TI: Crash [@ js_InternalInterpret] or "Assertion failure: codeArray[offset],"
RESOLVED
FIXED
Status
()
People
(Reporter: gkw, Assigned: bhackett)
Tracking
(Blocks: 2 bugs, {assertion, crash, testcase})
Firefox Tracking Flags
(Not tracked)
Details
(Whiteboard: [sg:dos] js-triage-needed)
Attachments
(3 attachments)
Created attachment 563647 [details]
testcase
The attached testcase asserts js debug shell on JM changeset 44ef245b8706 and m-c changeset db9e99d537f2 with -m, -a and -n at Assertion failure: codeArray[offset], and crashes js opt shell at js_InternalInterpret
This was found using a combination of jsfunfuzz and jandem's method fuzzer.
Since it seems to be a null deref, assuming sg:dos and locking s-s to be safe.
|
(Reporter) | |
Comment 1•8 years ago
|
||
Created attachment 563650 [details]
stack
|
(Assignee) | |
Comment 2•8 years ago
|
||
Created attachment 565103 [details] [diff] [review] patch Use of GET_JUMP_OFFSET which did not watch for JOF_JUMPX opcodes. No other suspicious uses of GET_JUMP_OFFSET in analysis/compilation code, though I'd kind of like to kill GET_JUMP_OFFSET / GET_JUMP_OFFSETX completely and use a common function to compute offsets for both.
Assignee: general → bhackett1024
Attachment #565103 -
Flags: review?(dvander)
Attachment #565103 -
Flags: review?(dvander) → review+
|
|
(Assignee) | |
Comment 3•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/cfda40f4a5c8
|
||
Comment 4•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/cfda40f4a5c8
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
|
||
Updated•7 years ago
|
Group: core-security
|
|
||
Comment 5•6 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•