Closed
Bug 674545
Opened 13 years ago
Closed 13 years ago
Crash with too complex regular expressions in js1_5/extensions/regress-330569.js and js1_5/extensions/regress-351448.js
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
| Flag | Tracking | Status |
|---|---|---|
| firefox5 | --- | unaffected |
| firefox6 | --- | unaffected |
| firefox7 | --- | unaffected |
| firefox8 | --- | unaffected |
| firefox9 | --- | unaffected |
| firefox10 | --- | unaffected |
| status2.0 | --- | unaffected |
| blocking1.9.2 | --- | .20+ |
| status1.9.2 | --- | .20-fixed |
| status1.9.1 | --- | unaffected |
People
(Reporter: bc, Assigned: cdleary)
Details
(4 keywords, Whiteboard: [sg:critical?], wanted-standalone-js)
Attachments
(3 files)
2.18 KB, text/plain
2.02 KB, text/plain
1.96 KB, patch (mrbkap: review+, dveditz: approval1.9.2.20+)
js1_5/extensions/regress-330569.js and js1_5/extensions/regress-351448.js crash browser and shell opt and debug on 1.9.2 Linux 32 and 64 bit at least. Haven't tried others. Regressed around 2011-07-23
Flags: in-testsuite+
Comment 1 • 13 years ago (Reporter)
Comment 3 • 13 years ago (Assignee)
Missed this because I was using the more modern jstests, which had these tests marked as "skip" because YARR doesn't have the same complexity errors.
Updated • 13 years ago
Attachment #548919 - Flags: review?(mrbkap) → review+
Updated • 13 years ago (Assignee)
Attachment #548919 - Flags: approval1.9.2.20?
Updated • 13 years ago (Assignee)
Blocks: CVE-2011-2983
Updated • 13 years ago (Reporter)
Keywords: regressionwindow-wanted
Comment 4 • 13 years ago
Comment on attachment 548919: Initialize res to NULL for cleanup goto.
Approved for 1.9.2.20, a=dveditz
Code freeze for 1.9.2.20 is Monday Aug 1, please land soon.
Attachment #548919 - Flags: approval1.9.2.20? → approval1.9.2.20+
Updated • 13 years ago
blocking1.9.2: --- → .20+
status1.9.2: --- → wanted
Comment 5 • 13 years ago
Maybe sg:critical if you can get attacker data left over on the stack where res will be created.
Whiteboard: [sg:critical?]
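
The pattern named in the patch title ("Initialize res to NULL for cleanup goto"), as an added C example that is not the SpiderMonkey patch or any code from this bug. `compile_pattern`, `compiled_re`, `free_pattern` and `MAX_DEPTH` are hypothetical, and the assumed shape is an early "too complex" error that jumps to the cleanup label before `res` is assigned.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_DEPTH 4 /* constructed complexity limit, hypothetical */

typedef struct {
    char *source;
} compiled_re; /* hypothetical stand-in, not a SpiderMonkey type */

void free_pattern(compiled_re *re)
{
    if (re != NULL) {
        free(re->source);
        free(re);
    }
}

/* Returns 0 and sets *out on success, -1 on error (*out is left untouched). */
int compile_pattern(const char *pattern, compiled_re **out)
{
    /* Without "= NULL", the early goto below would reach the cleanup code with
     * res holding stale stack bytes, which free_pattern() would then free. */
    compiled_re *res = NULL;
    size_t depth = 0;
    int rv = -1;

    for (const char *p = pattern; *p != '\0'; p++) {
        if (*p == '(') {
            if (++depth > MAX_DEPTH)
                goto out; /* "too complex": fails before res is allocated */
        } else if (*p == ')' && depth > 0) {
            depth--;
        }
    }

    res = calloc(1, sizeof *res);
    if (res == NULL)
        goto out;
    res->source = malloc(strlen(pattern) + 1);
    if (res->source == NULL)
        goto out;
    strcpy(res->source, pattern);
    *out = res;
    res = NULL; /* ownership passed to the caller; cleanup must not free it */
    rv = 0;
out:
    free_pattern(res); /* safe on every path: res is NULL or still owned here */
    return rv;
}
```
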
Comment 6 • 13 years ago (Assignee)
Bob, do you think you could run this patch against the 1.9.2 test suite to confirm we're good now? js reftests apparently don't run on the 1.9.2 tinderboxen and I don't think I'm using the jsDriver correctly.
Comment 7 • 13 years ago (Reporter)
sure. I'll let you know in a while.
Updated • 13 years ago
status1.9.1: --- → unaffected
status2.0: --- → unaffected
status-firefox5: --- → unaffected
status-firefox6: --- → unaffected
status-firefox7: --- → unaffected
status-firefox8: --- → unaffected
Comment 8 • 13 years ago (Reporter)
I'm running the full set of tests on 1.9.2 with the patch. The old way I normally do it is to run js shell opt/debug and browser opt/debug without jit and with jit. The browser tests actually start and stop the browser for each test so they don't get hung up or terminate due to a crash, but that means it takes forever to run them. So far, non-jit js shell opt/debug and firefox opt have passed with flying colors, but I really would like to complete a bit more. The full results will be in tomorrow and we'll be able to get this in then.
Comment 9 • 13 years ago (Reporter)
All tests passed with no regressions.
Comment 10 • 13 years ago (Assignee)
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/13bbe383ceb2
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated • 13 years ago
Whiteboard: [sg:critical?] → [sg:critical?], wanted-standalone-js
Updated • 13 years ago
status-firefox10: --- → unaffected
status-firefox9: --- → unaffected
Updated • 13 years ago
Group: core-security