Closed Bug 682251 Opened 13 years ago Closed 11 years ago

Segmentation fault at js_EmitTree in jsemit.cpp

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Version:
7 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: attekett, Unassigned)

Details

Attachments

(1 file)

repro file
1.36 KB, text/html
Details
Attached file repro file 
Tested on Firefox 7.0~b1 on Ubuntu x86_64: 
Opening attached file causes segmentation fault at jsemit.cpp(from gdb). You need to have sun-java6-plugin installed to reproduce the crash.(Valgrind shows invalid writes from Java Plugin) Removing few of the "= a" pairs will prevent the crash.

Valgrind:

==25050== Process terminating with default action of signal 11 (SIGSEGV)
==25050==  Access not within mapped region at address 0x7FEF02A40
==25050==    at 0x8B2F549: js_EmitTree (jsemit.cpp:7062)

GDB:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff47f7549 in js_EmitTree (cx=0x7fffd8138800, cg=0x7fffffffa0b0, pn=0x7fffd169dbf0)
    at /build/buildd/firefox-7.0~b1+build1+nobinonly/build-tree/mozilla/js/src/jsemit.cpp:7062
Attachment #555995 - Attachment mime type: text/plain → text/html
ugh, shouldn't have missed this, sounds like it could have been a sec-critical bug. May not happen anymore though, the JS engine has gone through a lot of changes since then.
Group: core-security
Product: Firefox → Core
Sounds plugin-related.

It looks like js_EmitTree is now EmitTree in js/src/frontend/BytecodeEmitter.cpp
sun-java6-plugin is long gone from Ubuntu.
No repro with Oracles Java 7 and Fx19/trunk on Ubuntu.
Virgil, could you possibly test through a few more (Oracle) Java 6/7 versions to see if this still reproduces?
Testing on Fx19 would probably be sufficient.
Flags: needinfo?(virgil.dicu)
Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0

Verified with Firefox 19.
Disabled blocklisting to avoid CTP. No crash while loading the repro file with following java versions:
java 7u5
java 7u10
java 6u39

Firefox hanged when I activated the plugin via CTP with the Java 6 version, however. Nothing special apart that.
Flags: needinfo?(virgil.dicu)
Thanks Virgil.

dveditz, given that this is not reproducible in current versions - does this need any further action?
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: