Bug 435497 (Closed)
[1.8 branch] Crash [@ js_Interpret] or [@ js_HashString]
Opened 17 years ago; closed 17 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
People: Reporter: gkw, Assigned: crowderbt
Details: 4 keywords, Whiteboard: [sg:critical?]
Attachments: 3 files
Description (Reporter)
I found this bug and Jesse Ruderman helped to reduce the testcases.
(function() { x, x setter = 0, y; const x; })()
crashes at js_HashString calling memory address 0x000000003b517c41, and this changes when 0 is replaced by 1 or 2 etc.
(function() { x setter = 0, y; const x; })()
or
(function() { x getter= function(){} ; var x5, x = 0x99; })()
crash at js_Interpret calling memory address 0x0000000080000000.
They also assert at
Assertion failure: op2 == JSOP_INITELEM, at jsinterp.c:5132
May possibly be related to bug 434906?
I nominate them for blocking1.8.1.15 because they crash at scary non-null memory addresses, thus I think they may be exploitable. These testcases seem to get hit quite easily, as evidenced by the sample testcases in both this bug and its possible cousin bug 434906.
Flags: blocking1.8.1.15?
Comment 1 • 17 years ago (Reporter)
Comment 2 • 17 years ago (Reporter)
Separate sidenote: trunk js shell seems to work as expected with the testcases in comment #0.
Comment 3 • 17 years ago (Reporter)
Here's a graphical diff of the 2 stacktraces; I'm not sure if it's useful, but nonetheless I hope it helps.
Comment 4 • 17 years ago
Too late for 1.8.1.15 with no patch, but we want this. Nominating for 1.8.1.16.
Brian, can you look at this?
Assignee: general → crowder
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.16?
Flags: blocking1.8.1.15?
Flags: blocking1.8.1.15-
Updated • 17 years ago
Flags: blocking1.8.1.17? → blocking1.8.1.17+
Whiteboard: [sg:critical?]
Comment 5 • 17 years ago
Isn't this a dupe of bug 356378?
Comment 6 • 17 years ago
Gary, is this fixed for you in recent branch nightlies (or, really, Firefox 2.0.0.15)?
Comment 7 • 17 years ago (Reporter)
Sam, yes this is fixed, please resolve as appropriate. (WFM?)
Sample output after running the testcases in js shell, which now no longer crashes:
$ ./js-moz181-intelmac
js> (function() { x, x setter = 0, y; const x; })()
typein:1: SyntaxError: invalid setter usage
js> (function() { x setter = 0, y; const x; })()
typein:2: SyntaxError: invalid setter usage
js> (function() { x getter= function(){} ; var x5, x = 0x99; })()
typein:3: SyntaxError: invalid getter usage
js>
Comment 8 • 17 years ago
Fixed by bug 356378. (Opening up as well since that bug is open.)
Group: core-security
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated • 16 years ago (Reporter)
Flags: in-testsuite?
Comment 10 • 16 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-435497-01.js,v <-- regress-435497-01.js
initial revision: 1.1
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-435497-02.js,v <-- regress-435497-02.js
initial revision: 1.1
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-435497-03.js,v <-- regress-435497-03.js
initial revision: 1.1
http://hg.mozilla.org/mozilla-central/rev/b04c04268a94
Flags: in-testsuite?
Flags: in-testsuite+
Flags: in-litmus-
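The regress-435497-0x.js files checked in above are not reproduced on this page, so the following is an added example, not the project's own test code: a small regression harness in the spirit of the jstests "No Crash" checks. The three reduced testcases from comment 0 are handed to `new Function` (standing in for the js shell, which this page does not ship) so the result is a pure parse-time outcome and none of the code is ever executed. A current engine (Node.js here) rejects the old SpiderMonkey `x setter =` / `x getter =` syntax outright, so the expected outcome for every case is a SyntaxError from the parser, matching the shell transcript in comment 7. The names `TESTCASES`, `parseOutcome`, `runRegressions` and `allRejected` are this example's own.

```javascript
// Added example, not the regress-435497-0x.js files from the bug.
// The three testcases are copied verbatim from comment 0 of this bug.
const TESTCASES = {
  'regress-435497-01': '(function() { x, x setter = 0, y; const x; })()',
  'regress-435497-02': '(function() { x setter = 0, y; const x; })()',
  'regress-435497-03': '(function() { x getter= function(){} ; var x5, x = 0x99; })()',
};

// Classify what the parser does with one source string.
// Returns 'SyntaxError' for the expected, safe rejection, 'ok' if the
// source parsed (it would then deserve a look under a debugger for the
// interpreter/hash crash), or the name of any other error that was thrown.
function parseOutcome(src) {
  try {
    new Function(src); // parse only; the compiled body is never invoked
    return 'ok';
  } catch (e) {
    return e instanceof SyntaxError ? 'SyntaxError' : e.name;
  }
}

// Run every testcase and return a {name: outcome} map so the result can be
// asserted on rather than only printed.
function runRegressions(cases = TESTCASES) {
  const results = {};
  for (const [name, src] of Object.entries(cases)) {
    results[name] = parseOutcome(src);
  }
  return results;
}

// True when every testcase was rejected at parse time with a SyntaxError,
// i.e. none of the inputs reached the interpreter at all.
function allRejected(results) {
  return Object.values(results).every((r) => r === 'SyntaxError');
}

// Stand-alone run: print each outcome, then the overall verdict.
const outcomes = runRegressions();
for (const [name, outcome] of Object.entries(outcomes)) {
  console.log(`${name}: ${outcome}`);
}
console.log(allRejected(outcomes) ? 'No Crash (all rejected by parser)' : 'UNEXPECTED');
```

Because the harness only parses, it distinguishes "rejected by the parser" from "parsed but not run": a case that comes back `ok` is the one worth re-running in a real shell under a debugger, since on the 1.8 branch the crash signatures were in js_Interpret and js_HashString, not in the parser.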
Comment 11 • 16 years ago
verified fixed on 1.9.1, 1.9.0, 1.8.1. verifying for 1.8.1.16 since bug 356378 was verified on 1.8.1.15.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.16 → verified1.8.1.16
Updated • 14 years ago
Crash Signature: [@ js_Interpret]
[@ js_HashString]