Closed Bug 509075 Opened 10 years ago Closed 10 years ago

Crash [@ js_ValueToString]

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set

Tracking

RESOLVED FIXED
Tracking Status
blocking1.9.2 --- .11+
status1.9.2 --- .11-fixed
blocking1.9.1 --- .14+
status1.9.1 --- .14-fixed

People

(Reporter: pvnick, Assigned: mrbkap)

References

Details

(Whiteboard: [sg:critical])

Attachments

(4 files)

Attached file testcase
No description provided.
Attached file stack
Group: core-security
crashes mac 1.9.2 @ JS_HashTableDestroy
bp-b5d38e43-91b8-4994-8ac7-bacb62090807
I suck :(.
Assignee: general → mrbkap
Attached patch: Fix (Splinter Review)
The fix here is the argc == 0 check, the rest of it is updating the code to use shiny new APIs.
Attachment #393249 - Flags: review?(jorendorff)
I'm so sorry, I didn't think this was security-sensitive. Not bad for my fuzzer's first bug ;)
Attachment #393249 - Flags: review?(jorendorff) → review+
Attachment #393249 - Flags: superreview?(jst)
Attachment #393249 - Flags: superreview?(jst) → superreview+
http://hg.mozilla.org/mozilla-central/rev/8b71bff4079d
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?]
Whiteboard: [sg:critical?] → [sg:critical]
Re-reported as bug 598669 / ZDI-CAN-929.
Why wasn't this fix backported to 1.9.2, especially if it's been fixed on trunk for a year? :/
blocking1.9.2: --- → ?
status1.9.2: --- → ?
blocking1.9.1: --- → ?
blocking1.9.2: ? → .11+
status1.9.1: --- → ?
I crashed with this testcase in 3.5.12pre (bp-efdae1d6-c261-42ba-a8a2-be5882100924 -- pthread_mutex_lock, something else?) but after upgrading to a current nightly I no longer crash. Is this problem a regression between 1.9.1 and 1.9.2?
I take back comment 9: it doesn't seem to crash in 1.9.1 if I open the testcase in a new tab, but if I just click the link to navigate from the bug to the testcase it goes down immediately. Another pthread_mutex_lock crash, but with symbols this time so it does look like the same area as this bug and bug 598669
bp-2fa1fcef-aab5-46a8-b5df-8ea972100924
blocking1.9.1: ? → .14+
Attached patch: 1.9.2 fix. (Splinter Review)
Attachment #478904 - Flags: review?(mrbkap)
Comment on attachment 478904 [details] [diff] [review]
1.9.2 fix.

Thanks!
Attachment #478904 - Flags: review?(mrbkap) → review+
Comment on attachment 478904 [details] [diff] [review]
1.9.2 fix.

This applies to 1.9.1 as well, and while I can not trigger a crash in 1.9.1 locally, this should be fixed there as well.
Attachment #478904 - Flags: approval1.9.2.11?
Attachment #478904 - Flags: approval1.9.1.14?
Comment on attachment 478904 [details] [diff] [review]
1.9.2 fix.

a=LegNeato for 1.9.2.11 and 1.9.1.14
Attachment #478904 - Flags: approval1.9.2.11?
Attachment #478904 - Flags: approval1.9.2.11+
Attachment #478904 - Flags: approval1.9.1.14?
Attachment #478904 - Flags: approval1.9.1.14+
Keywords: checkin-needed
Keywords: checkin-needed
Group: core-security