Null pointer dereference in (jaeger) JIT code

Status: RESOLVED WORKSFORME
Product: Core
Component: JavaScript Engine

Reporter: Arthur Gerkis
Assignee: Unassigned

Firefox Tracking Flags: Not tracked
Attachments: 1

Description

6 years ago, Reporter

Created attachment 613130: Testcase

Firefox crashes when trying to dereference a null pointer in JIT-emitted code.

Tested Firefox 11.0 on Ubuntu x64 and Windows 7 x64, XP SP3 x32. It works on the previous version (10.*) too.
Attachment #613130 - Attachment mime type: text/plain → text/html
Assignee: nobody → general
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
QA Contact: untriaged → general

Comment 1

6 years ago
Crashes Firefox 11 at bp-c0ce5e23-8ce9-4a8b-8173-7a6a92120409 on OS X 10.7.

Interestingly, it doesn't seem to crash nightly on the same machine: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120409 Firefox/14.0a1

Comment 2

6 years ago
It also doesn't seem to crash the current Aurora build on my machine: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20120409 Firefox/13.0a2

or Beta: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0
We appear to have fixed this bug in Firefox 12, possibly through bug 730706.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 730706
FWIW, I don't think bug 730706 is the right duplicate
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: DUPLICATE → ---

Updated

6 years ago
Summary: Null pointer dereference in JIT code → Null pointer dereference in (jaeger) JIT code

Updated

6 years ago
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME