Bug 431409 - [1.8 branch] Crash [@ js_AtomToPrintableString]
Status: RESOLVED DUPLICATE of bug 371292
Whiteboard: [sg:dupe 371292] verify testcase
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: 1.8 Branch
Platform: x86 Mac OS X
Importance: -- critical
Target Milestone: ---
Assigned To: Igor Bukanov
QA Contact: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz
Reported: 2008-04-29 14:36 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2011-06-13 10:01 PDT
CC: 5 users
Flags: dveditz: wanted1.8.1.x+; gary: in‑testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachment: stacktrace (2.04 KB, text/plain), 2008-04-29 14:36 PDT, Gary Kwong [:gkw] [:nth10sd]

Description Gary Kwong [:gkw] [:nth10sd] 2008-04-29 14:36:30 PDT
Created attachment 318482

I found this bug and reduced it. Jesse Ruderman helped to reduce it even more, till:

"012345".__defineSetter__(5, function(){});

This command crashes at js_AtomToPrintableString with address 0x0000000000000013. It does not crash trunk js shell.
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2008-04-29 15:00:15 PDT
Nominating blocking1.8.1.15 per Brendan's advice.
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2008-04-29 15:15:47 PDT
Varying the length of the initial string produces different addresses; in comment #0 it is 13 (last few digits), I've seen 9 for shorter strings *and* strings with around 1500 characters, while some with lengths in between produce digits like e17 and 199.

If a suitably long initial string replaces "012345", it comes out with a "TypeError: redeclaration of const -144946491", and it changes to "TypeError: redeclaration of const 242614271" for an incredibly long string. Both cases with these TypeErrors don't crash though.
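The test case in comment 0 and the length sweep described in comment 2 can be turned into a regression check for a conforming engine. The block below is an added example, not from the bug report or from SpiderMonkey; it assumes a modern ECMAScript engine such as Node.js, where `__defineSetter__` boxes the string primitive to a String object whose in-range index properties are non-configurable data properties, so the expected result is a TypeError (not a crash) for an in-range index and success for an index one past the end. Function names and the string lengths swept are constructed for this example.

```javascript
// Added regression check (not the bug's or SpiderMonkey's own code).
// Assumes a modern ES engine (e.g. Node.js): "str".__defineSetter__(i, f)
// boxes the primitive; index properties of a String object are
// non-configurable data properties, so redefining one as an accessor must
// throw TypeError rather than crash or silently succeed.

function defineIndexSetterOnString(str, index) {
  try {
    str.__defineSetter__(index, function () {});
    return { outcome: "defined", error: null };
  } catch (e) {
    return { outcome: "threw", error: e && e.name };
  }
}

// The reduced test case from comment 0 (index 5 of a six-character string).
function checkOriginalCase() {
  return defineIndexSetterOnString("012345", 5);
}

// Comment 2 reports behaviour varying with the string length. Sweep a set of
// constructed lengths and record what happens for the last in-range index and
// for the first out-of-range index of a string of that length.
function sweepLengths(lengths) {
  const results = {};
  for (const n of lengths) {
    const s = "0".repeat(n);                                  // constructed input
    const inRange = defineIndexSetterOnString(s, n - 1);      // must be rejected
    const outOfRange = defineIndexSetterOnString(s, n);       // allowed on the wrapper
    results[n] = {
      inRange: inRange.outcome + ":" + inRange.error,
      outOfRange: outOfRange.outcome,
    };
  }
  return results;
}

// True when every length behaves as the spec requires: in-range index
// rejected with TypeError, out-of-range index accepted.
function allSpecCompliant(lengths) {
  const r = sweepLengths(lengths);
  return Object.values(r).every(
    (v) => v.inRange === "threw:TypeError" && v.outOfRange === "defined"
  );
}

// Stand-alone run: print the original case and the sweep verdict.
console.log(checkOriginalCase());
console.log(allSpecCompliant([1, 6, 100, 1500, 100000]));
```

Any length in the sweep that yields something other than `threw:TypeError` for the in-range index (or fails to accept the out-of-range index) is worth a closer look, since it means the engine's String exotic object is not enforcing its index property attributes.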
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2008-04-29 15:19:45 PDT
(In reply to comment #0)
> It does not crash trunk js shell.

(In reply to comment #2)
> Both cases with these TypeErrors don't crash though.

Correction: The js shells in these cases work as expected, this should be the correct phrase.
Comment 4 Daniel Veditz [:dveditz] 2008-04-30 11:21:45 PDT
Blocking per Brendan, but is this really a security bug? If the offsets are all small offsets from 0 then likely not, but the fact that they vary based on input length is worrying.

Can you take this, Igor?

qa: to reproduce put the line in comment 0 into the error console, you don't need the js shell. javascript: uri works, too.
Comment 5 Igor Bukanov 2008-05-30 00:40:40 PDT
The bug is a dup of a trunk bug 371292 that was not nominated for the branch. I will do the branch fix there.

*** This bug has been marked as a duplicate of bug 371292 ***
Comment 6 Igor Bukanov 2008-05-30 00:55:00 PDT
I am moving nomination to the bug 371292 as this bug is a duplicate of the latter.