Closed Bug 770235 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash on heap, trying to call invalid address

Categories

(Core :: JavaScript Engine, defect)

Version: Other Branch
Hardware: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: major

Tracking


VERIFIED FIXED
Tracking Status
firefox16 --- unaffected
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: crash, sec-critical, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on ionmonkey revision 6688ede89a36 (run with --ion -n -m --ion-eager):


a = this;  // keep a reference to the global object
// Define an accessor property "x" on the global whose getter is the Function constructor,
// so reading a.x calls Function() rather than returning a plain function object.
with(evalcx('')) this.__defineGetter__("x", Function);
AddSplitCases( "splitme", "", "''", ["s", "p", "l", "i", "t", "m", "e"] );
function AddSplitCases( string, separator, str_sep, split_array ) {
  // "matches" is never advanced; the update clause just keeps reading a.x (invoking the getter)
  for ( var matches = 0; matches < split_array.length; (a.x) ) {}
}
Trace:


==20429== Jump to the invalid address stated on the next line
==20429==    at 0xFFFB80000C71A0C0: ???
==20429==    by 0x4033039: ???
==20429==    by 0x7FEFFE33F: ???
==20429==    by 0x7FEFFE337: ???
==20429==    by 0x7FEFFE2FF: ???
==20429==  Address 0xfffb80000c71a0c0 is not stack'd, malloc'd or (recently) free'd
Assignee: general → dvander
Status: NEW → ASSIGNED
Attached patch: fix
Attachment #638944 - Flags: review?(efaust)
Comment on attachment 638944
fix

Review of attachment 638944:
-----------------------------------------------------------------

::: js/src/ion/IonBuilder.cpp
@@ +4776,5 @@
>          }
>      }
>  
> +    if (found->isFunction())
> +        *funcp = found->toFunction();
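Review bot: with this guard, `*funcp` is never written when `found` is not a function, so correctness now depends on every caller having initialized its `funcp` to NULL before the call; a caller that does not would read an uninitialized pointer, which is the same class of bad call this patch is fixing. Either add an `else *funcp = NULL;` alongside the new lines, or confirm (and comment at the call sites) that the out-param is always zero-initialized.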

I think we want to move this check higher, when we set found the first time. That way, we don't get to the end, having added tons of checks and freezes, only to find that we can't use the information we found. We should leave the toFunction() on the assignment, though.
Attachment #638944 - Flags: review?(efaust) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/851c1c7d13a2
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security