Bug 763226 - IonMonkey: Crash [@ QuoteString]
Status: Closed, RESOLVED DUPLICATE of bug 779390
Opened 13 years ago; closed 13 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder; Unassigned
Keywords: crash, testcase
Whiteboard: [jsbugmon:ignore][ion:p1:fx18][sg:dupe 779390]
Attachments: 1 file (965 bytes, application/x-gzip)
The attached testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager).
Comment 1•13 years ago
Valgrind shows:
==27586== Invalid read of size 2
==27586== at 0x581B1F: QuoteString(js::Sprinter*, JSString*, unsigned int) (jsopcode.cpp:951)
==27586== by 0x581E63: js_QuoteString (jsopcode.cpp:1012)
==27586== by 0x5F171F: js_ValueToSource(JSContext*, JS::Value const&) (jsstr.cpp:3274)
==27586== by 0x42EC50: JS_ValueToSource (jsapi.cpp:514)
==27586== by 0x40B877: ToSource(JSContext*, JS::Value*, JSAutoByteString*) (js.cpp:1214)
==27586== by 0x40BA76: AssertEq(JSContext*, unsigned int, JS::Value*) (js.cpp:1245)
==27586== by 0x403829C: ???
==27586== by 0xC71223F: ???
==27586== by 0x7FEFFD257: ???
==27586== by 0x43F: ???
==27586== Address 0xc7fffff is not stack'd, malloc'd or (recently) free'd
==27586==
==27586== Invalid read of size 2
==27586== at 0x581B31: QuoteString(js::Sprinter*, JSString*, unsigned int) (jsopcode.cpp:953)
==27586== by 0x581E63: js_QuoteString (jsopcode.cpp:1012)
==27586== by 0x5F171F: js_ValueToSource(JSContext*, JS::Value const&) (jsstr.cpp:3274)
==27586== by 0x42EC50: JS_ValueToSource (jsapi.cpp:514)
==27586== by 0x40B877: ToSource(JSContext*, JS::Value*, JSAutoByteString*) (js.cpp:1214)
==27586== by 0x40BA76: AssertEq(JSContext*, unsigned int, JS::Value*) (js.cpp:1245)
==27586== by 0x403829C: ???
==27586== by 0xC71223F: ???
==27586== by 0x7FEFFD257: ???
==27586== by 0x43F: ???
==27586== Address 0xc800047 is 7 bytes inside a block of size 32 free'd
==27586== at 0x4C2695D: free (vg_replace_malloc.c:366)
==27586== by 0x403C14: js_free (Utility.h:169)
==27586== by 0x403C4E: js::Foreground::free_(void*) (Utility.h:588)
==27586== by 0x41B48F: JSRuntime::free_(void*) (jscntxt.h:880)
==27586== by 0x41B4E3: JSContext::free_(void*) (jscntxt.h:1320)
==27586== by 0x581A40: js::Sprint(js::Sprinter*, char const*, ...) (jsopcode.cpp:914)
==27586== by 0x581D27: QuoteString(js::Sprinter*, JSString*, unsigned int) (jsopcode.cpp:986)
==27586== by 0x581E63: js_QuoteString (jsopcode.cpp:1012)
==27586== by 0x5F171F: js_ValueToSource(JSContext*, JS::Value const&) (jsstr.cpp:3274)
==27586== by 0x42EC50: JS_ValueToSource (jsapi.cpp:514)
==27586== by 0x40B877: ToSource(JSContext*, JS::Value*, JSAutoByteString*) (js.cpp:1214)
==27586== by 0x40BA76: AssertEq(JSContext*, unsigned int, JS::Value*) (js.cpp:1245)
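A small triage helper for memcheck reports like the one above, added here as an example (not code from this bug or from SpiderMonkey): it splits each error into the faulting stack and the stack that released the block, flags the second read as a use-after-free, and picks out the first non-allocator frame of the free stack (js::Sprint) so a fuzzing triager can see at a glance where the memory went away. The sample input is an abbreviated copy of comment 1; the "allocator wrapper" heuristic (skip symbols containing "free") is an assumption.

```python
import re

# memcheck frame: "at 0x...: symbol(args) (file:line)"; the location is absent for "???" frames
FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (?P<f>.*?)(?: \((?P<loc>[^()]+:\d+)\))?$")

def parse_memcheck(text):
    # Each record: kind, faulting stack, "Address ..." note, stack that released the block.
    errors, target = [], None
    for raw in text.splitlines():
        m = re.match(r"^==\d+==\s*(.*)$", raw)
        if not m: continue
        line = m.group(1).strip()
        if line.startswith("Invalid "):                 # start of a new error record
            errors.append({"kind": line, "access": [], "note": "", "origin": []})
            target = errors[-1]["access"]
        elif line.startswith("Address ") and errors:   # frames after this describe the block
            errors[-1]["note"] = line
            target = errors[-1]["origin"]
        elif target is not None and (fm := FRAME_RE.match(line)):
            target.append((fm.group("f").split("(")[0], fm.group("loc") or "?"))
        elif not line:                                  # bare "==pid==" line closes the record
            target = None
    return errors

def is_use_after_free(err):
    return "free'd" in err["note"] and "not stack'd" not in err["note"]

def triage(errors):
    # (kind, faulting frame, releasing frame): first free-stack frame whose symbol lacks "free"
    out = []
    for e in errors:
        fault = e["access"][0] if e["access"] else ("?", "?")
        release = None
        if is_use_after_free(e):
            release = next((f for f in e["origin"] if "free" not in f[0].lower()), None)
        out.append((e["kind"], fault, release))
    return out

# Abbreviated copy of the second memcheck report from comment 1 (several frames dropped).
SAMPLE = """\
==27586== Invalid read of size 2
==27586==    at 0x581B31: QuoteString(js::Sprinter*, JSString*, unsigned int) (jsopcode.cpp:953)
==27586==    by 0x581E63: js_QuoteString (jsopcode.cpp:1012)
==27586==  Address 0xc800047 is 7 bytes inside a block of size 32 free'd
==27586==    at 0x4C2695D: free (vg_replace_malloc.c:366)
==27586==    by 0x403C14: js_free (Utility.h:169)
==27586==    by 0x581A40: js::Sprint(js::Sprinter*, char const*, ...) (jsopcode.cpp:914)
==27586==    by 0x581D27: QuoteString(js::Sprinter*, JSString*, unsigned int) (jsopcode.cpp:986)
"""
```

Running `triage(parse_memcheck(SAMPLE))` yields the faulting frame QuoteString at jsopcode.cpp:953 paired with the releasing frame js::Sprint at jsopcode.cpp:914; the first report in comment 1 ("not stack'd, malloc'd or (recently) free'd") is classified as a wild read rather than a use-after-free.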
Comment 2•13 years ago
Not sure if this is exploitable... is it just a bug local to QuoteString, and so always interpreting the unclean data as strings?
Comment 3•13 years ago
Can't reproduce locally. Fixed by Bug 762936?
Comment 4•13 years ago
The bot would have mentioned that, but trying to get explicit confirmation.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,reconfirm]
Comment 5•13 years ago
I forgot that the bot cannot cope with archived testcases yet. But I found an easier testcase on tip now (rev 7ab88528503e, options as in comment 0):
gcPreserveCode();   // js shell helpers: keep JIT code across GCs and trigger GC frequently
gczeal(2);
var obj = {
    1: 1,
    2.5: 2.5,
    1073741822: 1073741822,
    1073741823: 1073741823,
    1073741824: 1073741824,
};
for (var s in obj) {
    var n = obj[s];
    assertEq(JSON.stringify(obj, [n]), '{"' + s + '":' + n + '}', "Failed (" + n + ")");
    assertEq(JSON.stringify(obj, [s, ]), '{"' + s + '":' + n + '}', "Failed (" + s + "', " + n + ")");
    assertEq(JSON.stringify(obj, [n, s]), '{"' + s + '":' + n + '}', "Failed (" + n + ", '" + s + "')" );
}
Whiteboard: [jsbugmon:update,reconfirm] → [jsbugmon:ignore]
decoder, I can't seem to reproduce the test case in comment #5 on tip or the given cset.
Comment 7•13 years ago
Just tried this again and it reproduced for me (rev b02a7b214e49):
$ /srv/repos/ionmonkey/js/src/debug64/js --ion -n -m --ion-eager test.js
Segmentation fault
What configure options did you use, and did you try Linux 64-bit?
Updated•13 years ago
Whiteboard: [jsbugmon:ignore] → [jsbugmon:ignore] js-triage-needed
This is another one I still can't reproduce, either on the given cset or tip, using either test case. --enable-valgrind and valgrind shows no errors either.
Updated•13 years ago
Whiteboard: [jsbugmon:ignore] js-triage-needed → [jsbugmon:ignore][ion:p1:fx18]
Updated•13 years ago
Assignee: general → kvijayan
Updated•13 years ago
Assignee: kvijayan → general
Sweet, I can reproduce this on the given cset on the fuzzing box. It doesn't repro on tip and hg bisect claims it was bug 779390, which is very believable.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated•13 years ago
Group: core-security
Whiteboard: [jsbugmon:ignore][ion:p1:fx18] → [jsbugmon:ignore][ion:p1:fx18][sg:dupe 779390]
Comment 10•13 years ago
A testcase for this bug was already added in the original bug (bug 779390).
Flags: in-testsuite-