Closed Bug 674545 Opened 8 years ago Closed 8 years ago

Crash with too complex regular expressions in js1_5/extensions/regress-330569.js and js1_5/extensions/regress-351448.js

Categories

(Core :: JavaScript Engine, defect, critical)

1.9.2 Branch
All
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
firefox5 --- unaffected
firefox6 --- unaffected
firefox7 --- unaffected
firefox8 --- unaffected
firefox9 --- unaffected
firefox10 --- unaffected
status2.0 --- unaffected
blocking1.9.2 --- .20+
status1.9.2 --- .20-fixed
status1.9.1 --- unaffected

People

(Reporter: bc, Assigned: cdleary)

References

Details

(4 keywords, Whiteboard: [sg:critical?], wanted-standalone-js)

Crash Data

Attachments

(3 files)

Attached file 330569 stack
js1_5/extensions/regress-330569.js and js1_5/extensions/regress-351448.js crash browser and shell opt and debug on 1.9.2 Linux 32 and 64 bit at least. Haven't tried others. Regressed around 2011-07-23
Flags: in-testsuite+
Attached file 351448 stack
bug 626297 ?
Group: core-security
Missed this because I was using the more modern jstests, which had these tests marked as "skip" because YARR doesn't have the same complexity errors.
Assignee: general → cdleary
Status: NEW → ASSIGNED
Attachment #548919 - Flags: review?(mrbkap)
Attachment #548919 - Flags: review?(mrbkap) → review+
Attachment #548919 - Flags: approval1.9.2.20?
Comment on attachment 548919 [details] [diff] [review]
Initialize res to NULL for cleanup goto.

Approved for 1.9.2.20, a=dveditz

Code freeze for 1.9.2.20 is Monday Aug 1, please land soon.
Attachment #548919 - Flags: approval1.9.2.20? → approval1.9.2.20+
blocking1.9.2: --- → .20+
Maybe sg:critical if you can get attacker data left over on the stack where res will be created.
Whiteboard: [sg:critical?]
Bob, do you think you could run this patch against the 1.9.2 test suite to confirm we're good now? js reftests apparently don't run on the 1.9.2 tinderboxen and I don't think I'm using the jsDriver correctly.
sure. I'll let you know in a while.
I'm running the full set of tests on 1.9.2 with the patch. The old way I normally do it is to run js shell opt/debug and browser opt/debug without jit and with jit. The browser tests actually start and stop the browser for each test so they don't get hung up or terminate due to a crash but that means it takes forever to run them. So far, non-jit js shell opt/debug and firefox opt have passed with flying colors, but i really would like to complete a bit more. The full results will be in tomorrow and we'll be able to get this in then.
All tests passed with no regressions.
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/13bbe383ceb2
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Verified fixed in 1.9.2 based on passing tests.
Keywords: verified1.9.2
Whiteboard: [sg:critical?] → [sg:critical?], wanted-standalone-js
Group: core-security
You need to log in before you can comment on or make changes to this bug.