Closed
Bug 764289
Opened 12 years ago
Closed 12 years ago
Crash with __lookupGetter__, empty proxy
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
mozilla16
Version | Tracking | Status |
---|---|---|
firefox15 | --- | unaffected |
firefox16 | + | fixed |
firefox-esr10 | --- | unaffected |
People
(Reporter: jruderman, Assigned: bholley)
Details
(5 keywords, Whiteboard: [fuzzblocker][advisory-tracking-])
Attachments
(3 files)
This testcase hits the "compartment mismatch" assertion. Or crashes trying to evaluate that assertion. Or crashes somewhere else.

The first bad revision is:
changeset: 1bdd81c4d926
user: Bobby Holley
date: Tue Jun 12 15:44:14 2012 +0200
summary: Bug 762432 - Handle proxies on __lookupGetter__ and __lookupSetter__. r=jorendorff
Reporter
Comment 1•12 years ago
You have to feed this to the shell using "<". I even tried evaluate() with various options and could not get it to crash. I would like to know why, so I can improve jsfunfuzz if needed.
Assignee
Comment 2•12 years ago
Attachment #633108 - Flags: review?(jorendorff)
Assignee
Comment 3•12 years ago
I couldn't write a reliable crashtest for this. :-(
Reporter
Comment 4•12 years ago
Eh? Both testcases are reliable for me.
Assignee
Comment 5•12 years ago
(In reply to Jesse Ruderman from comment #4)
> Eh? Both testcases are reliable for me.

Yeah, but when I converted the browser one to a crashtest it didn't crash for some reason. I'm pretty swamped with security stuff at the moment so I decided to cut my losses and stop messing around with it.
Reporter
Comment 6•12 years ago
For me, the patch fixes a valgrind warning for "./js a.js", and a crash (both in and out of valgrind) for "./js < a.js".
Reporter
Comment 7•12 years ago
I'd just check in the shell testcase and hope we (eventually) do runs under Valgrind often enough.
Updated•12 years ago
status-firefox-esr10: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → affected
tracking-firefox16: --- → +
Updated•12 years ago
Attachment #633108 - Flags: review?(jorendorff) → review+
Assignee
Comment 9•12 years ago
Pushed to m-i: http://hg.mozilla.org/integration/mozilla-inbound/rev/0ba224d850bd
Assignee: general → bobbyholley+bmo
Target Milestone: --- → mozilla16
Comment 10•12 years ago
https://hg.mozilla.org/mozilla-central/rev/0ba224d850bd
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
Whiteboard: [fuzzblocker] → [fuzzblocker][advisory-tracking-]
Updated•11 years ago
Group: core-security
Comment 12•11 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug764289.js.
Flags: in-testsuite+