Bug 893684 - OdinMonkey: Assertion failure: (size_t) (dst - src) >= len, at jsutil.h
Status: Closed, RESOLVED FIXED (opened 12 years ago, closed 12 years ago)
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla25
| Branch | Tracking | Status |
|---|---|---|
| firefox22 | --- | wontfix |
| firefox23 | + | fixed |
| firefox24 | + | fixed |
| firefox25 | + | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People: Reporter: gkw, Assigned: luke
Details: 5 keywords; Whiteboard: [jsbugmon:][adv-main23+] fixed on trunk in bug 880538
Attachments (2 files):
- 5.88 KB, text/plain
- 1020 bytes, patch; flags: bbouvier: review+, lsblakk: approval-mozilla-aurora+, lsblakk: approval-mozilla-beta+
evaluate("\
valueOf = (function() {\
\"use asm\";\
function f() {}\
return f\
});\
this + ''\
", {
fileName: '',
})
this + ''
asserts js debug shell on m-c changeset 3433a021847b without any CLI arguments intermittently (but fairly reliably) at Assertion failure: (size_t) (dst - src) >= len, at jsutil.h
Locking s-s because previously-found similar assertion bug 855442 was also s-s.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/b674f0e40c8e
user: Brian Hackett
date: Wed Jul 10 09:29:52 2013 -0600
summary: Bug 885758 - Add ExclusiveContext for use by threads with exclusive access to their compartment, r=billm.
Brian, is bug 885758 a likely regressor?
Flags: needinfo?(bhackett1024)
Updated • 12 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 1 • 12 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 4 (Assignee) • 12 years ago
The problem here is PostFailureLinkInfo stores a copy of the CompileOptions which stores a (dangling) pointer to filename (I should have caught this in review). The patches in bug 880538 stop doing this and reconstruct the CompileOptions using the filename stored in ScriptSource. That should be getting landed soon, so I'll wait until that and we can verify this problem is fixed.
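The lifetime hazard described in comment 4, modelled as an added C++ example (this is not SpiderMonkey code; the real PostFailureLinkInfo, CompileOptions and ScriptSource are only mirrored by the hypothetical CompileOptionsModel, LinkInfoUnsafe and LinkInfoSafe types). The unsafe struct copies options that hold a borrowed filename pointer and so outlives the caller's buffer; the safe struct keeps an owned copy of the filename and rebuilds the options from it, which is the direction the fix takes.

```cpp
// Added example modelling the bug in comment 4; names are hypothetical,
// not SpiderMonkey's own.
#include <memory>
#include <string>
#include <vector>

// Short-lived, caller-owned options: the filename is borrowed, not owned.
struct CompileOptionsModel {
    const char* filename;   // points into memory the caller controls
    unsigned lineno;
};

// Unsafe pattern: a longer-lived record that shallow-copies the options.
// The copy carries the raw pointer, so once the caller's buffer is freed the
// record holds a dangling pointer (the csec-uaf class on this bug).
struct LinkInfoUnsafe {
    CompileOptionsModel options;
};

// Safe pattern: store an owned copy of the filename and reconstruct the
// options on demand, so the record never depends on caller-owned memory.
struct LinkInfoSafe {
    std::string filename;   // owned copy
    unsigned lineno;

    explicit LinkInfoSafe(const CompileOptionsModel& o)
        : filename(o.filename ? o.filename : ""), lineno(o.lineno) {}

    // Rebuilt options point at our own string, valid as long as *this lives.
    CompileOptionsModel rebuildOptions() const {
        return CompileOptionsModel{filename.c_str(), lineno};
    }
};

// Simulates: a compile attempt records link info for a later retry, then the
// caller's filename buffer goes out of scope before the retry happens.
std::string retryWithSafeInfo() {
    std::unique_ptr<LinkInfoSafe> saved;
    {
        // Constructed caller-owned buffer standing in for the script filename.
        std::vector<char> buf = {'t', 'e', 's', 't', '.', 'j', 's', '\0'};
        CompileOptionsModel opts{buf.data(), 1};
        saved = std::make_unique<LinkInfoSafe>(opts);
    }   // buf is destroyed here
    CompileOptionsModel rebuilt = saved->rebuildOptions();
    return std::string(rebuilt.filename);   // backed by the owned string
}

// Same flow with the unsafe record, but the hazard is only detected, never
// exercised: returns true when the saved pointer still aliases the caller's
// buffer, i.e. the pointer has escaped into a longer-lived object.
bool unsafeInfoAliasesCallerBuffer() {
    std::vector<char> buf = {'t', 'e', 's', 't', '.', 'j', 's', '\0'};
    CompileOptionsModel opts{buf.data(), 1};
    LinkInfoUnsafe saved{opts};
    return saved.options.filename == buf.data();
}
```

Dereferencing the unsafe record's pointer after the buffer is freed is undefined behaviour, which is what AddressSanitizer reports as a heap-use-after-free at runtime; the example only checks for the aliasing that makes such a dereference possible.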
Comment 5 (Assignee) • 12 years ago
Actually the fix is super-trivial, no need to wait for the bigger patch. I'd like to wait to land the testcase until the fix is in release, though, since this is pretty exploitable.
Updated (Assignee) • 12 years ago
Attachment #776120 - Flags: review? → review?(bbouvier)
Updated • 12 years ago
status-b2g18: --- → unaffected
status-firefox22: --- → wontfix
status-firefox23: --- → affected
status-firefox24: --- → affected
status-firefox25: --- → affected
status-firefox-esr17: --- → unaffected
tracking-firefox23: --- → ?
tracking-firefox24: --- → ?
tracking-firefox25: --- → ?
Keywords: csec-uaf, sec-critical
Comment 6 • 12 years ago
Comment on attachment 776120 [details] [diff] [review]
fix
Review of attachment 776120 [details] [diff] [review]:
-----------------------------------------------------------------
Love it when patches are simple like that.
Attachment #776120 - Flags: review?(bbouvier) → review+
Comment 8 (Reporter) • 12 years ago
Bug 880538 just landed on inbound - is this patch still needed?
Flags: needinfo?(luke)
Comment 10 • 12 years ago
What does that mean for 23/24? Will we want this as a smaller, lower risk fix on those branches?
Comment 11 (Assignee) • 12 years ago
We could, if you think it is a good idea. (It having not been discovered externally yet, I was thinking landing the smaller fix only drew attention.)
Updated (Reporter) • 12 years ago
Flags: needinfo?(luke)
Updated • 12 years ago
Depends on: 880538
Whiteboard: [jsbugmon:] → [jsbugmon:] fixed on trunk in bug 880538
Comment 13 (Assignee) • 12 years ago
Comment on attachment 776120 [details] [diff] [review]
fix
[Approval Request Comment]
Bug caused by (feature/regressing bug #): 851421
User impact if declined: exploitable bug
Testing completed (on m-c, etc.): a bigger version of this patch is on m-c
Risk to taking this patch (and alternatives if risky): low
Attachment #776120 - Flags: approval-mozilla-beta?
Attachment #776120 - Flags: approval-mozilla-aurora?
Updated (Assignee) • 12 years ago
Flags: needinfo?(luke)
Updated • 12 years ago
Attachment #776120 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #776120 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated (Reporter) • 12 years ago
Keywords: checkin-needed
Comment 14 (Reporter) • 12 years ago
(Please land the patch only on Aurora and Beta, thanks!)
Comment 15 • 12 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/b3aa850f03fc
https://hg.mozilla.org/releases/mozilla-beta/rev/aa1e0d96de39
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Updated • 12 years ago
Whiteboard: [jsbugmon:] fixed on trunk in bug 880538 → [jsbugmon:][adv-main23+] fixed on trunk in bug 880538
Updated • 11 years ago
Group: core-security