Closed Bug 764289 Opened 12 years ago Closed 12 years ago

Crash with __lookupGetter__, empty proxy

Categories

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86_64, macOS
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED
Target Milestone: mozilla16

Tracking Status
firefox15 --- unaffected
firefox16 + fixed
firefox-esr10 --- unaffected

People

(Reporter: jruderman, Assigned: bholley)

Details

(5 keywords, Whiteboard: [fuzzblocker][advisory-tracking-])

Attachments

(3 files)

This testcase hits the "compartment mismatch" assertion.  Or crashes trying to evaluate that assertion.  Or crashes somewhere else.

The first bad revision is:
changeset:   1bdd81c4d926
user:        Bobby Holley
date:        Tue Jun 12 15:44:14 2012 +0200
summary:     Bug 762432 - Handle proxies on __lookupGetter__ and __lookupSetter__. r=jorendorff
Attached file shell testcase
You have to feed this to the shell using "<".  I even tried evaluate() with various options and could not get it to crash.  I would like to know why, so I can improve jsfunfuzz if needed.
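As an added illustration (not part of the bug report or the attached testcase, which is not reproduced here), the following shows why the engine has to treat proxies specially in `__lookupGetter__`: the legacy accessor walks the prototype chain with `[[GetOwnProperty]]` and `[[GetPrototypeOf]]`, and on a Proxy each of those steps is routed through the handler, so an "empty" handler forwards to the target while a handler trap can hand back an accessor the target never had. The code uses the standard ES2015 `Proxy` and `Reflect` APIs rather than the 2012-era SpiderMonkey proxy API; the handler, target objects and log array are constructed for this example.

```javascript
// Added example: how Object.prototype.__lookupGetter__ interacts with a Proxy.
// Not from the bug; uses modern Proxy/Reflect, not the 2012 shell's proxy API.
const lookupGetter = Object.prototype.__lookupGetter__;

// An empty handler forwards every internal method to the target, so the
// target's own getter is what comes back.
function getterThroughEmptyProxy() {
  const target = { get x() { return 1; } };
  const proxy = new Proxy(target, {});
  const found = lookupGetter.call(proxy, 'x');
  return found === Object.getOwnPropertyDescriptor(target, 'x').get;
}

// A logging handler shows which traps the lookup drives. The target has a
// null prototype so the chain walk stops after the first getPrototypeOf.
function lookupThroughLoggingProxy(key) {
  const log = []; // constructed for the example
  const handler = {
    getOwnPropertyDescriptor(target, prop) {
      log.push(`getOwnPropertyDescriptor(${String(prop)})`);
      if (prop === 'y') {
        // Configurable accessor for a property the extensible target lacks:
        // allowed by the Proxy invariants, and __lookupGetter__ returns its getter.
        return { get() { return 42; }, set: undefined, enumerable: true, configurable: true };
      }
      return Reflect.getOwnPropertyDescriptor(target, prop);
    },
    getPrototypeOf(target) {
      log.push('getPrototypeOf');
      return Reflect.getPrototypeOf(target);
    },
  };
  const proxy = new Proxy(Object.create(null), handler);
  const getter = lookupGetter.call(proxy, key);
  return { value: getter === undefined ? undefined : getter(), log };
}
```

`lookupThroughLoggingProxy('y')` returns the trap-supplied value 42 after a single `getOwnPropertyDescriptor` call; `lookupThroughLoggingProxy('z')` finds nothing, calls `getPrototypeOf`, hits `null` and returns `undefined`. Every one of those handler calls runs script chosen by whoever built the proxy, which is the situation a cross-compartment wrapper puts the engine in.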
Attached patch: patch v1 (Splinter Review)
Attachment #633108 - Flags: review?(jorendorff)
I couldn't write a reliable crashtest for this. :-(
Eh?  Both testcases are reliable for me.
(In reply to Jesse Ruderman from comment #4)
> Eh?  Both testcases are reliable for me.

Yeah, but when I converted the browser one to a crashtest it didn't crash for some reason. I'm pretty swamped with security stuff at the moment so I decided to cut my losses and stop messing around with it.
For me, the patch fixes a valgrind warning for "./js a.js", and a crash (both in and out of valgrind) for "./js < a.js".
I'd just check in the shell testcase and hope we (eventually) do runs under Valgrind often enough.
Attachment #633108 - Flags: review?(jorendorff) → review+
Pushed to m-i: http://hg.mozilla.org/integration/mozilla-inbound/rev/0ba224d850bd
Assignee: general → bobbyholley+bmo
Target Milestone: --- → mozilla16
https://hg.mozilla.org/mozilla-central/rev/0ba224d850bd
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Verified fixed in 6-19 jsshell.
Status: RESOLVED → VERIFIED
Whiteboard: [fuzzblocker] → [fuzzblocker][advisory-tracking-]
Group: core-security
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug764289.js.
Flags: in-testsuite+