago
|
Whiteboard: [sg:dupe 371292] verify testcase
|
|
||
Updated•17 years ago
|
Group: security
|
|
Reporter | |
Updated•16 years ago
|
Flags: in-testsuite?
|
||
Updated•14 years ago
|
Crash Signature: [@ js_AtomToPrintableString]
You need to log in
before you can comment on or make changes to this bug.
Description
•