[tor-bugs] #20970 [Applications/Tor Browser Sandbox]: Firefox crashes if the security slider is left at the default on certain pages.

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Dec 14 23:02:38 UTC 2016


#20970: Firefox crashes if the security slider is left at the default on certain
pages.
----------------------------------------------+-------------------------
 Reporter:  yawning                           |          Owner:  yawning
     Type:  defect                            |         Status:  new
 Priority:  High                              |      Milestone:
Component:  Applications/Tor Browser Sandbox  |        Version:
 Severity:  Normal                            |     Resolution:
 Keywords:                                    |  Actual Points:
Parent ID:                                    |         Points:
 Reviewer:                                    |        Sponsor:
----------------------------------------------+-------------------------

Comment (by yawning):

 Nothing to do with seccomp either (disabling that doesn't change things).

 {{{
 Thread 1 "firefox" received signal SIGSEGV, Segmentation fault.
 0x000003ad7714e7c8 in
 js::frontend::Parser<js::frontend::FullParseHandler>::standaloneLazyFunction
 (
     this=this@entry=0x3fb1070e940, fun=fun@entry=..., strict=false,
 generatorKind=js::NotGenerator)
     at /home/debian/build/tor-browser/js/src/frontend/Parser.cpp:2880
 2880    /home/debian/build/tor-browser/js/src/frontend/Parser.cpp: No such
 file or directory.
 (gdb) bt
 #0  0x000003ad7714e7c8 in
 js::frontend::Parser<js::frontend::FullParseHandler>::standaloneLazyFunction(JS::Handle<JSFunction*>,
 bool, js::GeneratorKind) (this=this@entry=0x3fb1070e940,
 fun=fun@entry=..., strict=false, generatorKind=js::NotGenerator)
     at /home/debian/build/tor-browser/js/src/frontend/Parser.cpp:2880
 #1  0x000003ad770930ab in js::frontend::CompileLazyFunction(JSContext*,
 JS::Handle<js::LazyScript*>, char16_t const*, unsigned long)
 (cx=cx@entry=0x3ad5b93a400, lazy=lazy@entry=..., chars=0x3ad56267ac4
 u"($,jQuery,require,module){(function($){if(document.selection&&document.selection.createRange){$.fn.extend({focus:(function(jqFocus){return
 function(){var $w,state,result;if(arguments.length===0){$w=$("...,
 length=9692) at /home/debian/build/tor-
 browser/js/src/frontend/BytecodeCompiler.cpp:799
 #2  0x000003ad76e9b6b7 in
 JSFunction::createScriptForLazilyInterpretedFunction(JSContext*,
 JS::Handle<JSFunction*>) (cx=cx@entry=0x3ad5b93a400, fun=fun@entry=...)
     at /home/debian/build/tor-browser/js/src/jsfun.cpp:1422
 #3  0x000003ad76fa7901 in JSFunction::getOrCreateScript(JSContext*)
 (cx=0x3ad5b93a400, this=<optimized out>) at /home/debian/build/tor-
 browser/js/src/jsfun.h:389
 #4  0x000003ad76fa7901 in js::Invoke(JSContext*, JS::CallArgs const&,
 js::MaybeConstruct) (cx=cx@entry=0x3ad5b93a400, args=...,
 construct=construct@entry=js::NO_CONSTRUCT)
     at /home/debian/build/tor-browser/js/src/vm/Interpreter.cpp:447
 #5  0x000003ad76fa8035 in js::Invoke(JSContext*, JS::Value const&,
 JS::Value const&, unsigned int, JS::Value const*,
 JS::MutableHandle<JS::Value>) (cx=cx@entry=0x3ad5b93a400, thisv=...,
 fval=..., argc=argc@entry=4, argv=argv@entry=0x3fb1070f4b0, rval=...,
 rval@entry=...)
     at /home/debian/build/tor-browser/js/src/vm/Interpreter.cpp:496
 #6  0x000003ad76c62718 in js::jit::DoCallFallback(JSContext*,
 js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, uint32_t, JS::Value*,
 JS::MutableHandleValue) (cx=0x3ad5b93a400, frame=0x3fb1070f528,
 stub_=0x3ad5a44ecc8, argc=4, vp=0x3fb1070f4a0, res=...)
     at /home/debian/build/tor-browser/js/src/jit/BaselineIC.cpp:6162
 #7  0x000003ad7a67e280 in  ()
 #8  0x000003ad66826280 in  ()
 #9  0x000003fb1070f458 in  ()
 #10 0x000003ad5b93a418 in  ()
 Python Exception <class 'SystemError'> <built-in function isinstance>
 returned a result with an error set:
 #11 0xffffffffffffffff in #12 0x000003ad79670e00 in
 js::jit::DoCallFallbackInfo ()
     at /home/amnesia/sandboxed-tor-browser/tor-browser/Browser/libxul.so
 #13 0x000003ad668646a0 in  ()
 #14 0x000003ad6867b833 in  ()
 #15 0x0000000000000c02 in  ()
 #16 0x000003fb1070f528 in  ()
 #17 0x000003ad5a44ecc8 in  ()
 #18 0x0000000000000004 in  ()
 #19 0x000003fb1070f4a0 in  ()
 Python Exception <class 'SystemError'> <built-in function isinstance>
 returned a result with an error set:
 Python Exception <class 'SystemError'> <built-in function isinstance>
 returned a result with an error set:
 Python Exception <class 'SystemError'> <built-in function isinstance>
 returned a result with an error set:
 Python Exception <class 'SystemError'> <built-in function isinstance>
 returned a result with an error set:
 Python Exception <class 'SystemError'> <built-in function isinstance>
 returned a result with an error set:
 Python Exception <class 'SystemError'> <built-in function isinstance>
 returned a result with an error set:
 #20 0xffffffffffffffff in #21 0xffffffffffffffff in #22 0xffffffffffffffff
 in #23 0xffffffffffffffff in #24 0xffffffffffffffff in #25
 0xffffffffffffffff in #26 0x000003fb1070f568 in  ()
 #27 0x000003ad5a44ecc8 in  ()
 #28 0x000003ad663d358b in  ()
 #29 0x0000000000001001 in  ()
 Python Exception <class 'SystemError'> <built-in function isinstance>
 returned a result with an error set:
 Python Exception <class 'SystemError'> <built-in function isinstance>
 returned a result with an error set:
 Python Exception <class 'SystemError'> <built-in function isinstance>
 returned a result with an error set:
 Python Exception <class 'SystemError'> <built-in function isinstance>
 returned a result with an error set:
 Python Exception <class 'SystemError'> <built-in function isinstance>
 returned a result with an error set:
 Python Exception <class 'SystemError'> <built-in function isinstance>
 returned a result with an error set:
 Python Exception <class 'SystemError'> <built-in function isinstance>
 returned a result with an error set:
 #30 0xffffffffffffffff in #31 0xffffffffffffffff in #32 0xffffffffffffffff
 in #33 0xffffffffffffffff in #34 0xffffffffffffffff in #35
 0xffffffffffffffff in #36 0xffffffffffffffff in #37 0x0000000000000000 in
 ()
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20970#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

