Closed
Bug 830063
Opened 11 years ago
Closed 11 years ago
Browser crashed on looping when jit is on and table length specified externally
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: RESOLVED WORKSFORME

| Branch | Tracking | Status |
|---|---|---|
| firefox18 | --- | wontfix |
| firefox19 | --- | affected |
| firefox20 | --- | unaffected |
| firefox21 | --- | unaffected |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: nicecherub, Unassigned)
References
Details (4 keywords)
Crash Data
Attachments (1 file): 365.40 KB, text/html
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11

Steps to reproduce:

Caution: running the attachment and pressing the Simulate button at the bottom will crash your browser.

1. Ensure jit is on:
   javascript.options.methodjit.chrome = true
   javascript.options.methodjit.content = true
2. Open the attachment.
3. Press the "Simulate" button at the bottom.
4. Browser crashes on line 1161.

Actual results: Browser crash

Expected results: No crash should happen.
Reporter, updated 11 years ago:
Severity: normal → critical

Reporter, updated 11 years ago:
Component: Untriaged → Webapp Runtime
Summary: loop crash the browser when jit is on → Browser creashed on looping when jit is on and table length specified externally

Updated 11 years ago:
Component: Webapp Runtime → Untriaged

Reporter, updated 11 years ago:
Summary: Browser creashed on looping when jit is on and table length specified externally → Browser crashed on looping when jit is on and table length specified externally

Updated 11 years ago:
Assignee: nobody → general
Component: Untriaged → JavaScript Engine
Product: Firefox → Core

Updated 11 years ago:
Attachment #701538 - Attachment mime type: text/plain → text/html
Comment 1 • 11 years ago
Worksforme on trunk; need to retest on 19...
Updated 11 years ago:
Flags: sec-review?

Updated 11 years ago:
Flags: sec-review? → sec-bounty?
Comment 3 • 11 years ago
Crashes 18.0.1 release and 19.0b3, but not today's m-c or Aurora.
Flags: needinfo?(mwobensmith)
Updated 11 years ago:
Status: UNCONFIRMED → NEW
status-firefox18: --- → wontfix
status-firefox19: --- → affected
status-firefox20: --- → unaffected
status-firefox21: --- → unaffected
Ever confirmed: true
Comment 4 • 11 years ago
This does not happen in Firefox 17.0.2 (ESR), appears to be part of IonMonkey which landed in Firefox 18. bp-958e240a-b99a-4b75-8b7f-9fe102130130 Looks like a non-scary null deref. Fixed in Fx20, probably not worth tracking down the fix to get it into 19. The B2G branch has ion turned off so it shouldn't affect them, either.
Crash Signature: [@ js::ion::MNode::replaceOperand(unsigned int, js::ion::MDefinition*) ]
status-b2g18: --- → unaffected
status-firefox-esr17: --- → unaffected
Version: 19 Branch → 18 Branch
Updated 11 years ago:
Group: core-security
Comment 5 • 11 years ago
Fixed window (m-c)
Crash: http://hg.mozilla.org/mozilla-central/rev/0d373cf880fd
  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20.0 Firefox/20.0 ID:20121123131117
Fixed: http://hg.mozilla.org/mozilla-central/rev/d7841347b558
  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20.0 Firefox/20.0 ID:20121124051005
Fixed pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0d373cf880fd&tochange=d7841347b558

Fixed window (m-i)
Crash: http://hg.mozilla.org/integration/mozilla-inbound/rev/f83d737c58d5
  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20.0 Firefox/20.0 ID:20121123165405
Fixed: http://hg.mozilla.org/integration/mozilla-inbound/rev/d7841347b558
  Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20.0 Firefox/20.0 ID:20121123232606
Fixed pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f83d737c58d5&tochange=d7841347b558

I guess bug 766592 fixes the crash.
Updated 11 years ago:
Status: NEW → RESOLVED
Closed: 11 years ago
Depends on: 766592
Flags: sec-bounty? → sec-bounty-
Keywords: csec-nullptr
Resolution: --- → WORKSFORME
Comment 7 • 11 years ago
Does not appear exploitable, and was fixed by ongoing work therefore not eligible for a bug bounty