Crash [@ js_ValueToString]

Status: RESOLVED FIXED
Product/Component: Core :: JavaScript Engine

People

(Reporter: Paul Nickerson, Assigned: mrbkap)

Tracking

Version: Trunk
Platform: x86 Linux
Bug Flags: in-testsuite+

Firefox Tracking Flags

(blocking1.9.2 .11+, status1.9.2 .11-fixed, blocking1.9.1 .14+, status1.9.1 .14-fixed)

Details

(Whiteboard: [sg:critical])

Attachments

(4 attachments)

Description (Reporter, 8 years ago)

Created attachment 393222: testcase
Comment 1 (Reporter, 8 years ago)

Created attachment 393223: stack

Updated (8 years ago)

Group: core-security

Comment 2 (8 years ago)

crashes mac 1.9.2 @ JS_HashTableDestroy
bp-b5d38e43-91b8-4994-8ac7-bacb62090807
Comment 3 (Assignee, 8 years ago)

I suck :(.
Assignee: general → mrbkap
Comment 4 (Assignee, 8 years ago)

Created attachment 393249 (patch): Fix

The fix here is the argc == 0 check, the rest of it is updating the code to use shiny new APIs.
Attachment #393249 - Flags: review?(jorendorff)
Comment 5 (Reporter, 8 years ago)

I'm so sorry, I didn't think this was security-sensitive. Not bad for my fuzzer's first bug ;)
Attachment #393249 - Flags: review?(jorendorff) → review+
Updated (Assignee, 8 years ago)

Attachment #393249 - Flags: superreview?(jst)

Updated (8 years ago)

Attachment #393249 - Flags: superreview?(jst) → superreview+
Comment 6 (Assignee, 8 years ago)

http://hg.mozilla.org/mozilla-central/rev/8b71bff4079d
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

Updated (8 years ago)

Whiteboard: [sg:critical?]

Updated (7 years ago)

Whiteboard: [sg:critical?] → [sg:critical]

Comment 7 (7 years ago)

Re-reported as bug 598669 / ZDI-CAN-929.
Why wasn't this fix backported to 1.9.2, especially if it's been fixed on trunk for a year? :/

blocking1.9.2: --- → ?
status1.9.2: --- → ?
blocking1.9.1: --- → ?
blocking1.9.2: ? → .11+
status1.9.1: --- → ?
status1.9.2: ? → wanted

I crashed with this testcase in 3.5.12pre (bp-efdae1d6-c261-42ba-a8a2-be5882100924 -- pthread_mutex_lock, something else?) but after upgrading to a current nightly I no longer crash. Is this problem a regression between 1.9.1 and 1.9.2?

I take back comment 9: it doesn't seem to crash in 1.9.1 if I open the testcase in a new tab, but if I just click the link to navigate from the bug to the testcase it goes down immediately. Another pthread_mutex_lock crash, but with symbols this time, so it does look like the same area as this bug and bug 598669.
bp-2fa1fcef-aab5-46a8-b5df-8ea972100924

blocking1.9.1: ? → .14+
status1.9.1: ? → wanted
Blocks: 598669

Created attachment 478904 (patch): 1.9.2 fix.
Attachment #478904 - Flags: review?(mrbkap)
Comment 12 (Assignee, 7 years ago)

Comment on attachment 478904 (patch): 1.9.2 fix.

Thanks!
Attachment #478904 - Flags: review?(mrbkap) → review+

Comment on attachment 478904 (patch): 1.9.2 fix.

This applies to 1.9.1 as well, and while I cannot trigger a crash in 1.9.1 locally, this should be fixed there as well.
Attachment #478904 - Flags: approval1.9.2.11?
Attachment #478904 - Flags: approval1.9.1.14?

Comment 14 (7 years ago)

Comment on attachment 478904 (patch): 1.9.2 fix.

a=LegNeato for 1.9.2.11 and 1.9.1.14
Attachment #478904 - Flags: approval1.9.2.11? → approval1.9.2.11+
Attachment #478904 - Flags: approval1.9.1.14? → approval1.9.1.14+

Updated (7 years ago)

Keywords: checkin-needed

Looks like jst checked this in:
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/6f77c13209a8
status1.9.2: wanted → .11-fixed
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/54ff003f8cb0
status1.9.1: wanted → .14-fixed

Updated (7 years ago)

Keywords: checkin-needed
Group: core-security

Comment 17 (7 years ago)

Crashtest: http://hg.mozilla.org/mozilla-central/rev/0981dd4be638
Flags: in-testsuite+