Closed Bug 690650 Opened 10 years ago Closed 10 years ago

TI: Crash [@ js_InternalInterpret] or "Assertion failure: codeArray[offset],"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: bhackett1024)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:dos] js-triage-needed)

Attachments

(3 files)

testcase
192.13 KB, text/plain
Details
stack
2.81 KB, text/plain
Details
patch
764 bytes, patch
dvander
: review+
Details | Diff | Splinter Review
Attached file testcase 
The attached testcase asserts js debug shell on JM changeset 44ef245b8706 and m-c changeset db9e99d537f2 with -m, -a and -n at Assertion failure: codeArray[offset], and crashes js opt shell at js_InternalInterpret

This was found using a combination of jsfunfuzz and jandem's method fuzzer.

Since it seems to be a null deref, assuming sg:dos and locking s-s to be safe.
Attached patch patchSplinter Review 
Use of GET_JUMP_OFFSET which did not watch for JOF_JUMPX opcodes.  No other suspicious uses of GET_JUMP_OFFSET in analysis/compilation code, though I'd kind of like to kill GET_JUMP_OFFSET / GET_JUMP_OFFSETX completely and use a common function to compute offsets for both.
Assignee: general → bhackett1024
Attachment #565103 - Flags: review?(dvander)
Attachment #565103 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/cfda40f4a5c8
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Group: core-security
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.