Crash with __lookupGetter__, empty proxy

VERIFIED FIXED in Firefox 16

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 6 years ago
Modified: 5 years ago

People

(Reporter: Jesse Ruderman, Assigned: Bobby Holley (On Leave Until June 11th))

Tracking

(5 keywords)

Version: Trunk
Target Milestone: mozilla16
Platform: x86_64
OS: Mac OS X
Keywords: assertion, crash, regression, sec-critical, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox15 unaffected, firefox16+ fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [fuzzblocker][advisory-tracking-])

Attachments

(3 attachments)

Description (Reporter), 6 years ago
Created attachment 632588 [details]
browser testcase (crashes when loaded, in a random way)

This testcase hits the "compartment mismatch" assertion.  Or crashes trying to evaluate that assertion.  Or crashes somewhere else.

The first bad revision is:
changeset:   1bdd81c4d926
user:        Bobby Holley
date:        Tue Jun 12 15:44:14 2012 +0200
summary:     Bug 762432 - Handle proxies on __lookupGetter__ and __lookupSetter__. r=jorendorff
Comment 1 (Reporter), 6 years ago
Created attachment 632589 [details]
shell testcase

You have to feed this to the shell using "<".  I even tried evaluate() with various options and could not get it to crash.  I would like to know why, so I can improve jsfunfuzz if needed.
Updated (Reporter), 6 years ago
Blocks: 326633
Created attachment 633108 [details] [diff] [review]
patch v1
Attachment #633108 - Flags: review?(jorendorff)
I couldn't write a reliable crashtest for this. :-(
Comment 4 (Reporter), 6 years ago
Eh?  Both testcases are reliable for me.
(In reply to Jesse Ruderman from comment #4)
> Eh?  Both testcases are reliable for me.

Yeah, but when I converted the browser one to a crashtest it didn't crash for some reason. I'm pretty swamped with security stuff at the moment so I decided to cut my losses and stop messing around with it.
Comment 6 (Reporter), 6 years ago
For me, the patch fixes a valgrind warning for "./js a.js", and a crash (both in and out of valgrind) for "./js < a.js".
Comment 7 (Reporter), 6 years ago
I'd just check in the shell testcase and hope we (eventually) do runs under Valgrind often enough.
Updated (Reporter), 6 years ago
Duplicate of this bug: 764783
status-firefox-esr10: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → affected
tracking-firefox16: --- → +
Attachment #633108 - Flags: review?(jorendorff) → review+
Pushed to m-i: http://hg.mozilla.org/integration/mozilla-inbound/rev/0ba224d850bd
Assignee: general → bobbyholley+bmo
Target Milestone: --- → mozilla16
https://hg.mozilla.org/mozilla-central/rev/0ba224d850bd
Status: NEW → RESOLVED
Last Resolved: 6 years ago
status-firefox16: affected → fixed
Resolution: --- → FIXED
Verified fixed in 6-19 jsshell.
Status: RESOLVED → VERIFIED
Whiteboard: [fuzzblocker] → [fuzzblocker][advisory-tracking-]
Group: core-security
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug764289.js.
Flags: in-testsuite+