118849 - calling javascript `Function' with bad args crashes browser

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jeff Rogers]

the javascript Function constructor apparently does insufficient argument
checking;  if the arguments for formal argument names are not strings (e.g.
they're numbers) an immediate crash results.  The functionBody argument does not
have this property.

Comment 1

[Phil Schwartau]

Confirming on WinNT. OS: Linux --> All.
In the current JS shell:

js> Function('0')
function anonymous() {
}

js> Function(0);
function anonymous() {
}

js> Function('0', '0')
1: SyntaxError: malformed formal parameter

js> Function(0, 0)
---> CRASH!


cc'ing Brendan on this JS Engine crash.
Will attach stack trace below.

Comment 2

[Phil Schwartau]

Attachment: WinNT stack trace + function at crashpoint

Comment 3

[Brendan Eich [:brendan]]

Old norris bug, I think.  Patch in a second.

/be

Comment 4

[Brendan Eich [:brendan]]

Attachment: proposed fix, plus the patch for bug 118732

I'm working on jsfun.c in the same tree as I used to patch bug 118732. 
Reviews?  Another easy one.

/be

Comment 5

[Brendan Eich [:brendan]]

Attachment: oops -- last patch was the Call removal one only

Comment 6

[Phil Schwartau]

Testcase added to JS testsuite:

         mozilla/js/tests/js1_5/Regress/regress-118849.js

Currently passing in Rhino, crashing in Spidermonkey -

Comment 7

[Mike Shaver (:shaver emeritus)]

Comment on attachment 64056 [details] [diff] [review]
oops -- last patch was the Call removal one only

Looks good. sr=shaver.

Comment 8

[Brendan Eich [:brendan]]

Darn, those patches are the same after all.  Anyway, still waiting for r=.

/be

Comment 9

[Brendan Eich [:brendan]]

Thank you, timeless!  I should call you timely.

/be

Comment 10

[Phil Schwartau]

Marking Verified. The above testcase now passes in both the debug
and optimized SpiderMonkey shell -