Bug 622593: Firefox 3.5.16 Crash Report [@ JS_StackFramePrincipals ]
Opened 14 years ago, closed 13 years ago
Status: RESOLVED WORKSFORME
Category: Core :: JavaScript Engine, defect
Reporter: cbook, Assignee: Unassigned
Keywords: crash, reproducible, testcase
Whiteboard: [sg:dos] null deref
Attachments: 1 file (118 bytes, text/html)
Running mz's fuzzer caused a crash on Firefox 3.5.16 in @ JS_StackFramePrincipals - will see if I get the URL for the testcase
http://crash-stats.mozilla.com/report/index/e99d6358-5e0f-4559-8729-3555f2110103
0 js3250.dll JS_StackFramePrincipals js/src/jsdbgapi.cpp:1028
1 js3250.dll obj_eval js/src/jsobj.cpp:1512
2 js3250.dll js_Invoke js/src/jsinterp.cpp:1386
3 js3250.dll js_InternalInvoke js/src/jsinterp.cpp:1447
4 js3250.dll JS_CallFunctionValue js/src/jsapi.cpp:5190
5 xul.dll nsJSContext::CallEventHandler dom/src/base/nsJSEnvironment.cpp:2169
6 xul.dll nsGlobalWindow::RunTimeout dom/src/base/nsGlobalWindow.cpp:7968
7 xul.dll nsGlobalWindow::TimerCallback dom/src/base/nsGlobalWindow.cpp:8302
8 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:420
9 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:512
10 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:521
11 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:170
12 xul.dll nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:193
13 nspr4.dll nspr4.dll@0xd94f
14 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:110
15 firefox.exe __tmainCRTStartup obj-firefox/memory/jemalloc/src/crtexe.c:591
16 kernel32.dll BaseThreadInitThunk
17 ntdll.dll __RtlUserThreadStart
18 ntdll.dll _RtlUserThreadStart
Comment 1•14 years ago
The crash-stats report looks like a null dereference (accessing 0x20 dereferencing fp->fun), but I don't see a call to JS_StackFramePrincipals from near that line of jsobj.cpp. Could be inlined or buried in a macro. I don't know how bad it is that the framepointer is null.
Keywords: testcase-wanted
Updated•14 years ago
Whiteboard: [sg:needinfo]
Comment 2•14 years ago
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000020
0x002b2279 in JS_StackFramePrincipals (cx=0x6145e00, fp=0x0) at /work/mozilla/builds/1.9.1/mozilla/js/src/jsdbgapi.cpp:1028
1028 if (fp->fun) {
Updated•14 years ago
OS: Windows 7 → All
Comment 3•14 years ago
removing the sg:needinfo tag so it gets back in the critkill triage queue.
Whiteboard: [sg:needinfo]
Updated•14 years ago
Whiteboard: [sg:dos] null deref
Updated•14 years ago
Blocks: crossfuzz-pvt
Updated•14 years ago
Crash Signature: [@ JS_StackFramePrincipals ]
Comment 4•13 years ago
WFM on Firefox 10
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME