Closed Bug 684594 Opened 13 years ago Closed 13 years ago

Crash [@ JSObject::setProperty]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: fixed-in-jaegermonkey)

Crash Data

The following test crashes on mozilla-central revision a351ae35f2c4 (with shell build fix from mozilla-inbound rev fff3dc9478ce) debug and opt builds (options -m -n -a). Works on both 32 and 64 bit, but crashes look different. On 64 bit, the crash looks very similar to bug 684590 (which does not crash on 32 bit though).


function foo(x,n) {
  for (var i = -5; i < n; (this.foo)++) {
    x[i] = 10;
  }
}
foo([1,36.e6 ,3,(/[\u0075]\u0072[][]\u00b6/ ),5],5);


Backtrace on 32 bit dbg:

==55272== Invalid read of size 4
==55272==    at 0x808484F: JSObject::setProperty(JSContext*, jsid, js::Value*, int) (jsobj.h:1382)
==55272==    by 0x83FAFDA: void js::mjit::stubs::SetElem<0>(js::VMFrame&) (StubCalls.cpp:615)
==55272==    by 0x830B75B: ??? (MethodJIT.cpp:153)
==55272==    by 0x84C7FF3: ??? (in /srv/repos/mozilla-central/js/src/debug32/shell/js)
==55272==  Address 0xffffffe9 is not stack'd, malloc'd or (recently) free'd
Argh, braindead bug.  When hoisting loop invariant array accesses we checked both underflow and overflow when the index could change in the loop body, but only checked for overflow if the index was itself loop invariant.  This case needed an underflow check as well.

http://hg.mozilla.org/projects/jaegermonkey/rev/d4696bf0d286
Whiteboard: js-triage-needed → fixed-in-jaegermonkey
http://hg.mozilla.org/mozilla-central/rev/d4696bf0d286
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Group: core-security
You need to log in before you can comment on or make changes to this bug.