IonMonkey: Crash on Heap trying to execute invalid address through [@ js::Invoke]

RESOLVED DUPLICATE of bug 762936

Severity: major
People

(Reporter: decoder, Unassigned)

Tracking

Blocks: 2 bugs
Keywords: crash, sec-critical, testcase
Platform: x86 Linux (Other Branch)
Bug flags: in-testsuite -
Firefox tracking flags: not tracked

Details

(Whiteboard: [jsbugmon:update,ignore], crash signature)

Attachments

(1 attachment)

Description (Reporter, 7 years ago)

Created attachment 631574: Testcase for shell

The attached testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager).
Comment 1 (Reporter, 7 years ago)

Crash trace:

==31127== Jump to the invalid address stated on the next line
==31127==    at 0x200: ???
==31127==    by 0x815965E: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.cpp:367)
==31127==    by 0x84CF185: js::ion::InvokeFunction(JSContext*, JSFunction*, unsigned int, JS::Value*, JS::Value*) (VMFunctions.cpp:65)
==31127==    by 0x9CCB3D4: ???
==31127==  Address 0x200 is not stack'd, malloc'd or (recently) free'd
Keywords: sec-critical
Comment 2 (Reporter, 6 years ago)

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 3dc37e74fdf0).
Updated (Reporter, 6 years ago)

Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 3 (Reporter, 6 years ago)

Fixed by bug 762936?
Appears so.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 762936
Comment 5 (Reporter, 6 years ago)

Will add the test in bug 763440 which should cover this.
Flags: in-testsuite-