Closed Bug 480791 Opened 15 years ago Closed 15 years ago

Crash [@ js_NewObjectWithGivenProto]

Categories

(Core :: JavaScript Engine, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking

VERIFIED DUPLICATE of bug 480657

People

(Reporter: gkw, Unassigned)

Details

(Keywords: crash, testcase)

Crash Data

eval("new Math.sin");

crashes debug js shell at js_NewObjectWithGivenProto at a possibly exploitable location on TM tip, -j not needed. Opt seems to work as expected. This is a recent occurrence.


js> eval("new Math.sin");
[New Thread 0xb7d446c0 (LWP 14113)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7d446c0 (LWP 14113)]
0x080bef4b in js_NewObjectWithGivenProto (cx=0xa19bd90, clasp=0xdadadada, proto=0xa19f0e0, parent=0xa19f0c0, objectSize=32) at ../jsobj.cpp:2898
2898	                 ((JSExtendedClass *)clasp)->equality);
(gdb) bt
#0  0x080bef4b in js_NewObjectWithGivenProto (cx=0xa19bd90, clasp=0xdadadada, proto=0xa19f0e0, parent=0xa19f0c0, objectSize=32) at ../jsobj.cpp:2898
#1  0x080c3475 in js_NewObject (cx=0xa19bd90, clasp=0xdadadada, proto=0xa19f0e0, parent=0xa19f0c0, objectSize=0) at ../jsobj.cpp:2866
#2  0x080afd82 in js_InvokeConstructor (cx=0xa19bd90, argc=0, clampReturn=0, vp=0xa1a5024) at ../jsinterp.cpp:1801
#3  0x081c461e in js_Interpret (cx=0xa19bd90) at ../jsinterp.cpp:4796
#4  0x080aed79 in js_Execute (cx=0xa19bd90, chain=0xa19f000, script=0xa1a3e60, down=0xbf911b90, flags=18, result=0xbf91136c) at ../jsinterp.cpp:1567
#5  0x080c6b58 in obj_eval (cx=0xa19bd90, obj=0xa19f000, argc=1, argv=0xa1a5020, rval=0xbf91136c) at ../jsobj.cpp:1478
#6  0x080af87b in js_Invoke (cx=0xa19bd90, argc=1, vp=0xa1a5018, flags=2) at ../jsinterp.cpp:1318
#7  0x081c539e in js_Interpret (cx=0xa19bd90) at ../jsinterp.cpp:5026
#8  0x080aed79 in js_Execute (cx=0xa19bd90, chain=0xa19f000, script=0xa1a3d88, down=0x0, flags=0, result=0xbf911cd4) at ../jsinterp.cpp:1567
#9  0x08058834 in JS_ExecuteScript (cx=0xa19bd90, obj=0xa19f000, script=0xa1a3d88, rval=0xbf911cd4) at ../jsapi.cpp:5130
#10 0x08051aff in Process (cx=0xa19bd90, obj=0xa19f000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:477
#11 0x08052309 in ProcessArgs (cx=0xa19bd90, obj=0xa19f000, argv=0xbf911e48, argc=0) at ../../shell/js.cpp:778
#12 0x0805260b in main (argc=0, argv=0xbf911e48, envp=0xbf911e4c) at ../../shell/js.cpp:4630
(gdb)
Flags: blocking1.9.1?
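As an added regression-style check (not code from this bug or from the SpiderMonkey tree), the following JavaScript invokes every built-in Math native as a constructor, in the shape of the testcase above, and classifies what happens. A sound engine either returns a value (the repaired shell later in this bug prints NaN) or throws a TypeError (current engines reject `new Math.sin` as "not a constructor"); what it must never do is reach js_NewObjectWithGivenProto with a garbage class pointer as in the backtrace. The function names `constructOutcome`, `probeMathNatives`, `evalTestcase` and `allBenign` are my own.

```javascript
// Added regression-style check; not part of the original bug report.
// Calls each Math native with `new` and records the outcome so that the
// native-as-constructor path is exercised for the whole Math object, not
// just Math.sin.

// Outcome classification for one constructor call.
function constructOutcome(fn, name) {
  try {
    const v = new fn();            // same shape as the testcase: new Math.sin
    return { name, outcome: "value", value: v };
  } catch (e) {
    // "x is not a constructor" is the expected rejection in current engines.
    if (e instanceof TypeError) return { name, outcome: "TypeError" };
    return { name, outcome: "other", error: String(e) };
  }
}

// Walk every function-valued own property of Math (constants such as
// Math.PI are skipped) and construct each one.
function probeMathNatives() {
  const results = [];
  for (const name of Object.getOwnPropertyNames(Math)) {
    const fn = Math[name];
    if (typeof fn !== "function") continue;
    results.push(constructOutcome(fn, name));
  }
  return results;
}

// Run the literal testcase through eval as the report did, so the
// obj_eval -> js_InvokeConstructor path from the backtrace is covered too.
function evalTestcase() {
  try {
    return { outcome: "value", value: eval("new Math.sin") };
  } catch (e) {
    return { outcome: e instanceof TypeError ? "TypeError" : "other" };
  }
}

// True when no native produced anything other than a value or a TypeError.
function allBenign(results) {
  return results.every((r) => r.outcome === "value" || r.outcome === "TypeError");
}

// Stand-alone run: print a per-native summary. A crash would of course never
// reach the final line, which is the point of running this under a debug build.
if (typeof require !== "undefined" && require.main === module) {
  const results = probeMathNatives();
  for (const r of results) console.log(r.name.padEnd(8), r.outcome);
  console.log("eval testcase:", evalTestcase().outcome);
  console.log(allBenign(results) ? "no unexpected errors" : "UNEXPECTED ERROR");
}
```

Run it under a debug shell after any change to the object-construction or native-call paths; the interesting signal is the process surviving to print the summary, with every line reporting either a value or a TypeError.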
Crashes at 0xdadadade on Mac Leopard; comment #0 is from Ubuntu 8.10.
Whiteboard: [sg:critical?]
I changed something recently in this area.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Sorry, my bad. Tree was burning; I should have seen that and backed out the patch earlier.

js> eval("new Math.sin");
NaN
js>
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical?]
I don't know how to make this not security critical. Removed all other flags since the offending patch is gone from the tree.
Flags: blocking1.9.1?
(In reply to comment #4)
> I don't know how to make this not security critical. Removed all other flags
> since the offending patch is gone from the tree.

Opening up.
Group: core-security
Flags: in-testsuite?
Crash Signature: [@ js_NewObjectWithGivenProto]