Bug 527380 (Closed)
Opened 15 years ago, closed 15 years ago
Read Access Violation starting at js3250!NativeToValueBase<FailDoubleOOMHandler>+0x00000000000000e5 (Hash=0x6e2e3a1b.0x73572f0b)
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 522024
People: Reporter: cbook, Unassigned
Details: Keywords: crash, testcase; Whiteboard: [sg:dupe 522024]
Attachments: 2 files, 2 obsolete files
Steps to reproduce:
-> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b2pre) Gecko/20091108 Namoroka/3.6b2pre (debug build)
--> Load http://www.iask.com (you might reload the page)
--> Crashes on load

(b98.ac0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000001 ebx=7ffd8000 ecx=dddddddd edx=0012f674 esi=00000002 edi=7c9118c0
eip=00620815 esp=0012ee98 ebp=0012eebc iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
js3250!NativeToValueBase<FailDoubleOOMHandler>+0xe5:
00620815 8b11 mov edx,dword ptr [ecx] ds:0023:dddddddd=????????

Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at js3250!NativeToValueBase<FailDoubleOOMHandler>+0x00000000000000e5 (Hash=0x6e2e3a1b.0x73572f0b)

ChildEBP RetAddr
0012eebc 005f1bd8 js3250!NativeToValueBase<FailDoubleOOMHandler>+0xe5
0012eed4 00515a94 js3250!js_NativeToValue+0x18
0012ef0c 0056554f js3250!ArgGetter+0x94
0012ef2c 005651b0 js3250!js_GetSprop+0xdf
0012ef78 00566061 js3250!js_NativeGet+0x250
0012efb4 0056623a js3250!js_GetPropertyHelper+0x341
0012efe4 0053beb5 js3250!js_GetMethod+0x4a
0012f6a8 0052ba8a js3250!js_Interpret+0xed55
0012f72c 004d37d7 js3250!js_Execute+0x2ba
0012f754 01e80420 js3250!JS_EvaluateUCScriptForPrincipals+0xe7
0012f800 01ec40e2 gklayout!nsJSContext::EvaluateString+0x2c0
0012f948 01ec4c78 gklayout!nsGlobalWindow::RunTimeout+0x522
0012f958 0030a9be gklayout!nsGlobalWindow::TimerCallback+0x28
0012f9ac 0030aba1 xpcom_core!nsTimerImpl::Fire+0x28e
0012f9c4 0030c82a xpcom_core!nsTimerEvent::Run+0xa1
0012fa00 00297b43 xpcom_core!nsThread::ProcessNextEvent+0x1fa
0012fa1c 02a5cead xpcom_core!NS_ProcessNextEvent_P+0x53
0012fa30 036b42db gkwidget!nsBaseAppShell::Run+0x5d
0012fa44 1000c302 tkitcmps!nsAppStartup::Run+0x6b
0012fed0 004024e2 xul!XRE_main+0x2ba2
quit:
Flags: blocking1.9.2?
Comment 1 (Reporter)•15 years ago
zipped page source, crashes on load/reload
Comment 2•15 years ago
From the ecx value we're clearly dealing with a deleted object here: probably exploitable.
Keywords: testcase
Whiteboard: [sg:critical?]
Updated•15 years ago
Attachment #411101 -
Attachment mime type: application/zip → application/java-archive
Updated•15 years ago
Flags: blocking1.9.2? → blocking1.9.2+
Comment 3•15 years ago
I can reproduce this on Fx 3.6 beta 2, will try and come up with a reduced testcase soon.
OS: Windows XP → All
Hardware: x86 → All
Comment 4•15 years ago
(In reply to comment #3)
> I can reproduce this on Fx 3.6 beta 2, will try and come up with a reduced
> testcase soon.

Oh, I meant on Mac 10.5.8 as well.
Comment 5•15 years ago
Here's the same testcase in <40 lines. Hopefully someone can turn this into a shell testcase... anyone? ;-)
Attachment #411101 -
Attachment is obsolete: true
Comment 6•15 years ago
Testcase in comment 5 doesn't crash for me. Built from http://hg.mozilla.org/tracemonkey/rev/a76089fc9dba+
Comment 7•15 years ago
(In reply to comment #5)
> Created an attachment (id=412099) [details]
> reduced DOM testcase
>
> Here's the same testcase in <40 lines. Hopefully someone can turn this into a
> shell testcase... anyone? ;-)

(In reply to comment #6)
> Testcase in comment 5 doesn't crash for me.
> Built from http://hg.mozilla.org/tracemonkey/rev/a76089fc9dba+

I crashed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2b2) Gecko/20091108 Firefox/3.6b2
Comment 8•15 years ago
Comment 9•15 years ago
Attachment #412099 -
Attachment is obsolete: true
Thanks for reducing this - it looks like bug 522024, which didn't land until very recently. After updating to 1.9.2-tip it no longer produces incorrect results.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Updated•15 years ago
Flags: in-testsuite?
Updated•14 years ago
Whiteboard: [sg:critical?] → [sg:dupe 522024]
Updated•12 years ago
Group: core-security