Bug 509075 - Crash [@ js_ValueToString]
Status: RESOLVED FIXED
Whiteboard: [sg:critical]
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Priority: --
Severity: normal
Assigned To: Blake Kaplan (:mrbkap)
Blocks: CVE-2010-3183
Reported: 2009-08-07 11:18 PDT by Paul Nickerson
Modified: 2010-11-06 18:30 PDT
CC: 8 users
Flags: jruderman: in-testsuite+
Branch flags: .11+, .11-fixed, .14+, .14-fixed

Attachments:
- testcase (602 bytes, text/html), 2009-08-07 11:18 PDT, Paul Nickerson
- stack (6.88 KB, text/plain), 2009-08-07 11:20 PDT, Paul Nickerson
- Fix (4.94 KB, patch), 2009-08-07 12:42 PDT, Blake Kaplan (:mrbkap); jorendorff: review+, jst: superreview+
- 1.9.2 fix. (1.19 KB, patch), 2010-09-27 16:15 PDT, Johnny Stenback (:jst, jst@mozilla.com); mrbkap: review+, christian: approval1.9.2.11+, christian: approval1.9.1.14+

Description Paul Nickerson 2009-08-07 11:18:08 PDT
Created attachment 393222 [details]
testcase
Comment 1 Paul Nickerson 2009-08-07 11:20:22 PDT
Created attachment 393223 [details]
stack
Comment 2 Bob Clary [:bc:] 2009-08-07 12:24:03 PDT
crashes mac 1.9.2 @ JS_HashTableDestroy
bp-b5d38e43-91b8-4994-8ac7-bacb62090807
Comment 3 Blake Kaplan (:mrbkap) 2009-08-07 12:27:35 PDT
I suck :(.
Comment 4 Blake Kaplan (:mrbkap) 2009-08-07 12:42:37 PDT
Created attachment 393249 [details] [diff] [review]
Fix

The fix here is the argc == 0 check, the rest of it is updating the code to use shiny new APIs.
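As an added illustration (the attached patch itself is not reproduced on this page, and this is not Mozilla's code), the C sketch below models the argc == 0 check mentioned above inside a toy native-function dispatcher loosely shaped like the old SpiderMonkey JSNative convention of an argument count plus an argument vector. Every name in it (toy_value, native_to_string, call_native, and so on) is hypothetical. It goes one step beyond the single check in the comment: the dispatcher also keeps a per-native minimum-arity table, so a short call is rejected centrally even if an individual native forgets to check.

```c
/* Added illustration, not the bug's patch: a toy native-function dispatcher
 * modelled loosely on the old SpiderMonkey JSNative shape (argc + argv).
 * All names here are hypothetical. */
#include <stdio.h>
#include <string.h>

typedef enum { T_UNDEFINED, T_NUMBER, T_STRING } toy_tag;

/* Minimal stand-in for an engine value. */
typedef struct {
    toy_tag tag;
    double num;
    const char *str;
} toy_value;

/* Native calling convention: count of supplied arguments plus the vector. */
typedef int (*toy_native)(unsigned argc, const toy_value *argv,
                          char *out, size_t outlen);

/* Stand-in for a value-to-string conversion. Returns 1 on success. */
static int value_to_string(const toy_value *v, char *out, size_t outlen) {
    switch (v->tag) {
    case T_UNDEFINED: snprintf(out, outlen, "undefined"); return 1;
    case T_NUMBER:    snprintf(out, outlen, "%g", v->num); return 1;
    case T_STRING:    snprintf(out, outlen, "%s", v->str);  return 1;
    }
    return 0;
}

/* Hardened native: never touch argv[0] unless the caller supplied it.
 * With argc == 0 the slot argv[0] is not part of the caller's argument
 * array, so reading it would be an out-of-bounds read; the fix is to
 * fail (an engine would report a TypeError) instead. */
static int native_to_string(unsigned argc, const toy_value *argv,
                            char *out, size_t outlen) {
    if (argc == 0)
        return 0;
    return value_to_string(&argv[0], out, outlen);
}

/* Second line of defence: each native registers its minimum arity, and
 * the dispatcher enforces it before the native runs. */
typedef struct {
    const char *name;
    unsigned min_args;
    toy_native fn;
} toy_native_entry;

static const toy_native_entry natives[] = {
    { "toString", 1, native_to_string },
};

/* Returns 1 and fills out on success, 0 on unknown native, short call,
 * or conversion failure. */
int call_native(const char *name, unsigned argc, const toy_value *argv,
                char *out, size_t outlen) {
    for (size_t i = 0; i < sizeof natives / sizeof natives[0]; i++) {
        if (strcmp(natives[i].name, name) == 0) {
            if (argc < natives[i].min_args)
                return 0;   /* rejected before argv is ever indexed */
            return natives[i].fn(argc, argv, out, outlen);
        }
    }
    return 0;
}

int main(void) {
    char buf[64];
    toy_value num = { T_NUMBER, 42.0, NULL };
    printf("toString(42): %s\n",
           call_native("toString", 1, &num, buf, sizeof buf) ? buf : "<error>");
    printf("toString():   %s\n",
           call_native("toString", 0, NULL, buf, sizeof buf) ? buf : "<error>");
    return 0;
}
```

The point of the table is that the arity check lives in one place the caller cannot bypass; the check inside native_to_string stays as a guard for any path that reaches the native directly.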
Comment 5 Paul Nickerson 2009-08-07 12:43:49 PDT
I'm so sorry, I didn't think this was security-sensitive. Not bad for my fuzzer's
first bug ;)
Comment 6 Blake Kaplan (:mrbkap) 2009-08-18 20:57:05 PDT
http://hg.mozilla.org/mozilla-central/rev/8b71bff4079d
Comment 7 Andreas Gal :gal 2010-09-22 11:21:04 PDT
Re-reported as bug 598669 / ZDI-CAN-929.
Comment 8 Reed Loden [:reed] (use needinfo?) 2010-09-22 11:24:19 PDT
Why wasn't this fix backported to 1.9.2, especially if it's been fixed on trunk for a year? :/
Comment 9 Daniel Veditz [:dveditz] 2010-09-24 12:02:59 PDT
I crashed with this testcase in 3.5.12pre (bp-efdae1d6-c261-42ba-a8a2-be5882100924 -- pthread_mutex_lock, something else?) but after upgrading to a current nightly I no longer crash. Is this problem a regression between 1.9.1 and 1.9.2?
Comment 10 Daniel Veditz [:dveditz] 2010-09-24 12:09:02 PDT
I take back comment 9: it doesn't seem to crash in 1.9.1 if I open the testcase in a new tab, but if I just click the link to navigate from the bug to the testcase it goes down immediately. Another pthread_mutex_lock crash, but with symbols this time, so it does look like the same area as this bug and bug 598669.
bp-2fa1fcef-aab5-46a8-b5df-8ea972100924
Comment 11 Johnny Stenback (:jst, jst@mozilla.com) 2010-09-27 16:15:16 PDT
Created attachment 478904 [details] [diff] [review]
1.9.2 fix.
Comment 12 Blake Kaplan (:mrbkap) 2010-09-27 16:18:09 PDT
Comment on attachment 478904 [details] [diff] [review]
1.9.2 fix.

Thanks!
Comment 13 Johnny Stenback (:jst, jst@mozilla.com) 2010-09-27 16:19:26 PDT
Comment on attachment 478904 [details] [diff] [review]
1.9.2 fix.

This applies to 1.9.1 as well, and while I can not trigger a crash in 1.9.1 locally, this should be fixed there as well.
Comment 14 christian 2010-09-28 10:21:58 PDT
Comment on attachment 478904 [details] [diff] [review]
1.9.2 fix.

a=LegNeato for 1.9.2.11 and 1.9.1.14
Comment 15 Daniel Veditz [:dveditz] 2010-09-28 23:34:22 PDT
Looks like jst checked this in:
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/6f77c13209a8
Comment 16 Daniel Veditz [:dveditz] 2010-09-28 23:46:34 PDT
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/54ff003f8cb0
Comment 17 Jesse Ruderman 2010-11-06 18:30:26 PDT
Crashtest: http://hg.mozilla.org/mozilla-central/rev/0981dd4be638