Closed
Bug 779812
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ js::EncapsulatedPtr] with use-after-free
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
| Flag | Tracking | Status |
|---|---|---|
| firefox17 | --- | unaffected |
| firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: dvander)
(4 keywords, Whiteboard: [jsbugmon:update][ion:p1:fx18])
Attachments
(1 file)
patch, 4.17 KB, sstangl: review+
The following testcase crashes on ionmonkey revision 2169bca0c9a5 (run with --ion -n -m --ion-eager -a):

```js
gczeal(2,1);
(function () {
  var m = {}
  return { stringify: stringify };
})();
```
Comment 1 (Reporter, 12 years ago)
Crash info:

```
==9467== Invalid read of size 8
==9467==    at 0x4150E0: js::EncapsulatedPtr<JSObject, unsigned long>::operator JSObject*() const (Barrier.h:172)
==9467==    by 0x426C71: js::ObjectImpl::hasSingletonType() const (ObjectImpl.h:1129)
==9467==    by 0x94F0EF: js::ion::CodeGenerator::visitNewObject(js::ion::LNewObject*) (CodeGenerator.cpp:1306)
==9467==    by 0x8941DA: js::ion::LNewObject::accept(js::ion::LInstructionVisitor*) (LIR-Common.h:250)
==9467==    by 0x94E78D: js::ion::CodeGenerator::generateBody() (CodeGenerator.cpp:1137)
==9467==    by 0x9562C7: js::ion::CodeGenerator::generate() (CodeGenerator.cpp:2638)
==9467==    by 0x823414: js::ion::GenerateCode(js::ion::IonBuilder&, js::ion::MIRGraph&) (Ion.cpp:827)
==9467==    by 0x8234AE: js::ion::TestCompiler(js::ion::IonBuilder&, js::ion::MIRGraph&) (Ion.cpp:842)
==9467==    by 0x82A4FB: bool js::ion::IonCompile<&(js::ion::TestCompiler(js::ion::IonBuilder&, js::ion::MIRGraph&))>(JSContext*, JSScript*, JSFunction*, unsigned char*, bool) (Ion.cpp:876)
==9467==    by 0x827877: js::ion::MethodStatus js::ion::Compile<&(js::ion::TestCompiler(js::ion::IonBuilder&, js::ion::MIRGraph&))>(JSContext*, JSScript*, JSFunction*, unsigned char*, bool) (Ion.cpp:992)
==9467==    by 0x823B38: js::ion::CanEnter(JSContext*, JSScript*, js::StackFrame*, bool) (Ion.cpp:1082)
==9467==    by 0x52B446: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2495)
==9467== Address 0xdadadadadadadae2 is not stack'd, malloc'd or (recently) free'd
```
Updated (Assignee, 12 years ago)
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
Comment 2 (Assignee, 12 years ago)
MIR.h is using HeapPtr<> instead of CompilerRoot<>
Assignee: general → dvander
Status: NEW → ASSIGNED
Comment 3 (Assignee, 12 years ago)
Attachment #648474 - Flags: review?(sstangl)
Updated (12 years ago)
Attachment #648474 - Flags: review?(sstangl) → review+
Comment 4 (Assignee, 12 years ago)
https://hg.mozilla.org/projects/ionmonkey/rev/9f3dc298e25b
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated (Reporter, 12 years ago)
Status: RESOLVED → VERIFIED
Comment 5 (Reporter, 12 years ago)
JSBugMon: This bug has been automatically verified fixed.
Updated (12 years ago)
status-firefox-esr10: --- → unaffected
status-firefox17: --- → unaffected
Updated (12 years ago)
Keywords: sec-critical
Updated (9 years ago)
Group: core-security
Updated (7 years ago)
Keywords: csectype-uaf