Closed Bug 527380 Opened 15 years ago Closed 15 years ago

Read Access Violation starting at js3250!NativeToValueBase<FailDoubleOOMHandler>+0x00000000000000e5 (Hash=0x6e2e3a1b.0x73572f0b)

Categories

(Core :: JavaScript Engine, defect)

Version: 1.9.2 Branch
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED DUPLICATE of bug 522024

People

(Reporter: cbook, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:dupe 522024])

Attachments

(2 files, 2 obsolete files)

Steps to reproduce:
-> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b2pre) Gecko/20091108 Namoroka/3.6b2pre (debug build)
--> Load http://www.iask.com (you may need to reload the page)
--> Crashes on load


(b98.ac0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000001 ebx=7ffd8000 ecx=dddddddd edx=0012f674 esi=00000002 edi=7c9118c0
eip=00620815 esp=0012ee98 ebp=0012eebc iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297

js3250!NativeToValueBase<FailDoubleOOMHandler>+0xe5:
00620815 8b11            mov     edx,dword ptr [ecx]  ds:0023:dddddddd=????????

Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at js3250!NativeToValueBase<FailDoubleOOMHandler>+0x00000000000000e5 (Hash=0x6e2e3a1b.0x73572f0b)
ChildEBP RetAddr
0012eebc 005f1bd8 js3250!NativeToValueBase<FailDoubleOOMHandler>+0xe5
0012eed4 00515a94 js3250!js_NativeToValue+0x18
0012ef0c 0056554f js3250!ArgGetter+0x94
0012ef2c 005651b0 js3250!js_GetSprop+0xdf
0012ef78 00566061 js3250!js_NativeGet+0x250
0012efb4 0056623a js3250!js_GetPropertyHelper+0x341
0012efe4 0053beb5 js3250!js_GetMethod+0x4a
0012f6a8 0052ba8a js3250!js_Interpret+0xed55
0012f72c 004d37d7 js3250!js_Execute+0x2ba
0012f754 01e80420 js3250!JS_EvaluateUCScriptForPrincipals+0xe7
0012f800 01ec40e2 gklayout!nsJSContext::EvaluateString+0x2c0
0012f948 01ec4c78 gklayout!nsGlobalWindow::RunTimeout+0x522
0012f958 0030a9be gklayout!nsGlobalWindow::TimerCallback+0x28
0012f9ac 0030aba1 xpcom_core!nsTimerImpl::Fire+0x28e
0012f9c4 0030c82a xpcom_core!nsTimerEvent::Run+0xa1
0012fa00 00297b43 xpcom_core!nsThread::ProcessNextEvent+0x1fa
0012fa1c 02a5cead xpcom_core!NS_ProcessNextEvent_P+0x53
0012fa30 036b42db gkwidget!nsBaseAppShell::Run+0x5d
0012fa44 1000c302 tkitcmps!nsAppStartup::Run+0x6b
0012fed0 004024e2 xul!XRE_main+0x2ba2
quit:
Flags: blocking1.9.2?
Attached file zipped page source (obsolete) —
zipped page source, crashes on load/reload
From the ecx value we're clearly dealing with a deleted object here: probably exploitable.
Keywords: testcase
Whiteboard: [sg:critical?]
Attachment #411101 - Attachment mime type: application/zip → application/java-archive
Flags: blocking1.9.2? → blocking1.9.2+
I can reproduce this on Fx 3.6 beta 2, will try and come up with a reduced testcase soon.
OS: Windows XP → All
Hardware: x86 → All
(In reply to comment #3)
> I can reproduce this on Fx 3.6 beta 2, will try and come up with a reduced
> testcase soon.

Oh, I meant on Mac 10.5.8 as well.
Attached file reduced DOM testcase (obsolete) —
Here's the same testcase in <40 lines. Hopefully someone can turn this into a shell testcase... anyone? ;-)
Attachment #411101 - Attachment is obsolete: true
Testcase in comment 5 doesn't crash for me.
Built from http://hg.mozilla.org/tracemonkey/rev/a76089fc9dba+
(In reply to comment #5)
> Created an attachment (id=412099) [details]
> reduced DOM testcase
> 
> Here's the same testcase in <40 lines. Hopefully someone can turn this into a
> shell testcase... anyone? ;-)

(In reply to comment #6)
> Testcase in comment 5 doesn't crash for me.
> Built from http://hg.mozilla.org/tracemonkey/rev/a76089fc9dba+

I crashed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2b2) Gecko/20091108 Firefox/3.6b2
Thanks for reducing this - it looks like bug 522024, which didn't land until very recently. After updating to 1.9.2-tip it no longer produces incorrect results.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical?] → [sg:dupe 522024]
Group: core-security