Closed Bug 762005 Opened 12 years ago Closed 12 years ago

Crash on heap with invalid write using valueOf

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical


RESOLVED DUPLICATE of bug 761863

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, sec-critical, testcase, Whiteboard: js-triage-needed [sg:dupe 761863])

The following test crashes on mozilla-central revision cf4face65451 (options -m -n -a):

// gczeal() is a SpiderMonkey shell builtin that forces the garbage
// collector to run far more aggressively than normal, so GC bugs surface
// on small inputs like this one.
gczeal(4);
test();
function test() {
  var primitiveValues = [ "", "xxx", ];
  for (var i = 0; i != primitiveValues.length; ++i) {
    var v = primitiveValues[i];
    // Each iteration allocates a fresh object whose valueOf closes over v.
    var obj = { valueOf: function() { return v; } };
  }
}

Valgrind only shows:

==3298== Invalid write of size 4
==3298==    at 0x6F515A2: ???
==3298==  Address 0xffffffb5 is not stack'd, malloc'd or (recently) free'd


Assuming s-s due to GC-related crash.
I'm unable to repro. Could you give more details (os, arch, debug/opt, configure opts)?
This should be a debug build (because I usually explicitly note if an opt-build is required). The details should be identical to those that I just posted in bug 762014.
This is fixed by bug 761863: I confirmed the valgrind error before 1c5e63e6237d and no error with 1c5e63e6237d.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Depends on: 761863
Keywords: sec-critical
Whiteboard: js-triage-needed → js-triage-needed [sg:dupe 761863]
No longer depends on: 761863
Group: core-security
A testcase for this bug was already added in the original bug (bug 761863).
Flags: in-testsuite-