Closed Bug 811612 Opened 10 years ago Closed 10 years ago

Crash [@ strlen] or [@ js_ExpandErrorArguments]

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla19
Tracking Status
firefox16 --- unaffected
firefox17 --- unaffected
firefox18 --- unaffected
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: gkw, Unassigned)

Details

(5 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])

Attachments

(1 file)

Attached file stack
evaluate({
    e: [].some(Proxy.create(function() {}), "")
})

crashes js debug and opt shell on m-c changeset 4e9567eeb09e without any CLI arguments at strlen with js_ExpandErrorArguments on the stack.

s-s due to its simplicity to be safe, even though it seems to be a null deref. Setting fuzzblocker because this is blowing up the fuzzers.

See bug 811606.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   113105:3da143341145
user:        Till Schneidereit
date:        Tue Aug 28 14:35:15 2012 +0200
summary:     Bug 784294 - Convert some array extras to self-hosted js implementations. r=Waldo
Till, looks like another one caused by a landing you made.
Crash Signature: [@ strlen] [@ js_ExpandErrorArguments] → [@ strlen] [@ js_ExpandErrorArguments]
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision dd68409d7810).
Bug 784294 was backed out in https://hg.mozilla.org/mozilla-central/rev/dd68409d7810 - "fixing" this.

Till, please add this testcase to future revised patches.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
I think we can make this public, as the causing code never made a Nightly.
Group: core-security
Target Milestone: --- → mozilla19
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+