Closed Bug 871294 Opened 12 years ago Closed 12 years ago

Crash in mozjs!JS_HasPropertyById

Categories

(Core :: DOM: Core & HTML, defect)

23 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 871849
Tracking Status
firefox22 --- unaffected
firefox23 + fixed
firefox24 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: nils, Assigned: peterv)

References

Details

(4 keywords, Whiteboard: [adv-main23-])

Attachments

(3 files)

The attached test case crashes Firefox dereferencing unmapped memory. The testcase requires Jesse's quitter extension for garbage collection (http://www.squarefree.com/extensions/quitter.xpi).
Attachment #748562 - Attachment mime type: text/plain → text/html
Attached file Windbg output
Attached file gdb output
Looks a lot like bug 869027? This sure looks like issues with the HTMLDocument expando object.
Assignee: general → nobody
Blocks: 869027
Component: JavaScript Engine → DOM
Depends on: 871849
Matt: please try Fx22 (Beta) to see if it suffers this problem also. If it does please try the ESR branch as well.
Flags: needinfo?(mwobensmith)
Does not affect FF22 or FF17esr.
Flags: needinfo?(mwobensmith)
Peter, could you look at this, because you are looking at a bunch of similar bugs? Thanks.
Assignee: nobody → peterv
(In reply to Boris Zbarsky (:bz) from comment #3)
> Looks a lot like bug 869027?

Probably. That doesn't have a testcase, so this one got fixed in bug 871849. But normally that fix should also fix bug 869027.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
For bounty purposes, FWIW, this was filed a day before the bug it is duped to (which was internally reported).
(In reply to Andrew McCreight [:mccr8] from comment #8)
> For bounty purposes, FWIW, this was filed a day before the bug it is duped
> to (which was internally reported).

Right. Bug 869027 was filed even earlier and turned out to be the exact same problem, but it didn't have a testcase.
Flags: sec-bounty? → sec-bounty-
Whiteboard: [adv-main23-]
Group: core-security
Comment 8 is private: false
Comment 9 is private: false
Component: DOM → DOM: Core & HTML