Bug 505360 (Closed)
TM: Crash [@ __memcpy - jsstr::js_StringReplaceHelper()]
Opened 15 years ago; closed 15 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED DUPLICATE of bug 505305
People: Reporter aaronmt, Unassigned
Keywords: crash, verified1.9.1; Whiteboard: [sg:dupe 505305]
Description
Crash on load of URL in do_replace()
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090720 Minefield/3.6a1pre
http://crash-stats.mozilla.com/report/index/d71bd634-ce61-431f-9cac-c5c4c2090720
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x1efffff0
0xffff0af6 in ___memcpy ()
#0 0xffff0af6 in ___memcpy () at /System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h:246
#1 0x00361e51 in do_replace (cx=0xac7600, rdata=0xbfffcb40, chars=0x16df82f0) at /Users/mozilla/mozilla-central/js/src/jsstr.cpp:1696
#2 0x003640b7 in js_StringReplaceHelper (cx=0xac7600, argc=4294903656, lambda=0x0, repstr=0x17203c80, vp=0xc2fcf4) at /Users/mozilla/mozilla-central/js/src/jsstr.cpp:1832
#3 0x0036413f in str_replace (cx=0xac7600, argc=2, vp=0xc2fcf4) at /Users/mozilla/mozilla-central/js/src/jsstr.cpp:1775
#4 0x002c72d7 in js_Interpret (cx=0xac7600) at /Users/mozilla/mozilla-central/js/src/jsinterp.cpp:5182
#5 0x002d9ceb in js_Invoke (cx=0xac7600, argc=1, vp=0xc2fc24, flags=32) at jsinterp.cpp:1370
#6 0x002da758 in js_InternalInvoke (cx=0xac7600, obj=<value temporarily unavailable, due to optimizations>, fval=342388848, flags=0, argc=1, argv=0xc2fc20, rval=0xbfffd3b8) at jsinterp.cpp:1442
#7 0x00247353 in JS_CallFunctionValue (cx=0xac7600, obj=0xffff0768, fval=-63640, argc=4294903656, argv=0xffff0768, rval=0xffff0768) at /Users/mozilla/mozilla-central/js/src/jsapi.cpp:5199
#8 0x18b3bae1 in nsJSContext::CallEventHandler (this=0x1b907bf0, aTarget=0x126d65e0, aScope=0x19e64c60, aHandler=<value temporarily unavailable, due to optimizations>, aargv=0x16dbd980, arv=0xbfffd5f4) at /Users/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:2092
#9 0x18bd8b4b in nsCOMPtr<nsIVariant>::get () at nsCOMPtr.h:247
#10 0x18bd8b4b in ~nsGetterAddRefs [inlined] () at nsCOMPtr.h:1329
EXPLOITABLE: Exploitable - User Mode Write AV starting at MSVCR80D!strnicmp+0x00000000000003a3 (Hash=0x171a7743.0x3e542632): http://www.donorschoose.org/donors/search.html?page=9&keywords=music&max=50: EXIT STATUS: ABNORMAL 84 (95.610000 seconds)
Comment 1•15 years ago
argc=4294903656? That's unlikely.
#2 0x003640b7 in js_StringReplaceHelper (cx=0xac7600, argc=4294903656, lambda=0x0, repstr=0x17203c80, vp=0xc2fcf4) at /Users/mozilla/mozilla-central/js/src/jsstr.cpp:1832
#3 0x0036413f in str_replace (cx=0xac7600, argc=2, vp=0xc2fcf4) at
Updated•15 years ago
blocking1.9.1: --- → ?
Comment 2•15 years ago
How about branch?
Comment 3•15 years ago
gal: this looks like the bug that I mentioned to you earlier today.
Comment 4•15 years ago
argc is just passed through here. Either the stack dump is lying, or the stack got blown away (partially). I have my money on the former, since otherwise the stack walk wouldn't work properly.
static JSBool
str_replace(JSContext *cx, uintN argc, jsval *vp)
{
    JSObject *lambda;
    JSString *repstr;

    /* Second argument is a function: use it as the replacement lambda. */
    if (argc >= 2 && JS_TypeOfValue(cx, vp[3]) == JSTYPE_FUNCTION) {
        lambda = JSVAL_TO_OBJECT(vp[3]);
        repstr = NULL;
    } else {
        /* Otherwise coerce the second argument to a rooted replacement string. */
        lambda = NULL;
        repstr = ArgToRootedString(cx, argc, vp, 1);
        if (!repstr)
            return JS_FALSE;
    }
    /* argc is forwarded unchanged to the helper. */
    return js_StringReplaceHelper(cx, argc, lambda, repstr, vp);
}
Comment 5 (Reporter)•15 years ago
Crash on debug build
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.2pre) Gecko/20090720 Shiretoko/3.5.2pre
and relbranch 3.5.1
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
http://crash-stats.mozilla.com/report/index/c86e576f-0efc-43bd-a130-fd8c52090720?p=1
Comment 8•15 years ago
Duping to Tomcat's bug, which beat this one out by about a day.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Comment 10•15 years ago
I'm going to mark this blocking because I marked bug 505305 blocking. We should ensure this case is completely fixed as well when verifying bug 505305.
blocking1.9.1: ? → .2+
Comment 12•15 years ago
Verified vicariously through 505305. Adding the keyword verified1.9.1 to dot the i.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Keywords: verified1.9.1
Updated•15 years ago
Whiteboard: [sg:dupe 505305]
Updated•15 years ago
Group: core-security
Updated•15 years ago
Flags: wanted1.9.0.x-
Updated•13 years ago
Crash Signature: [@ __memcpy - jsstr::js_StringReplaceHelper()]