Bug 567580 (Closed)
Opened 14 years ago; closed 14 years ago

TM: Crash [@ JSObject::getClass] or [@ js::TraceRecorder::record_JSOP_BINDNAME] with Proxy.createFunction

Categories: Core :: JavaScript Engine, defect, P2
Status: RESOLVED FIXED

Tracking | Status
---|---
blocking2.0 | betaN+
blocking1.9.2 | -
status1.9.2 | wanted
blocking1.9.1 | -
status1.9.1 | unaffected

People: Reporter: gkw, Assigned: gal
Keywords: crash, regression, testcase
Whiteboard: [ccbr][sg:dos], fixed-in-tracemonkey
Attachments (1 file): patch (deleted), review+ from brendan
Description (Reporter gkw, 14 years ago)

y = Proxy.createFunction((function() { return {}; })(), /a/gi)
__proto__ = y;
(function() { (eval("\
(function() {\
for (var x = 0; x < 20; ++x) {\
if (x % 5 == 0) {\" \"} \
else { \
for (xr = 0; 3; ) {} \
}\
}\
})\
"))() })()

crashes js debug shell on TM tip with -j at JSObject::getClass and crashes js opt shell on TM tip with -j at js::TraceRecorder::record_JSOP_BINDNAME.

Assuming related to harmony:proxies. Also this seems to be a null crash and assuming [sg:dos] but locking s-s just in case.

Console stdout:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
0x00079e29 in JSObject::getClass (this=0x0) at jsobj.h:266
266         return (JSClass *) (classword & ~JSSLOT_CLASS_MASK_BITS);
(gdb) bt
#0  0x00079e29 in JSObject::getClass (this=0x0) at jsobj.h:266
#1  0x0018b986 in js::TraceRecorder::record_JSOP_BINDNAME (this=0x868200) at ../jstracer.cpp:13949
#2  0x00199f1e in js::TraceRecorder::monitorRecording (this=0x868200, op=JSOP_BINDNAME) at jsopcode.tbl:274
#3  0x0008221e in js_Interpret (cx=0x809200) at jsops.cpp:78
#4  0x000a8576 in js_Execute (cx=0x809200, chain=0x1002000, script=0x40cca0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:837
#5  0x00012384 in JS_ExecuteScript (cx=0x809200, obj=0x1002000, script=0x40cca0, rval=0x0) at ../jsapi.cpp:4827
#6  0x0000a863 in Process (cx=0x809200, obj=0x1002000, filename=0xbffff9c5 "720-interesting.js", forceTTY=0) at ../../shell/js.cpp:422
#7  0x0000b5a5 in ProcessArgs (cx=0x809200, obj=0x1002000, argv=0xbffff8d8, argc=2) at ../../shell/js.cpp:836
#8  0x0000b75a in main (argc=2, argv=0xbffff8d8, envp=0xbffff8e4) at ../../shell/js.cpp:5077
(gdb) x/i $eip
0x79e29 <_ZNK8JSObject8getClassEv+9>:   mov    0x4(%eax),%eax
(gdb) x/b $eax
0x0:    Cannot access memory at address 0x0
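The following is an added illustration of what the testcase above exercises; it is not code from this bug, from the reporter, or from SpiderMonkey. The testcase does two things: it installs a proxy function as the global object's prototype (`__proto__ = y`), then assigns to an undeclared name (`xr = 0`) inside a loop. That assignment begins with JSOP_BINDNAME, which must find the object the name binds to: per the ECMAScript spec the lookup reaches the global object and checks HasProperty on it, which walks the global's prototype chain, and in the testcase that walk lands on a proxy instead of a plain native object. Assumptions in the example: Proxy.createFunction (harmony:proxies) no longer exists, so an ES2015 Proxy around a function stands in for it; `new Function` stands in for the eval'd function because it always compiles sloppy-mode code in the global scope; whether an engine actually consults the `has` trap for a sloppy-mode store is not asserted on, only the `set` trap is. All identifiers in the block are mine.

```javascript
// Added example for bug 567580, not code from the bug report or SpiderMonkey.
// Shows an undeclared-name assignment resolving through a proxy that sits on
// the global object's prototype chain, the situation the testcase creates.

function runUndeclaredAssignmentThroughProxy() {
  const hasLookups = [];   // names the engine asked the proxy about (informational)
  const trappedSets = [];  // stores that reached the proxy's set trap

  // ES2015 Proxy around a function, standing in for Proxy.createFunction.
  const proxyProto = new Proxy(function () {}, {
    // Binding lookup: "does anything on the chain have `xr`?" Claim it, and
    // never hide a property the target really has (proxy invariant).
    has(target, key) {
      if (typeof key === 'string') hasLookups.push(key);
      return key === 'xr' || Reflect.has(target, key);
    },
    // The store itself. The global object has no own `xr` yet, so its
    // [[Set]] falls through to its prototype, i.e. to this trap, with the
    // global object as receiver. Forwarding via Reflect.set with that
    // receiver creates `xr` as an own property of the global object, so
    // later iterations hit the own property and never reach the proxy.
    set(target, key, value, receiver) {
      trappedSets.push({ key: String(key), value });
      return Reflect.set(target, key, value, receiver);
    },
  });

  const originalProto = Object.getPrototypeOf(globalThis);
  Object.setPrototypeOf(globalThis, proxyProto);   // the testcase's `__proto__ = y`
  try {
    // Sloppy-mode code in global scope, like the eval'd function in the
    // testcase: `xr = x` is an undeclared-name assignment, not a ReferenceError.
    const hot = new Function('for (var x = 0; x < 20; ++x) { xr = x; }');
    hot();
    return { hasLookups, trappedSets, finalValue: globalThis.xr };
  } finally {
    // Restore the global object: while a proxy sits on its prototype chain,
    // every unresolved name lookup in the process goes through the traps.
    Object.setPrototypeOf(globalThis, originalProto);
    delete globalThis.xr;
  }
}
```

Run under node. Only the first store reaches the proxy; after it, `xr` is an ordinary global property and the remaining 19 iterations write to it directly. The crash in this bug is in the recorder's handling of the lookup step (record_JSOP_BINDNAME), before any store happens.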
Updated (Reporter, 14 years ago)
Summary: TM: Crash [@ JSObject::getClass] or [@ js::TraceRecorder::record_JSOP_BINDNAME] → TM: Crash [@ JSObject::getClass] or [@ js::TraceRecorder::record_JSOP_BINDNAME] with Proxy.createFunction
Comment 1 (Assignee, 14 years ago)

Confirm that this is a safe NULL crash (DoS), not exploitable.
Comment 2 (Assignee, 14 years ago)

Drivers: very old bug, affects all branches. Probably very hard to trigger in 1.9.1 and 1.9.2 (the above test case only works with trunk; it uses a feature that is not in 1.9.1 and 1.9.2). Not exploitable, but a guaranteed crash.

blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Comment 3 (Assignee, 14 years ago)

Assignee: general → gal
Attachment #446907 - Flags: review?(brendan)
Updated (Assignee, 14 years ago)

Severity: critical → major
OS: Mac OS X → All
Priority: -- → P2
Hardware: x86 → All
Comment 4 (14 years ago)

Comment on attachment 446907 [details] [diff] [review] patch

Not in 1.9.1 -- this code involving js_FindIdentifierBase (not called in jstracer.cpp before this changeset: 080548cb428d) was for bug 510642.

/be

Attachment #446907 - Flags: review?(brendan) → review+
Comment 5 (Assignee, 14 years ago)

http://hg.mozilla.org/tracemonkey/rev/3c0e96b610a2

Whiteboard: [ccbr][sg:dos] → [ccbr][sg:dos], fixed-in-tracemonkey
Comment 6 (14 years ago)

http://hg.mozilla.org/mozilla-central/rev/3c0e96b610a2

Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated (14 years ago)
blocking2.0: ? → betaN+
Updated (13 years ago)
Crash Signature: [@ JSObject::getClass] [@ js::TraceRecorder::record_JSOP_BINDNAME]
Updated (9 years ago)
Group: core-security