Closed Bug 674545 Opened 13 years ago Closed 13 years ago

Crash with too complex regular expressions in js1_5/extensions/regress-330569.js and js1_5/extensions/regress-351448.js

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
1.9.2 Branch
Platform:
All
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox5 --- unaffected
firefox6 --- unaffected
firefox7 --- unaffected
firefox8 --- unaffected
firefox9 --- unaffected
firefox10 --- unaffected
status2.0 --- unaffected
blocking1.9.2 --- .20+
status1.9.2 --- .20-fixed
status1.9.1 --- unaffected

People

(Reporter: bc, Assigned: cdleary)

References

Details

(4 keywords, Whiteboard: [sg:critical?], wanted-standalone-js)

Crash Data

Attachments

(3 files)

330569 stack
2.18 KB, text/plain
Details
351448 stack
2.02 KB, text/plain
Details
Initialize res to NULL for cleanup goto.
1.96 KB, patch
mrbkap
: review+
dveditz
: approval1.9.2.20+
Details | Diff | Splinter Review
Attached file 330569 stack 
js1_5/extensions/regress-330569.js and js1_5/extensions/regress-351448.js crash browser and shell opt and debug on 1.9.2 Linux 32 and 64 bit at least. Haven't tried others. Regressed around 2011-07-23
Flags: in-testsuite+
Attached file 351448 stack 

    
    

    
  
bug 626297 ?
Group: core-security

    
    

    
  


  
Missed this because I was using the more modern jstests, which had these tests marked as "skip" because YARR doesn't have the same complexity errors.
Assignee: general → cdleary
Status: NEW → ASSIGNED

        Attachment #548919 -
        Flags: review?(mrbkap)

        Attachment #548919 -
        Flags: review?(mrbkap) → review+

        Attachment #548919 -
        Flags: approval1.9.2.20?

    
  
Keywords: regressionwindow-wanted

    
    

    
  
Comment on attachment 548919 [details] [diff] [review]
Initialize res to NULL for cleanup goto.

Approved for 1.9.2.20, a=dveditz

Code freeze for 1.9.2.20 is Monday Aug 1, please land soon.

        Attachment #548919 -
        Flags: approval1.9.2.20? → approval1.9.2.20+
blocking1.9.2: --- → .20+

          status1.9.2:
          --- → wanted

    
    

    
  
Maybe sg:critical if you can get attacker data left over on the stack where res will be created.
Whiteboard: [sg:critical?]

    
    

    
  
Bob, do you think you could run this patch against the 1.9.2 test suite to confirm we're good now? js reftests apparently don't run on the 1.9.2 tinderboxen and I don't think I'm using the jsDriver correctly.

    
    

    
  
sure. I'll let you know in a while.

    
    

    
  
I'm running the full set of tests on 1.9.2 with the patch. The old way I normally do it is to run js shell opt/debug and browser opt/debug without jit and with jit. The browser tests actually start and stop the browser for each test so they don't get hung up or terminate due to a crash but that means it takes forever to run them. So far, non-jit js shell opt/debug and firefox opt have passed with flying colors, but i really would like to complete a bit more. The full results will be in tomorrow and we'll be able to get this in then.

    
    

    
  
All tests passed with no regressions.

    
    

    
  
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/13bbe383ceb2
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
    

    
  
Verified fixed in 1.9.2 based on passing tests.
Keywords: verified1.9.2

    
  
Whiteboard: [sg:critical?] → [sg:critical?], wanted-standalone-js
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: