Closed Bug 830063 Opened 7 years ago Closed 7 years ago

Browser crashed on looping when jit is on and table length specified externally

Categories

(Core :: JavaScript Engine, defect, critical)

18 Branch
x86_64
Windows 7
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox18 --- wontfix
firefox19 --- affected
firefox20 --- unaffected
firefox21 --- unaffected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: nicecherub, Unassigned)

References

Details

(4 keywords)

Crash Data

Attachments

(1 file)

Attached file crash.html
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11

Steps to reproduce:

Caution: running the attachment and press the simulate button at bottom will crash your browse.

1. Ensure jit is on
javascript.options.methodjit.chrome = true
javascript.options.methodjit.content = true

2. Open the attachment
3 [review]. Press the "Simulate" button at the bottom
4. Browser crash on line 1161


Actual results:

Browser crash


Expected results:

No crash should happens
Severity: normal → critical
Component: Untriaged → Webapp Runtime
Summary: loop crash the browser when jit is on → Browser creashed on looping when jit is on and table length specified externally
Component: Webapp Runtime → Untriaged
Summary: Browser creashed on looping when jit is on and table length specified externally → Browser crashed on looping when jit is on and table length specified externally
Assignee: nobody → general
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Attachment #701538 - Attachment mime type: text/plain → text/html
Worksforme on trunk; need to retest on 19...
Flags: sec-review? → sec-bounty?
Matt, can you confirm this for QA?
Flags: needinfo?(mwobensmith)
Crashes 18.0.1 release and 19.0b3, but not today's m-c or Aurora.
Flags: needinfo?(mwobensmith)
Status: UNCONFIRMED → NEW
Ever confirmed: true
This does not happen in Firefox 17.0.2 (ESR), appears to be part of IonMonkey which landed in Firefox 18.

bp-958e240a-b99a-4b75-8b7f-9fe102130130

Looks like a non-scary null deref. Fixed in Fx20, probably not worth tracking down the fix to get it into 19. The B2G branch has ion turned off so it shouldn't affect them, either.
Crash Signature: [@ js::ion::MNode::replaceOperand(unsigned int, js::ion::MDefinition*) ]
Version: 19 Branch → 18 Branch
Group: core-security
Fixed window(m-c)
Crash:
http://hg.mozilla.org/mozilla-central/rev/0d373cf880fd
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20.0 Firefox/20.0 ID:20121123131117
Fixed:
http://hg.mozilla.org/mozilla-central/rev/d7841347b558
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20.0 Firefox/20.0 ID:20121124051005
Fixed pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0d373cf880fd&tochange=d7841347b558


Fixed window(m-i)
Crash:
http://hg.mozilla.org/integration/mozilla-inbound/rev/f83d737c58d5
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20.0 Firefox/20.0 ID:20121123165405
Fixed:
http://hg.mozilla.org/integration/mozilla-inbound/rev/d7841347b558
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20.0 Firefox/20.0 ID:20121123232606
Fixed pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f83d737c58d5&tochange=d7841347b558

I guess  bug 766592 fix the crash
Duplicate of this bug: 840077
Status: NEW → RESOLVED
Closed: 7 years ago
Depends on: 766592
Flags: sec-bounty? → sec-bounty-
Keywords: csec-nullptr
Resolution: --- → WORKSFORME
Does not appear exploitable, and was fixed by ongoing work therefore not eligible for a bug bounty
You need to log in before you can comment on or make changes to this bug.