Closed
Bug 770235
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash on heap, trying to call invalid address
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: VERIFIED FIXED
Tracking | Status | |
---|---|---|
firefox16 | --- | unaffected |
firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: dvander)
References
Details
(Keywords: crash, sec-critical, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
patch, 959 bytes | efaust: review+
The following testcase crashes on ionmonkey revision 6688ede89a36 (run with --ion -n -m --ion-eager):

```js
a = this;
with(evalcx('')) this.__defineGetter__("x", Function);
AddSplitCases( "splitme", "", "''", ["s", "p", "l", "i", "t", "m", "e"] );
function AddSplitCases( string, separator, str_sep, split_array ) {
  for ( var matches = 0; matches < split_array.length; (a.x) ) {}
}
```
Comment 1 (Reporter) • 12 years ago
Trace:

```
==20429== Jump to the invalid address stated on the next line
==20429==    at 0xFFFB80000C71A0C0: ???
==20429==    by 0x4033039: ???
==20429==    by 0x7FEFFE33F: ???
==20429==    by 0x7FEFFE337: ???
==20429==    by 0x7FEFFE2FF: ???
==20429==  Address 0xfffb80000c71a0c0 is not stack'd, malloc'd or (recently) free'd
```
Updated (Assignee) • 12 years ago
Assignee: general → dvander
Updated (Assignee) • 12 years ago
Status: NEW → ASSIGNED
Comment 2 (Assignee) • 12 years ago
Attachment #638944 - Flags: review?(efaust)
Comment 3 • 12 years ago
Comment on attachment 638944 [details] [diff] [review] fix Review of attachment 638944 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/IonBuilder.cpp @@ +4776,5 @@ > } > } > > + if (found->isFunction()) > + *funcp = found->toFunction(); I think we want to move this check higher, when we set found the first time. That way, we don't get to the end, having added tons of checks and freezes, only to find that we can't use the information we found. We should leave the toFunction() on the assignment, though.
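Review bot: the `found->isFunction()` guard on the hunk's last two lines runs only after the whole lookup has completed, and when `found` is not a function it simply skips the assignment, so `*funcp` is left with whatever value the caller passed in; unless the caller initialises `*funcp` to NULL and treats "unassigned" as "no callee found", a stale pointer can still reach the call site. Moving the check to the point where `found` is first assigned, as suggested, lets the builder return failure there instead of first emitting the remaining guards and freezes, and `*funcp = found->toFunction();` can stay as the single assignment.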
Attachment #638944 - Flags: review?(efaust) → review+
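An added model of the guard placement discussed in the review above. This is illustration code written for this page, not SpiderMonkey's IonBuilder: the names isFunction(), toFunction() and funcp follow the quoted hunk, while the Object/Value/Property types, the prototype-chain walk and the guard counter are assumptions constructed to make the difference observable. It contrasts the late check (the shape of the hunk) with the early check efaust suggests; both refuse to hand back a non-function, but the early version stops guarding the chain as soon as the lookup turns out to be unusable.

```cpp
#include <string>
#include <vector>

// Hypothetical model of a callee lookup over a prototype chain, written to
// show where the isFunction() guard from the review belongs. The names
// isFunction(), toFunction() and funcp follow the quoted hunk; every other
// type and the guard counting are constructed for this illustration and are
// not SpiderMonkey code.
struct Function { std::string name; };

// A property value is either a callable function or some other object.
struct Value {
    bool callable = false;
    Function *fun = nullptr;                 // meaningful only when callable
    bool isFunction() const { return callable; }
    Function *toFunction() const { return callable ? fun : nullptr; }
};

struct Property { std::string name; Value value; };

struct Object {
    std::vector<Property> props;
    Object *proto = nullptr;
    int guards = 0;                          // guards/freezes the builder would emit
    Value *lookup(const std::string &name) {
        for (Property &p : props)
            if (p.name == name) return &p.value;
        return nullptr;
    }
};

// Late check, the shape of the original hunk: guard every object on the chain
// and only at the end ask whether the value found is callable.
bool findCalleeLate(Object *obj, const std::string &name, Function **funcp) {
    *funcp = nullptr;                        // caller must never see a stale pointer
    Value *found = nullptr;
    for (Object *o = obj; o; o = o->proto) {
        o->guards++;
        if (!found) found = o->lookup(name);
    }
    if (found && found->isFunction())
        *funcp = found->toFunction();
    return *funcp != nullptr;
}

// Early check, the reviewer's suggestion: bail out as soon as `found` is set to
// a non-function, before any further guards are added; toFunction() stays on
// the assignment.
bool findCalleeEarly(Object *obj, const std::string &name, Function **funcp) {
    *funcp = nullptr;
    Value *found = nullptr;
    for (Object *o = obj; o; o = o->proto) {
        o->guards++;
        if (!found) {
            found = o->lookup(name);
            if (found && !found->isFunction())
                return false;                // unusable result: stop guarding the chain
        }
    }
    if (found)
        *funcp = found->toFunction();
    return *funcp != nullptr;
}

static int totalGuards(Object *obj) {
    int n = 0;
    for (Object *o = obj; o; o = o->proto) n += o->guards;
    return n;
}

// Constructed chain: receiver -> protoA -> protoB, with `x` on the receiver.
// Returns the number of guards emitted by the chosen lookup, or -1 if the
// lookup returned something inconsistent; `callable` selects whether `x`
// holds a function (as a getter would) or a plain non-callable value.
int guardsEmitted(bool useEarly, bool callable) {
    Object protoB, protoA, receiver;
    protoA.proto = &protoB;
    receiver.proto = &protoA;
    Function fn{"getter"};
    Value v;
    v.callable = callable;
    v.fun = callable ? &fn : nullptr;
    receiver.props.push_back({"x", v});
    Function *f = nullptr;
    bool ok = useEarly ? findCalleeEarly(&receiver, "x", &f)
                       : findCalleeLate(&receiver, "x", &f);
    // A successful lookup must hand back exactly the function that was stored,
    // and a failed one must leave funcp null.
    if (ok != callable || (ok && f != &fn) || (!ok && f != nullptr))
        return -1;
    return totalGuards(&receiver);
}
```

With `x` holding a non-function, the late variant guards all three objects before discovering the result is unusable, while the early variant stops after the first; when `x` really is a function, both variants guard the full chain and return the same callee.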
Updated • 12 years ago
Keywords: sec-critical
Comment 4 (Assignee) • 12 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/851c1c7d13a2
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated • 12 years ago
status-firefox-esr10: --- → unaffected
status-firefox16: --- → unaffected
Updated (Reporter) • 12 years ago
Status: RESOLVED → VERIFIED
Comment 5 (Reporter) • 12 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 9 years ago
Group: core-security