Status
()
People
(Reporter: gkw, Unassigned)
Tracking
(Blocks: 1 bug, {crash, regression, testcase})
Firefox Tracking Flags
(Not tracked)
Details
(Whiteboard: [sg:dos null deref] js-triage-needed, crash signature)
Attachments
(2 attachments)
Created attachment 612011 [details]
stack
mjitChunkLimit(7)
try {
g = (function() {})
g.get = (function() {
for (p in undefined) {
d
}
return q + ''
})
q = Proxy.create(g, undefined); + q
} catch (e) {}
gc()
delete eval
crashes js opt shell on m-c changeset 95df15895e02 with -m and -n at js_SuppressDeletedProperty
s-s because this involves gc.
Thanks go out to Julian Seward for helping with using Valgrind during the reduction process - the crash disappeared halfway through but Valgrind continued to show an invalid read error which I'm attaching later.
I'm not sure if autoBisect will be accurate when bisecting this because the crash went away and came back during the reduction process.
|
(Reporter) | |
Comment 1•7 years ago
|
||
CC'ing bholley since this seems to involve proxies, and bhackett since mjitChunkLimit seems to be involved.
|
|
(Reporter) | |
Comment 2•7 years ago
|
||
Created attachment 612012 [details]
Valgrind stack
The 32-bit js shell that I tested on Mac OS X 10.7 was compiled with --enable-more-deterministic.|
|
(Reporter) | |
Comment 3•7 years ago
|
||
Note to self, this was the Valgrind patch used to aid reduction:
$ svn diff --diff-cmd=diff -x -U8
Index: memcheck/mc_errors.c
===================================================================
--- memcheck/mc_errors.c (revision 12485)
+++ memcheck/mc_errors.c (working copy)
@@ -730,16 +730,17 @@
emit( "Invalid %s of size %ld\n",
extra->Err.Addr.isWrite ? "write" : "read",
extra->Err.Addr.szB );
VG_(pp_ExeContext)( VG_(get_error_where)(err) );
mc_pp_AddrInfo( VG_(get_error_address)(err),
&extra->Err.Addr.ai,
extra->Err.Addr.maybe_gcc );
+ VG_(exit)(0);
}
break;
case Err_Jump:
if (xml) {
emit( " <kind>InvalidJump</kind>\n" );
emit( " <what>Jump to the invalid address stated "
"on the next line</what>\n" );
|
||
Comment 4•7 years ago
|
||
You want jimb here.
|
||
Comment 5•7 years ago
|
||
Looks like a null deref, or is there still a security bug hiding behind that?
Whiteboard: js-triage-needed → [sg:dos null deref] js-triage-needed
|
|
(Reporter) | |
Comment 6•7 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 88677:412f24be91ed user: Luke Wagner date: Fri Mar 09 16:25:50 2012 -0800 summary: Bug 734129 - uncatchable exceptions should still pop cx->enumerators (r=dvander)
Blocks: 734129
Keywords: regression
|
|
(Reporter) | |
Comment 7•7 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 90829:3a185f034768 user: Luke Wagner date: Mon Apr 02 08:57:27 2012 -0700 summary: Bug 740654 - Hoist recursion checks out of Interpret into callers so that Interpret does not throw when trying to rejoin from mjit (r=bhackett) It got fixed by bug 740654. Yay!
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 740654
|
|
||
Updated•7 years ago
|
||
Group: core-security
|
||
Comment 8•6 years ago
|
||
A testcase for this bug was already added in the original bug (bug 740654).
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•