Closed
Bug 763112
Opened 13 years ago
Closed 13 years ago
IonMonkey: Crash on Heap trying to execute invalid address through [@ js::Invoke]
Categories (Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 762936
People (Reporter: decoder, Unassigned)
Details (Keywords: crash, sec-critical, testcase, Whiteboard: [jsbugmon:update,ignore])
Attachments (1 file): 1.02 KB, text/javascript
The attached testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager).
Comment 1 (Reporter) • 13 years ago
Crash trace:
==31127== Jump to the invalid address stated on the next line
==31127== at 0x200: ???
==31127== by 0x815965E: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.cpp:367)
==31127== by 0x84CF185: js::ion::InvokeFunction(JSContext*, JSFunction*, unsigned int, JS::Value*, JS::Value*) (VMFunctions.cpp:65)
==31127== by 0x9CCB3D4: ???
==31127== Address 0x200 is not stack'd, malloc'd or (recently) free'd
Updated • 13 years ago
Keywords: sec-critical
Comment 2 (Reporter) • 13 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 3dc37e74fdf0).
Updated (Reporter) • 13 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 3 (Reporter) • 13 years ago
Fixed by bug 762936?
Comment 4 • 13 years ago
Appears so.
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Comment 5 (Reporter) • 12 years ago
Will add the test in bug 763440 which should cover this.
Flags: in-testsuite-