Closed
Bug 768436
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ JSScript::hasAnalysis] with use-after-free
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: RESOLVED FIXED
People
(Reporter: decoder, Assigned: jandem)
References
Details
(Keywords: crash, csectype-uaf, testcase, Whiteboard: [jsbugmon:update][fuzzblocker])
Crash Data
Attachments
(1 file, 1 obsolete file)
Patch, 3.51 KB (dvander: review+) | Details | Diff | Splinter Review
The following testcase crashes on ionmonkey revision 80a4e5dfeaaf (run with --ion -n -m --ion-eager):

new ({});
Reporter
Comment 1 • 12 years ago
Crash trace:

==12410== Invalid read of size 4
==12410==    at 0x8122466: JSScript::hasAnalysis() (jsinferinlines.h:1470)
==12410==    by 0x849EA30: js::ion::ShouldMonitorReturnType(JSFunction*) (VMFunctions.cpp:60)
==12410==    by 0x849EB22: js::ion::InvokeConstructorFunction(JSContext*, JSFunction*, unsigned int, JS::Value*, JS::Value*) (VMFunctions.cpp:93)
==12410==    by 0x78B534C: ???
==12410==    by 0x840C2CA: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1112)
==12410==    by 0x840C53C: js::ion::Cannon(JSContext*, js::StackFrame*) (Ion.cpp:1143)
==12410==    by 0x814C794: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:263)
==12410==    by 0x814D3CC: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:474)
==12410==    by 0x814D60A: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:512)
==12410==    by 0x808F4F1: JS_ExecuteScript (jsapi.cpp:5370)
==12410==    by 0x804FB01: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:440)
==12410==    by 0x805AB43: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4832)
==12410==  Address 0xdadadb02 is not stack'd, malloc'd or (recently) free'd

Jandem says this was caused by bug 766011.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Assignee
Comment 2 • 12 years ago
Taking this fuzz blocker, we need to check if the callee is a function.
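The missing check that comment 2 describes, modelled in standalone C++ as an added example. This is not SpiderMonkey source or the patch attached to this bug: the object layout, the class tag, the helper names and the use of the trace's 0xdadadb02 address as a constructed slot value are all assumptions made for illustration. What it shows is the shape of the defect, a callee cast to a function without first checking its class, next to the hardened form that rejects a non-function callee before a script pointer is ever formed.

```cpp
#include <cstdint>
#include <cstdio>

// Added illustration, not SpiderMonkey source. The layout below is a
// deliberately simplified, hypothetical model of the objects named in the
// crash trace; only the shape of the bug (casting a callee to a function
// without checking its class) is taken from the report.
struct JSScript {
    bool analyzed;
    bool hasAnalysis() const { return analyzed; }
};

enum class ObjClass : uint8_t { PlainObject, Function };

struct JSObject {
    ObjClass clasp;
    // Functions store their JSScript* here (kept as an integer so the model
    // stays well-defined C++). A plain object stores an unrelated fixed slot
    // in the same storage, so these bits mean "script pointer" only when
    // clasp == Function.
    uintptr_t bits;
    bool isFunction() const { return clasp == ObjClass::Function; }
};

// Constructed sample value: the trace on this page reports an invalid read at
// 0xdadadb02, i.e. plain-object bits being dereferenced as a JSScript*.
constexpr uintptr_t kPoison = 0xdadadb02u;

JSObject makePlainObject() {          // the callee of `new ({})`
    return JSObject{ObjClass::PlainObject, kPoison};
}

JSObject makeFunction(JSScript* script) {
    return JSObject{ObjClass::Function, reinterpret_cast<uintptr_t>(script)};
}

// Vulnerable shape: the callee is treated as a function unconditionally, so
// for `new ({})` the slot bits become the pointer that hasAnalysis() would
// read through. The pointer value is returned rather than dereferenced.
uintptr_t scriptPointerUnchecked(const JSObject* callee) {
    return callee->bits;
}

// Hardened shape (the fix comment 2 describes): reject non-functions before
// forming the JSScript*. Returns false when the caller must throw
// "not a constructor"; otherwise sets *monitor.
bool shouldMonitorReturnType(const JSObject* callee, bool* monitor) {
    if (!callee->isFunction())
        return false;
    JSScript* script = reinterpret_cast<JSScript*>(callee->bits);
    *monitor = script == nullptr || !script->hasAnalysis();
    return true;
}

// Helpers exercising both paths on the `new ({})` callee and on a real
// function, so the difference can be checked without undefined behaviour.
uintptr_t uncheckedReadForPlainObject() {
    JSObject plain = makePlainObject();
    return scriptPointerUnchecked(&plain);   // the bogus 0xdadadb02 "script"
}

bool checkedPathRejectsPlainObject() {
    JSObject plain = makePlainObject();
    bool monitor = true;
    return !shouldMonitorReturnType(&plain, &monitor);
}

bool monitorDecisionForFunction(bool analyzed) {
    JSScript script{analyzed};
    JSObject fn = makeFunction(&script);
    bool monitor = false;
    if (!shouldMonitorReturnType(&fn, &monitor))
        return false;                        // unreachable for a function
    return monitor;
}

int main() {
    std::printf("unchecked cast would read JSScript at 0x%llx\n",
                static_cast<unsigned long long>(uncheckedReadForPlainObject()));
    std::printf("checked path rejects `new ({})`: %s\n",
                checkedPathRejectsPlainObject() ? "yes" : "no");
    std::printf("function without analysis needs monitoring: %s\n",
                monitorDecisionForFunction(false) ? "yes" : "no");
    return 0;
}
```

The point of keeping the class check ahead of the cast is that the callee's bits are only meaningful as a JSScript* once the class is known; any code path that reaches the function-specific fields from a generic object pointer, here a constructor call whose callee is an ordinary object, needs that guard or the caller needs to have established it.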
Assignee
Comment 3 • 12 years ago
Attachment #636693 - Attachment is obsolete: true
Attachment #636693 - Flags: review?(dvander)
Attachment #636706 - Flags: review?(dvander)

Comment 4 (David Anderson [:dvander])
Comment on attachment 636706 [details] [diff] [review]
Patch

Review of attachment 636706 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for the quick fix - could we add a test case for this?
Attachment #636706 - Flags: review?(dvander) → review+
Assignee
Comment 5 • 12 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/bd0eba3ea397

(In reply to David Anderson [:dvander] from comment #4)
> Thanks for the quick fix - could we add a test case for this?

Hrm, I forgot to qref it; pushed with that fixed.
Group: core-security
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter
Comment 6 • 11 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug768436.js.
Flags: in-testsuite+
Updated • 7 years ago
Keywords: csectype-uaf