Bug 682251 - Segmentation fault at js_EmitTree in jsemit.cpp
Status: Closed, RESOLVED WORKSFORME
Opened 13 years ago, closed 11 years ago
Categories: Core :: General, defect
People: Reporter: attekett, Unassigned
Attachments (1 file): 1.36 KB, text/html
Tested on Firefox 7.0~b1 on Ubuntu x86_64: opening the attached file causes a segmentation fault at jsemit.cpp (from gdb). You need to have sun-java6-plugin installed to reproduce the crash. (Valgrind shows invalid writes from the Java Plugin.) Removing a few of the "= a" pairs will prevent the crash.

Valgrind:
==25050== Process terminating with default action of signal 11 (SIGSEGV)
==25050== Access not within mapped region at address 0x7FEF02A40
==25050== at 0x8B2F549: js_EmitTree (jsemit.cpp:7062)

GDB:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff47f7549 in js_EmitTree (cx=0x7fffd8138800, cg=0x7fffffffa0b0, pn=0x7fffd169dbf0) at /build/buildd/firefox-7.0~b1+build1+nobinonly/build-tree/mozilla/js/src/jsemit.cpp:7062
Updated•13 years ago
Attachment #555995 - Attachment mime type: text/plain → text/html
Updated•11 years ago
Flags: sec-bounty?
Comment 1•11 years ago
ugh, shouldn't have missed this, sounds like it could have been a sec-critical bug. May not happen anymore though, the JS engine has gone through a lot of changes since then.
Group: core-security
Product: Firefox → Core
Comment 2•11 years ago
Sounds plugin-related. It looks like js_EmitTree is now EmitTree in js/src/frontend/BytecodeEmitter.cpp.
Comment 3•11 years ago
sun-java6-plugin is long gone from Ubuntu. No repro with Oracle's Java 7 and Fx19/trunk on Ubuntu.
Comment 4•11 years ago
Virgil, could you possibly test through a few more (Oracle) Java 6/7 versions to see if this still reproduces? Testing on Fx19 would probably be sufficient.
Flags: needinfo?(virgil.dicu)
Comment 5•11 years ago
Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0

Verified with Firefox 19. Disabled blocklisting to avoid CTP. No crash while loading the repro file with the following Java versions:
java 7u5
java 7u10
java 6u39

Firefox hung when I activated the plugin via CTP with the Java 6 version, however. Nothing special apart from that.
Flags: needinfo?(virgil.dicu)
Comment 6•11 years ago
Thanks Virgil. dveditz, given that this is not reproducible in current versions - does this need any further action?
Updated•11 years ago
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → WORKSFORME