Closed Bug 435497 Opened 16 years ago Closed 16 years ago

[1.8 branch] Crash [@ js_Interpret] or [@ js_HashString]

Categories

(Core :: JavaScript Engine, defect)

1.8 Branch
x86
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: gkw, Assigned: crowderbt)

References

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(3 files)

I found this bug and Jesse Ruderman helped to reduce the testcases.

(function() { x, x setter = 0, y; const x; })()

crashes at js_HashString calling memory address 0x000000003b517c41, and this changes when 0 is replaced by 1 or 2 etc.

(function() { x setter = 0, y; const x; })()

or

(function() { x getter= function(){} ; var x5, x = 0x99; })()

crash at js_Interpret calling memory address 0x0000000080000000.

They also assert at

Assertion failure: op2 == JSOP_INITELEM, at jsinterp.c:5132

May possibly be related to bug 434906?

I nominate them for blocking1.8.1.15 because they crash at scary non-null memory addresses, thus I think they may be exploitable. These testcases seem to get hit quite easily, as evidenced by the sample testcases in both this bug and its possible cousin bug 434906.
Flags: blocking1.8.1.15?
Separate sidenote: the trunk js shell seems to work as expected with the testcases in comment #0.
Here's a graphical diff of the 2 stacktraces; I'm not sure if it's useful, but nonetheless I hope it helps.
Too late for 1.8.1.15 with no patch, but we want this. Nominating for 1.8.1.16.

Brian, can you look at this?
Assignee: general → crowder
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.16?
Flags: blocking1.8.1.15?
Flags: blocking1.8.1.15-
Flags: blocking1.8.1.17? → blocking1.8.1.17+
Whiteboard: [sg:critical?]
Isn't this a dupe of bug 356378?
Gary, is this fixed for you in recent branch nightlies (or, really, Firefox 2.0.0.15)?
Sam, yes this is fixed, please resolve as appropriate. (WFM?)

Sample output after running the testcases in js shell, which now no longer crashes:

$ ./js-moz181-intelmac
js> (function() { x, x setter = 0, y; const x; })()
typein:1: SyntaxError: invalid setter usage
js> (function() { x setter = 0, y; const x; })()
typein:2: SyntaxError: invalid setter usage
js> (function() { x getter= function(){} ; var x5, x = 0x99; })()
typein:3: SyntaxError: invalid getter usage
js>
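The js shell transcript above is what a regression test for this bug has to pin down: each of the three testcases from comment 0 must be rejected by the parser with a SyntaxError, never accepted and never reach the interpreter paths that crashed. The following is an added illustration of that check, not one of the regress-435497-0N.js files landed in the bug and not Mozilla code; it compiles each function body with the standard `Function` constructor and records the outcome. It assumes a modern JavaScript engine (for example Node.js), which never supported the legacy `x setter =` / `x getter =` form and so reports SyntaxError for all three. The point of the harness shape is that a crash would end the process before any outcome is recorded, so the test completing with three SyntaxError results is itself evidence that the crash is gone.

```javascript
// Added example (not from the bug report or the Mozilla test suite).
// The three snippets are the function bodies of the testcases quoted in
// comment 0 of bug 435497. Each must be rejected at compile time with a
// SyntaxError: a crash would terminate the process before a result is
// recorded, and a successful compile would mean the parser accepted the
// malformed getter/setter form again.
const TESTCASES = [
  "x, x setter = 0, y; const x;",
  "x setter = 0, y; const x;",
  "x getter= function(){} ; var x5, x = 0x99;",
];

// Compile one snippet as a function body without executing it and report
// how the engine reacted.
function compileOutcome(src) {
  try {
    new Function(src);
    return "compiled"; // parser accepted the source
  } catch (e) {
    return e instanceof SyntaxError ? "SyntaxError" : "other:" + e.name;
  }
}

// Run every case; returns { pass, results } so a harness can assert on it
// instead of relying on printed output.
function runRegressionCheck(cases = TESTCASES) {
  const results = cases.map((src) => ({ src, outcome: compileOutcome(src) }));
  const pass = results.every((r) => r.outcome === "SyntaxError");
  return { pass, results };
}

// Stand-alone run: print one line per testcase and an overall verdict.
if (typeof require !== "undefined" && require.main === module) {
  const { pass, results } = runRegressionCheck();
  for (const r of results) console.log(`${r.outcome.padEnd(12)} ${r.src}`);
  console.log(pass ? "PASS" : "FAIL");
}
```

A baseline case such as `compileOutcome("var ok = 1;")` returns `"compiled"`, which confirms the check is distinguishing the malformed inputs from ordinary code rather than flagging everything.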
Fixed by bug 356378. (Opening up as well since that bug is open.)
Group: core-security
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Removing blocking flag too.
Flags: blocking1.8.1.17+
Keywords: fixed1.8.1.16
Flags: in-testsuite?
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-435497-01.js,v  <--  regress-435497-01.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-435497-02.js,v  <--  regress-435497-02.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/extensions/regress-435497-03.js,v  <--  regress-435497-03.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/b04c04268a94
Flags: in-testsuite?
Flags: in-testsuite+
Flags: in-litmus-
Verified fixed on 1.9.1, 1.9.0, 1.8.1. Verifying for 1.8.1.16 since bug 356378 was verified on 1.8.1.15.
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_Interpret] [@ js_HashString]