Closed Bug 684594 Opened 8 years ago Closed 8 years ago

Crash [@ JSObject::setProperty]

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: fixed-in-jaegermonkey)

Crash Data

The following test crashes on mozilla-central revision a351ae35f2c4 (with shell build fix from mozilla-inbound rev fff3dc9478ce) debug and opt builds (options -m -n -a). Works on both 32 and 64 bit, but crashes look different. On 64 bit, the crash looks very similar to bug 684590 (which does not crash on 32 bit though).


function foo(x,n) {
  for (var i = -5; i < n; (this.foo)++) {
    x[i] = 10;
  }
}
foo([1,36.e6 ,3,(/[\u0075]\u0072[][]\u00b6/ ),5],5);


Backtrace on 32 bit dbg:

==55272== Invalid read of size 4
==55272==    at 0x808484F: JSObject::setProperty(JSContext*, jsid, js::Value*, int) (jsobj.h:1382)
==55272==    by 0x83FAFDA: void js::mjit::stubs::SetElem<0>(js::VMFrame&) (StubCalls.cpp:615)
==55272==    by 0x830B75B: ??? (MethodJIT.cpp:153)
==55272==    by 0x84C7FF3: ??? (in /srv/repos/mozilla-central/js/src/debug32/shell/js)
==55272==  Address 0xffffffe9 is not stack'd, malloc'd or (recently) free'd
Duplicate of this bug: 684590
Argh, braindead bug.  When hoisting loop invariant array accesses we checked both underflow and overflow when the index could change in the loop body, but only checked for overflow if the index was itself loop invariant.  This case needed an underflow check as well.

http://hg.mozilla.org/projects/jaegermonkey/rev/d4696bf0d286
Whiteboard: js-triage-needed → fixed-in-jaegermonkey
http://hg.mozilla.org/mozilla-central/rev/d4696bf0d286
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Group: core-security
You need to log in before you can comment on or make changes to this bug.