Closed Bug 505142 Opened 16 years ago Closed 15 years ago

Data from Faulting Address may be used as a return value starting at js3250!Queue

Categories

(Core :: JavaScript Engine, defect)

1.9.1 Branch
x86
Windows XP
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
blocking1.9.1 --- needed
status1.9.1 --- wanted

People

(Reporter: cbook, Assigned: automation)

References


Details

(Keywords: crash, qawanted, Whiteboard: [sg:critical?] WFM on trunk post 1.9.2)

Attachments

(1 file)

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090716 Shiretoko/3.5.1pre

found during crashtest run:

Steps to reproduce:
-> Load http://cgi.ebay.de/HTC-HOLLYWOOD-TRADING-COMPANY-WINDSOR-FLECHT-GURTEL-80_W0QQitemZ120432987537QQcmdZViewItemQQptZMode_Accessoires_Damenaccessoires_Dameng%C3%BCrtel?hash=item1c0a5d8d91&_trksid=p3286.c0.m14&_trkparms=65%3A10%7C66%3A2%7C39%3A1%7C240%3A1318% (in my case I had to reload the page)
-> Crash

(16c.908): Access violation - code c0000005 (!!! second chance !!!)
eax=6f772f3a ebx=7ffde000 ecx=6f772f3a edx=08652aa8 esi=01252c73 edi=74736574
eip=00607a3a esp=0012e62c ebp=0012e630 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
js3250!Queue<unsigned short>::length+0xa:
00607a3a 8b4004          mov     eax,dword ptr [eax+4] ds:0023:6f772f3e=????????

Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address may be used as a return value starting at js3250!Queue<unsigned short>::length+0x000000000000000a (Hash=0x7d677756.0x701d6729)

The data from the faulting address may later be used as a return value from this function.
ChildEBP RetAddr
0012e630 005d808c js3250!Queue<unsigned short>::length+0xa
0012e648 005ec146 js3250!specializeTreesToMissingGlobals+0xbc
0012e6c8 005ec085 js3250!js_CheckEntryTypes+0x76
0012e6d8 005ebdfb js3250!js_FindVMCompatiblePeer+0x75
0012e724 00510194 js3250!js_MonitorLoopEdge+0x29b
0012ee50 00507fe6 js3250!js_Interpret+0x6a74
0012eee0 004b2bf7 js3250!js_Execute+0x2e6
0012ef08 03015740 js3250!JS_EvaluateUCScriptForPrincipals+0xe7
0012efb4 02ea758a gklayout!nsJSContext::EvaluateString+0x2c0
0012f0ac 02ea703d gklayout!nsScriptLoader::EvaluateScript+0x37a
0012f170 02ea68c0 gklayout!nsScriptLoader::ProcessRequest+0xfd
0012f660 0330c569 gklayout!nsScriptLoader::ProcessScriptElement+0x1040
0012f694 03324444 gklayout!nsScriptElement::MaybeProcessScript+0x149
0012f74c 0332422f gklayout!nsHTMLScriptElement::MaybeProcessScript+0x24
0012f758 02f3f5ef gklayout!nsHTMLScriptElement::DoneAddingChildren+0x1f
0012f77c 02f3a34d gklayout!HTMLContentSink::ProcessSCRIPTEndTag+0xcf
0012f7b0 02f3d7e0 gklayout!SinkContext::CloseContainer+0x31d
0012f7c8 0455ecba gklayout!HTMLContentSink::CloseContainer+0xa0
0012f7f8 0455bcf4 gkparser!CNavDTD::CloseContainer+0x18a
0012f83c 045597ae gkparser!CNavDTD::HandleEndToken+0x214
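A first triage pass on a dump like the one above is to decode the register values and check them against the faulting instruction. The following script is an added example for this page, not code from the bug or from Mozilla; it takes the register line and the `mov eax,dword ptr [eax+4]` line exactly as pasted in comment 0 and labels each register as near-null, printable ASCII, or pointer-like, then recomputes the dereferenced address from the operand and compares it with the `ds:0023:...` address WinDbg reported. On this dump the base register of the faulting operand (eax, 0x6f772f3a) decodes to the bytes `:/wo` and edi (0x74736574) to `test`, so the value being dereferenced is string data rather than a small near-null value; the computed address 0x6f772f3e matches the reported one. The classification thresholds are the example's own heuristics, not anything the bug states.

```python
import re
from typing import Dict, Optional

# Register dump and faulting instruction copied from the WinDbg output in
# comment 0 of this bug (these two strings are from the page, not constructed).
REGISTER_LINE = (
    "eax=6f772f3a ebx=7ffde000 ecx=6f772f3a edx=08652aa8 esi=01252c73 edi=74736574 "
    "eip=00607a3a esp=0012e62c ebp=0012e630 iopl=0"
)
FAULTING_INSTRUCTION = "00607a3a 8b4004 mov eax,dword ptr [eax+4] ds:0023:6f772f3e=????????"

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})\b")
# Memory operands of the form [reg], [reg+disp] or [reg-0xdisp]; scaled-index
# forms are not handled by this example.
OPERAND_RE = re.compile(r"\[(eax|ebx|ecx|edx|esi|edi|esp|ebp)([+-](?:0x)?[0-9a-f]+)?\]")
# WinDbg prints the resolved effective address as ds:<selector>:<address>=
REPORTED_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=")


def parse_registers(line: str) -> Dict[str, int]:
    """Parse 'reg=hex' pairs from a 32-bit WinDbg register line."""
    return {name: int(value, 16) for name, value in REG_RE.findall(line)}


def classify(value: int) -> str:
    """Heuristic label for a 32-bit value that is about to be used as a pointer.

    near-null    : below 0x10000 (assumed threshold), typical of a NULL object
                   or member reached through a failed allocation
    ascii:<text> : all four little-endian bytes are printable, i.e. the slot
                   holds string bytes instead of a pointer
    pointer-like : anything else
    """
    if value < 0x10000:
        return "near-null"
    raw = value.to_bytes(4, "little")
    if all(0x20 <= b < 0x7F for b in raw):
        return "ascii:" + raw.decode("ascii")
    return "pointer-like"


def faulting_address(regs: Dict[str, int], instruction: str) -> Optional[int]:
    """Recompute the address the memory operand dereferences from the registers."""
    m = OPERAND_RE.search(instruction)
    if m is None:
        return None
    base = regs[m.group(1)]
    disp = int(m.group(2), 16) if m.group(2) else 0  # int() accepts a 0x prefix with base 16
    return (base + disp) & 0xFFFFFFFF


def reported_address(instruction: str) -> Optional[int]:
    """Faulting address as WinDbg printed it after the operand."""
    m = REPORTED_RE.search(instruction)
    return int(m.group(1), 16) if m else None


def triage(register_line: str, instruction: str) -> Dict[str, object]:
    """Label every register and check the dump's fault address for consistency."""
    regs = parse_registers(register_line)
    computed = faulting_address(regs, instruction)
    reported = reported_address(instruction)
    return {
        "registers": {name: classify(v) for name, v in regs.items()},
        "computed_fault": computed,
        "reported_fault": reported,
        "consistent": computed is not None and computed == reported,
    }


if __name__ == "__main__":
    result = triage(REGISTER_LINE, FAULTING_INSTRUCTION)
    for name, label in result["registers"].items():
        print(f"{name}: {label}")
    print(f"computed fault address: {result['computed_fault']:#010x}, "
          f"reported: {result['reported_fault']:#010x}, consistent: {result['consistent']}")
```

Run it as a script to print one line per register; the `ascii:` labels are the ones worth a second look when deciding whether a crash is a plain out-of-memory null dereference or an object slot that holds the wrong kind of data.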
Flags: blocking1.9.0.12?
Attached file local copy of the page
Can you reproduce with the local copy? This looks like oom to me.
Assignee: general → gal
(In reply to comment #2)
> Can you reproduce with the local copy? This looks like oom to me.

Yes, it's reproducible with the local copy, and it also crashes Mac Minefield (http://crash-stats.mozilla.com/report/index/ce3983d9-dbfa-4acf-8fb0-a54122090719?p=1) just now :?

Crashing Thread
Frame  Module          Signature                                          Source
0      libmozjs.dylib  specializeTreesToMissingGlobals                    js/src/jstracer.cpp:1558
1      libmozjs.dylib  js_MonitorLoopEdge                                 js/src/jstracer.cpp:5071
2      libmozjs.dylib  js_Interpret                                       js/src/jsinterp.cpp:3918
3      libmozjs.dylib  js_Execute                                         js/src/jsinterp.cpp:1635
4      libmozjs.dylib  JS_EvaluateUCScriptForPrincipals                   js/src/jsapi.cpp:5158
5      XUL             nsJSContext::EvaluateString                        dom/base/nsJSEnvironment.cpp:1682
6      XUL             nsScriptLoader::EvaluateScript                     content/base/src/nsScriptLoader.cpp:686
7      XUL             nsScriptLoader::ProcessRequest                     content/base/src/nsScriptLoader.cpp:600
8      XUL             nsScriptLoader::ProcessScriptElement               content/base/src/nsScriptLoader.cpp:554
9      XUL             nsScriptElement::MaybeProcessScript                content/base/src/nsScriptElement.cpp:193
10     XUL             nsHTMLScriptElement::MaybeProcessScript            content/html/content/src/nsHTMLScriptElement.cpp:547
11     XUL             HTMLContentSink::ProcessSCRIPTEndTag               content/html/document/src/nsHTMLContentSink.cpp:3096
12     XUL             SinkContext::CloseContainer                        content/html/document/src/nsHTMLContentSink.cpp:1014
13     XUL             HTMLContentSink::CloseContainer                    content/html/document/src/nsHTMLContentSink.cpp:2376
14     XUL             CNavDTD::CloseContainer                            parser/htmlparser/src/CNavDTD.cpp:2762
15     XUL             CNavDTD::HandleEndToken                            parser/htmlparser/src/CNavDTD.cpp:1641
16     XUL             CNavDTD::HandleToken                               parser/htmlparser/src/CNavDTD.cpp:721
17     XUL             CNavDTD::BuildModel                                parser/htmlparser/src/CNavDTD.cpp:304
18     XUL             nsParser::BuildModel                               parser/htmlparser/src/nsParser.cpp:2452
19     XUL             nsParser::ResumeParse                              parser/htmlparser/src/nsParser.cpp:2333
20     XUL             nsParser::OnDataAvailable                          parser/htmlparser/src/nsParser.cpp:2981
21     XUL             nsBaseChannel::OnDataAvailable                     netwerk/base/src/nsBaseChannel.cpp:708
22     XUL             nsInputStreamPump::OnStateTransfer                 netwerk/base/src/nsInputStreamPump.cpp:508
23     XUL             nsInputStreamPump::OnInputStreamReady              netwerk/base/src/nsInputStreamPump.cpp:398
24     XUL             nsInputStreamReadyEvent::Run                       xpcom/io/nsStreamUtils.cpp:111
25     XUL             nsThread::ProcessNextEvent                         xpcom/threads/nsThread.cpp:527
26     XUL             NS_ProcessPendingEvents_P                          nsThreadUtils.cpp:180
27     XUL             nsBaseAppShell::NativeEventCallback                widget/src/xpwidgets/nsBaseAppShell.cpp:121
28     XUL             nsAppShell::ProcessGeckoEvents                     widget/src/cocoa/nsAppShell.mm:413
29     CoreFoundation  CFRunLoopRunSpecific
30     CoreFoundation  CFRunLoopRunInMode
31     HIToolbox       RunCurrentEventLoopInMode
32     HIToolbox       ReceiveNextEventCommon
33     HIToolbox       BlockUntilNextEventMatchingListInMode
34     AppKit          _DPSNextEvent
35     AppKit          -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
36     AppKit          -[NSApplication run]
37     XUL             nsAppShell::Run                                    widget/src/cocoa/nsAppShell.mm:766
38     XUL             nsAppStartup::Run                                  toolkit/components/startup/src/nsAppStartup.cpp:193
39     XUL             XRE_main                                           toolkit/xre/nsAppRunner.cpp:3369
40     firefox-bin     main                                               browser/app/nsBrowserApp.cpp:156
41     firefox-bin     firefox-bin@0x1541
42     firefox-bin     firefox-bin@0x1468
I will try to create a reduced testcase today.
Might be related to bug 503620.
I am ok with just a local copy I can click on. Doesn't have to be reduced for the moment. I can't reproduce so far.
Flags: blocking1.9.0.12? → blocking1.9.0.13?
This is jit only, afaict, so doesn't need to block 1.9.0.13.
blocking1.9.1: --- → needed
Flags: blocking1.9.0.13? → wanted1.9.0.x-
I couldn't get the testcase to crash Minefield on Windows. Tomcat, are you still seeing this one?
Whiteboard: [sg:investigate]
(In reply to comment #8)
> I couldn't get the testcase to crash Minefield on Windows. Tomcat, are you
> still seeing this one?

Seems this is now WFM for me; seems we fixed this somewhere.
"wfm" on trunk I presume? What about the 1.9.1 branch?
Keywords: qawanted
Whiteboard: [sg:investigate] → [sg:critical?] WFM on trunk post 1.9.2
Tomcat, could we get an update on the status here?
(In reply to comment #11)
> Tomcat, could we get an update on the status here?

Tested, and it does not crash anymore. I got a lot of

WARNING: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file c:\work\mozilla\builds\1.9.1\mozilla\layout\base\nsPresContext.h, line 1026

on 1.9.1/windows but no crash. --> works for me
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Assignee: gal → automation
Group: core-security → core-security-release
Group: core-security-release
