Created attachment 555995 [details]
repro file

Tested on Firefox 7.0~b1 on Ubuntu x86_64: Opening the attached file causes a segmentation fault at jsemit.cpp (from gdb). You need to have sun-java6-plugin installed to reproduce the crash. (Valgrind shows invalid writes from the Java plugin.) Removing a few of the "= a" pairs will prevent the crash.

Valgrind:
==25050== Process terminating with default action of signal 11 (SIGSEGV)
==25050== Access not within mapped region at address 0x7FEF02A40
==25050== at 0x8B2F549: js_EmitTree (jsemit.cpp:7062)

GDB:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff47f7549 in js_EmitTree (cx=0x7fffd8138800, cg=0x7fffffffa0b0, pn=0x7fffd169dbf0) at /build/buildd/firefox-7.0~b1+build1+nobinonly/build-tree/mozilla/js/src/jsemit.cpp:7062
Attachment #555995 - Attachment mime type: text/plain → text/html
ugh, shouldn't have missed this, sounds like it could have been a sec-critical bug. May not happen anymore though, the JS engine has gone through a lot of changes since then.
Component: General → General
Product: Firefox → Core
Sounds plugin-related. It looks like js_EmitTree is now EmitTree in js/src/frontend/BytecodeEmitter.cpp
sun-java6-plugin is long gone from Ubuntu. No repro with Oracle's Java 7 and Fx19/trunk on Ubuntu.
Virgil, could you possibly test through a few more (Oracle) Java 6/7 versions to see if this still reproduces? Testing on Fx19 would probably be sufficient.
Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0

Verified with Firefox 19. Disabled blocklisting to avoid CTP. No crash while loading the repro file with the following Java versions:
- java 7u5
- java 7u10
- java 6u39

Firefox hung when I activated the plugin via CTP with the Java 6 version, however. Nothing special apart from that.
Thanks Virgil. dveditz, given that this is not reproducible in current versions - does this need any further action?
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → WORKSFORME