Crash [@ strlen] or [@ js_ExpandErrorArguments]

VERIFIED FIXED in mozilla19

Status


--
critical
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, 5 keywords)

Trunk
mozilla19
x86_64
Mac OS X
crash, csectype-dos, regression, sec-moderate, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox16 unaffected, firefox17 unaffected, firefox18 unaffected, firefox-esr10 unaffected, firefox-esr17 unaffected)

Details

(Whiteboard: [fuzzblocker] [jsbugmon:update,ignore], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 681341 [details]
stack

evaluate({
    e: [].some(Proxy.create(function() {}), "")
})

crashes js debug and opt shell on m-c changeset 4e9567eeb09e without any CLI arguments at strlen with js_ExpandErrorArguments on the stack.

s-s due to its simplicity to be safe, even though it seems to be a null deref. Setting fuzzblocker because this is blowing up the fuzzers.

See bug 811606.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   113105:3da143341145
user:        Till Schneidereit
date:        Tue Aug 28 14:35:15 2012 +0200
summary:     Bug 784294 - Convert some array extras to self-hosted js implementations. r=Waldo
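The testcase above exercises Array.prototype.some with a callback that is not callable (a proxy created without a call trap). The expected engine behaviour is a thrown TypeError, not a crash in error reporting. The following regression-style check is an added example, not the testcase committed in efaf8960a929 or any SpiderMonkey code; it assumes the standard ES2015 `new Proxy(target, handler)` form in place of the legacy SpiderMonkey-only `Proxy.create(handler)`, and runs in any modern engine such as Node.

```javascript
// Added example (not the test committed for this bug): a regression-style
// check that Array.prototype.some rejects a non-callable callback with a
// TypeError instead of crashing. The original testcase used the legacy
// SpiderMonkey-only Proxy.create(handler); the standard ES2015
// `new Proxy(target, handler)` form stands in for it here (an assumption).
"use strict";

// Run `fn` and report whether it threw a TypeError (the expected outcome
// for a bad callback) rather than returning or throwing something else.
function expectTypeError(fn) {
  try {
    fn();
  } catch (e) {
    return e instanceof TypeError;
  }
  return false;
}

// Callback values that the spec requires to be rejected before any element
// is visited. `new Proxy({}, {})` is non-callable, like the original
// Proxy.create(...) object with no call trap.
const nonCallableCallbacks = {
  proxyOfObject: new Proxy({}, {}),
  plainObject: {},
  emptyString: "",
  nullValue: null,
};

// Mirrors the shape of the original testcase, [].some(callback, thisArg),
// with an empty array: a correct engine never even calls the callback and
// must still throw TypeError for each non-callable value.
function checkRejectsNonCallable() {
  const results = {};
  for (const [name, cb] of Object.entries(nonCallableCallbacks)) {
    results[name] = expectTypeError(() => [].some(cb, ""));
  }
  return results;
}

// Sanity check in the other direction: a callable proxy (function target,
// empty handler) is a valid callback and must behave like the function,
// stopping at the first element for which it returns true.
function checkAcceptsCallableProxy() {
  const calls = [];
  const cb = new Proxy(function (x) { calls.push(x); return x > 1; }, {});
  const found = [1, 2, 3].some(cb, "");
  return { found, calls };
}

// Stand-alone run: every entry in the first object should be true, and the
// second should report found=true with calls [1, 2].
console.log(JSON.stringify(checkRejectsNonCallable()));
console.log(JSON.stringify(checkAcceptsCallableProxy()));
```

Each rejected value is reported separately so that a failure names the input that misbehaved, which is what a fuzz-derived regression test should do: the original crash depended on the particular object passed as the callback, not on the array contents.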
(Reporter)

Comment 1

6 years ago
Till, looks like another one caused by a landing you made.
Crash Signature: [@ strlen] [@ js_ExpandErrorArguments] → [@ strlen] [@ js_ExpandErrorArguments]
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision dd68409d7810).
(Reporter)

Comment 3

6 years ago
Bug 784294 was backed out in https://hg.mozilla.org/mozilla-central/rev/dd68409d7810 - "fixing" this.

Till, please add this testcase to future revised patches.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
I think we can make this public, as the causing code never made a Nightly.
(Reporter)

Updated

6 years ago
Group: core-security

Updated

6 years ago
status-firefox19: affected → ---
tracking-firefox19: ? → ---
Target Milestone: --- → mozilla19
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+