Bug 1053683 - Crash [@ js::irregexp::ActionNode::FillInBMInfo]
Status: Closed, RESOLVED FIXED (target milestone mozilla34)
Opened 10 years ago; closed 10 years ago
Categories: Core :: JavaScript Engine, defect
Tracking

Branch | Tracking | Status
---|---|---
firefox31 | --- | unaffected
firefox32 | --- | fixed
firefox33 | --- | fixed
firefox34 | --- | fixed
firefox-esr24 | --- | unaffected
firefox-esr31 | --- | unaffected
b2g-v1.4 | --- | unaffected
b2g-v2.0 | --- | fixed
b2g-v2.1 | --- | fixed
People: Reporter gkw, Assignee bhackett1024
Keywords: crash, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments (2 files):
- (deleted), text/plain
- (deleted), patch: jandem: review+; abillings: approval-mozilla-aurora+; abillings: approval-mozilla-beta+
Description (Reporter, gkw):
RegExp("(||(w{2147483648}){4})*1").test() crashes js debug and opt shells on m-c changeset d7e78f0c1465 with --ion-eager --ion-offthread-compile=off --no-threads at js::irregexp::ActionNode::FillInBMInfo.
My configure flags are: (debug)
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-nspr-build
Opt:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --disable-debug --enable-optimize --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-nspr-build
Guessing this is related to irregexp, so setting needinfo? from Brian. Setting s-s and guessing sec-high as a start.
Flags: needinfo?(bhackett1024)
Updated (Reporter), 10 years ago:
status-firefox34: --- → affected

Comment 1 (Assignee), 10 years ago:
This is a simple overrecursion --- FillInBMInfo implementations freely recurse into each other with no stack checks. I'm not sure how v8 avoids the need for overrecursion checks in this case, but it seems better to make these checks explicit.
Assignee: nobody → bhackett1024
Attachment #8473111 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
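The failure mode in comment 1 is a recursive analysis pass that walks a node graph with no bound on depth, so a pathological pattern turns into a native stack overflow. The following is an added illustration written for this page, not the irregexp patch or any Mozilla code: a toy node graph (the `Node`, `Graph`, `walk` and `analyzeChain` names are invented here) walked by a recursive pass that carries an explicit recursion budget and unwinds with a recoverable `TooDeep` result once that budget is spent. Nodes live in a flat arena and refer to each other by index so that building or destroying a very deep graph does not itself recurse, which is the other place a naive tree representation would blow the stack.

```cpp
#include <cstddef>
#include <vector>

// Toy stand-in for a regexp node graph. The types and names here are
// constructed for this example; they are not irregexp's ActionNode/RegExpNode.
struct Node {
    std::vector<size_t> children;  // indices into Graph::nodes
    bool visited = false;
};

// Flat arena: nodes reference each other by index, so constructing and
// destroying a graph a million nodes deep never recurses on its own.
struct Graph {
    std::vector<Node> nodes;
    size_t add() { nodes.push_back(Node{}); return nodes.size() - 1; }
    void link(size_t parent, size_t child) { nodes[parent].children.push_back(child); }
};

enum class WalkResult { Ok, TooDeep };

// Recursive analysis pass in the shape of a FillInBMInfo-style walk.
// `budget` is the explicit over-recursion check: every level consumes one
// unit, and when it reaches zero the walk unwinds with TooDeep instead of
// letting the native stack overflow on a deeply nested pattern.
static WalkResult walk(Graph& g, size_t idx, unsigned budget) {
    if (budget == 0)
        return WalkResult::TooDeep;
    Node& n = g.nodes[idx];
    if (n.visited)             // loops in the graph terminate here
        return WalkResult::Ok;
    n.visited = true;
    for (size_t child : n.children) {
        WalkResult r = walk(g, child, budget - 1);
        if (r != WalkResult::Ok)
            return r;          // propagate the failure; never recurse past it
    }
    return WalkResult::Ok;
}

// Builds a chain of `length` nodes, each the sole child of the previous one,
// mimicking the depth produced by deeply nested quantifiers in a pattern.
static Graph makeChain(size_t length) {
    Graph g;
    size_t prev = g.add();
    for (size_t i = 1; i < length; ++i) {
        size_t cur = g.add();
        g.link(prev, cur);
        prev = cur;
    }
    return g;
}

// Returns true when analysing a chain of `length` nodes completes within
// `limit` levels of recursion, false when the explicit check fires.
bool analyzeChain(size_t length, unsigned limit) {
    Graph g = makeChain(length);
    return walk(g, 0, limit) == WalkResult::Ok;
}

int main() {
    // Shallow graph completes; the deep one trips the budget at 1000 levels
    // and the caller gets a clean failure rather than a crash.
    bool shallow = analyzeChain(100, 1000);
    bool deep = analyzeChain(100000, 1000);
    return (shallow && !deep) ? 0 : 1;
}
```

Without the `budget == 0` check, `analyzeChain(100000, ...)` would recurse a hundred thousand frames deep and segfault, which is the same class of crash the testcase in this bug triggers. A fixed depth budget is the simplest form of the check; an engine may instead compare the current stack pointer against a per-thread limit, but either way the walk must turn "too deep" into an error the caller can handle rather than an uncaught fault.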
Updated, 10 years ago:
Attachment #8473111 - Flags: review?(jdemooij) → review+

Updated (Reporter), 10 years ago:
Crash Signature: [@ js::irregexp::ActionNode::FillInBMInfo]

Comment 2 (Assignee), 10 years ago:
Comment on attachment 8473111 [details] [diff] [review]
patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not exploitable --- overrecursion crash.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
The problem is kind of obvious from the patch.
Which older supported branches are affected by this flaw?
32+
If not all supported branches, which bug introduced the flaw?
bug 976446
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
trivial
How likely is this patch to cause regressions; how much testing does it need?
none
Approval Request Comment
[Feature/regressing bug #]: bug 976446
[User impact if declined]: potential non-exploitable crash
[Describe test coverage new/current, TBPL]: none
[Risks and why]: none
Attachment #8473111 - Flags: sec-approval?
Attachment #8473111 - Flags: approval-mozilla-beta?
Attachment #8473111 - Flags: approval-mozilla-aurora?
Updated, 10 years ago:
Attachment #8473111 - Flags: sec-approval?

Updated, 10 years ago:
status-firefox31: --- → unaffected
status-firefox32: --- → affected
status-firefox33: --- → affected
status-firefox-esr24: --- → unaffected
status-firefox-esr31: --- → unaffected

Updated, 10 years ago:
Attachment #8473111 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8473111 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Comment 3, 10 years ago:

Comment 4, 10 years ago:
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34

Comment 5, 10 years ago:
https://hg.mozilla.org/releases/mozilla-aurora/rev/afbb49c2e22c
https://hg.mozilla.org/releases/mozilla-beta/rev/c6e134b4ed52
Comment 6, 10 years ago:
Flags: qe-verify-