Bug 637010 - Crash [@ js_IteratorMore]
Status: Closed (opened 14 years ago, closed 14 years ago)
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla5
Flag | Tracking | Status
---|---|---
firefox5 | --- | fixed
blocking2.0 | --- | -
status1.9.2 | --- | unaffected
status1.9.1 | --- | unaffected
People
(Reporter: decoder, Assigned: gal)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:dos] fixed-in-tracemonkey)
Crash Data
Attachments (1 file): patch (deleted) - dvander: review+
The following code crashes on TM tip (without any options even):
var o0 = Iterator.prototype;            // the prototype object itself, not an iterator instance
function f0(o) {                        // unused; left over from fuzzer generation
}
for (var i = 0; i < 7; i++) {
  try { o0.prototype(); } catch (e) {   // o0.prototype is undefined, so this call always throws
    if (o0.next() != 7)                 // native next() invoked on the bare prototype: crashes
      throw "7 not yielded";
  };
}
This looks like a null pointer dereference to me:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f8ffa2dc720 (LWP 5590)]
0x00000000004d983c in js_IteratorMore (cx=0x143f530, iterobj=0x7f8ff8c03288, rval=0x7f8ff8d8a0a8) at jsiter.cpp:940
940 bool more = ni->props_cursor < ni->props_end;
(gdb) bt
#0 0x00000000004d983c in js_IteratorMore (cx=0x143f530, iterobj=0x7f8ff8c03288, rval=0x7f8ff8d8a0a8) at jsiter.cpp:940
#1 0x00000000004d94f4 in iterator_next (cx=0x143f530, argc=0, vp=0x7f8ff8d8a0a8) at jsiter.cpp:717
#2 0x00000000004d4d72 in js::CallJSNative (cx=0x143f530, native=0x4d9464 <iterator_next>, argc=0, vp=0x7f8ff8d8a0a8) at jscntxtinlines.h:701
#3 0x00000000006f971d in js::Interpret (cx=0x143f530, entryFrame=0x7f8ff8d8a048, inlineCallCount=0, interpMode=JSINTERP_NORMAL) at jsinterp.cpp:4781
#4 0x00000000004d0dc2 in js::RunScript (cx=0x143f530, script=0x14a6020, fp=0x7f8ff8d8a048) at jsinterp.cpp:650
#5 0x00000000004d21eb in js::Execute (cx=0x143f530, chain=0x7f8ff8c03048, script=0x14a6020, prev=0x0, flags=0, result=0x0) at jsinterp.cpp:1011
#6 0x000000000043141e in JS_ExecuteScript (cx=0x143f530, obj=0x7f8ff8c03048, script=0x14a6020, rval=0x0) at jsapi.cpp:4929
#7 0x0000000000405723 in Process (cx=0x143f530, obj=0x7f8ff8c03048, filename=0x7fffc7876316 "min.js", forceTTY=0) at js.cpp:452
#8 0x0000000000406665 in ProcessArgs (cx=0x143f530, obj=0x7f8ff8c03048, argv=0x7fffc7875c10, argc=1) at js.cpp:944
#9 0x0000000000410a40 in Shell (cx=0x143f530, argc=1, argv=0x7fffc7875c10, envp=0x7fffc7875c20) at js.cpp:5711
#10 0x0000000000410c06 in main (argc=1, argv=0x7fffc7875c10, envp=0x7fffc7875c20) at js.cpp:5819
(gdb) print ni
$1 = (class js::NativeIterator *) 0x0
Locking this anyways, unlock if confirmed to be harmless.
Comment 1 (Reporter)•14 years ago
Forgot: Found through combined fuzzing (jandem's method fuzzer + LangFuzz)
Comment 2•14 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 42641:b15fd8b568e4
user: Andreas Gal
date: Fri May 07 17:52:52 2010 -0700
summary: fast object iteration (558754, r=brendan, CLOSED TREE).
Updated•14 years ago
blocking2.0: ? → ---
Hardware: All → x86_64
Summary: Crash in js_IteratorMore → Crash [@ js_IteratorMore]
Updated•14 years ago
blocking2.0: --- → ?
Hardware: x86_64 → All
Comment 3•14 years ago
I reduced this (to see how my fuzzer can generate this):
Iterator.prototype.next();
iterobj->getNativeIterator() in js_IteratorMore returns NULL in this case.
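As an added example (not from this bug, from the fuzzers named in comment 1, or from SpiderMonkey itself), the following JavaScript harness generalizes the reduced testcase above. It calls every own method of a set of built-in prototypes with the prototype object itself, and with an ordinary object that merely inherits from it, as `this`, and lists the calls that do not end in a TypeError. The list of built-ins and the two receiver shapes are assumptions chosen for the demo; it runs under Node or any ES2015+ shell. The rule it encodes is the one this bug illustrates: a native method reached through a receiver that carries no internal slot (here, no NativeIterator) must throw, never dereference.

```javascript
// Added example, not part of bug 637010 or of SpiderMonkey: a minimal
// "method fuzzer" in the spirit of the one credited in comment 1.
// Pattern under test: invoke a native method with a receiver that has the
// right prototype but no internal slot, exactly as Iterator.prototype.next()
// does. A correct engine rejects that with a TypeError.

// Assumption: these built-ins exist in the engine under test (ES2015+).
const DEFAULT_BUILTINS = ["Map", "Set", "WeakMap", "WeakSet", "Promise",
                          "ArrayBuffer", "DataView", "RegExp", "Date"];

// Two receiver shapes that look like an instance but carry no internal slot.
function slotlessReceivers(proto) {
  return [
    { label: "prototype itself", value: proto },
    { label: "Object.create(prototype)", value: Object.create(proto) },
  ];
}

function classify(err) {
  return err instanceof TypeError ? "TypeError" : `other:${err && err.name}`;
}

// Calls every own function-valued property of <Ctor>.prototype with each
// slotless receiver as `this` and no arguments; records the outcome.
function probePrototypeMethods(names = DEFAULT_BUILTINS, scope = globalThis) {
  const results = [];
  for (const name of names) {
    const ctor = scope[name];
    if (typeof ctor !== "function" || typeof ctor.prototype !== "object" ||
        ctor.prototype === null) continue;
    const proto = ctor.prototype;
    for (const key of Reflect.ownKeys(proto)) {
      if (key === "constructor") continue;
      const desc = Object.getOwnPropertyDescriptor(proto, key);
      if (typeof desc.value !== "function") continue;   // skip accessors and data
      for (const recv of slotlessReceivers(proto)) {
        let outcome;
        try {
          desc.value.call(recv.value);
          outcome = "returned";
        } catch (e) {
          outcome = classify(e);
        }
        results.push({ object: `${name}.prototype`, method: String(key),
                       receiver: recv.label, outcome });
      }
    }
  }
  return results;
}

// Triage view: every probe that did not end in a TypeError. "returned" is
// either a spec carve-out or a missing receiver check; "other:*" means some
// other validation ran before the receiver was examined.
function suspicious(results) {
  return results.filter(r => r.outcome !== "TypeError");
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of suspicious(probePrototypeMethods())) {
    console.log(`${r.object}[${r.method}] with ${r.receiver}: ${r.outcome}`);
  }
}
```

Anything it lists is a candidate for manual triage rather than an automatic bug: RegExp.prototype.toString, for example, succeeds on RegExp.prototype because the `source` and `flags` getters special-case that object, whereas a native that returns on such a receiver because it never looked at its private slot is exactly the shape of this crash.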
Updated (Assignee)•14 years ago
Whiteboard: [sg:dos]
Comment 4 (Assignee)•14 years ago
Assignee: general → gal
Comment 5 (Assignee)•14 years ago
Just a couple missing null checks. Not exploitable. Should be very safe to take, but I won't fight an a-.
Updated (Assignee)•14 years ago
Attachment #515373 - Flags: approval2.0?
Updated (Assignee)•14 years ago
blocking2.0: ? → -
Updated (Assignee)•14 years ago
Attachment #515373 - Flags: review?(dvander)
Comment 6•14 years ago
Comment on attachment 515373 [details] [diff] [review]
patch
r+ before a? please!
Attachment #515373 - Flags: approval2.0?
Comment 7 (Assignee)•14 years ago
dvander, want to review?
Updated•14 years ago
Attachment #515373 - Flags: review?(dvander) → review+
Comment 8 (Assignee)•14 years ago
Comment on attachment 515373 [details] [diff] [review]
patch
This is a safe crash and a DoS. I would like to take it for 2.x but I am not going to fight for it.
Attachment #515373 - Flags: approval2.0?
Comment 9 (Assignee)•14 years ago
Comment on attachment 515373 [details] [diff] [review]
patch
Actually no, I take back the approval nom. I'll just land it on trunk and we pick it up whenever.
Attachment #515373 - Flags: approval2.0?
Comment 10•14 years ago
Whiteboard: [sg:dos] → [sg:dos] fixed-in-tracemonkey
Comment 11•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
status-firefox5: --- → fixed
Target Milestone: --- → mozilla5
Updated•13 years ago
Crash Signature: [@ js_IteratorMore]
Updated•13 years ago
Group: core-security
Comment 13 (Reporter)•12 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+