Bug 243389 (Closed) - Opened 21 years ago, Closed 21 years ago

Crash when doing illegal regexp [@ProcessOp]

Product / Component: Core :: JavaScript Engine
Type: defect
Priority: P1
Platform: x86, Windows 2000
Status: VERIFIED FIXED
Target Milestone: mozilla1.7final
Reporter: bugzilla
Assignee: brendan
Keywords: crash, fixed1.7, js1.5
Attachments: 2 files

WARNING: THE URL WILL CRASH YOUR BROWSER! On http://gemal.dk/test/crash.html I have: <script> if (/(\\|/)/) { } </script> This will crash your browser. Please make it not crash. Using the latest nightly build on Win2000. It also crashed Firefox 0.8.
Crash with Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a) Gecko/20040511, Talkback ID TB45120K
Whiteboard: TB45120K
Stacktrace with current cvs trunk build:

ProcessOp(CompilerState * 0x0012ec4c, REOpData * 0x032f6a04, RENode * * 0x0331fd08, int 0x00000001) line 363 + 28 bytes
ParseRegExp(CompilerState * 0x032f69f8) line 566 + 17 bytes
js_NewRegExp(JSContext * 0x033f4908, JSTokenStream * 0x00000000, JSString * 0x032e6658, unsigned int 0x00000000, int 0x00000000) line 1563 + 9 bytes
js_NewRegExpObject(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, unsigned short * 0x033b7c18, unsigned int 0x00000004, unsigned int 0x00000000) line 3643 + 15 bytes
js_GetToken(JSContext * 0x78001532, JSTokenStream * 0x01500ff9) line 1193 + 26 bytes
MSVCRT! 78001532()
MulExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 2483 + 16 bytes
AddExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 2465 + 16 bytes
ShiftExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 2450 + 16 bytes
RelExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 2418 + 26 bytes
EqExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 2394 + 16 bytes
BitAndExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 2382 + 15 bytes
BitXorExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 2369 + 15 bytes
BitOrExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 2356 + 15 bytes
AndExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 2345 + 16 bytes
OrExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 2334 + 16 bytes
CondExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 2294 + 18 bytes
AssignExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 2240 + 13 bytes
Expr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 2212 + 18 bytes
Condition(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 1051 + 12 bytes
Statement(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 1281 + 10 bytes
Statements(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext * 0x0012efec) line 999 + 14 bytes
js_CompileTokenStream(JSContext * 0x033f4908, JSObject * 0x02c96590, JSTokenStream * 0x033b7920, JSCodeGenerator * 0x0012efec) line 451 + 12 bytes
CompileTokenStream(JSContext * 0x033f4908, JSObject * 0x02c96590, JSTokenStream * 0x033b7920, void * 0x033f4958, int * 0x00000000) line 3044 + 21 bytes
JS_CompileUCScriptForPrincipals(JSContext * 0x033f4908, JSObject * 0x02c96590, JSPrincipals * 0x033fe364, const unsigned short * 0x0012f308, unsigned int 0x00000013, const char * 0x033a8730, unsigned int 0x0000000f) line 3125 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x033f4908, JSObject * 0x02c96590, JSPrincipals * 0x033fe364, const unsigned short * 0x0012f308, unsigned int 0x00000013, const char * 0x033a8730, unsigned int 0x0000000f, long * 0x0012f190) line 3579
nsJSContext::EvaluateString(nsJSContext * const 0x00080104, const nsAString & {...}, void * 0x02c96590, nsIPrincipal * 0xffffffff, const char * 0x033a8730, unsigned int 0x0000000f, const char * 0x00000000, nsAString & {...}, int * 0x0012f2c8) line 927 + 69 bytes
nsScriptLoader::EvaluateScript(nsScriptLoader * const 0x00080104, nsScriptLoadRequest * 0x02b86568, const nsString & {...}) line 676
nsScriptLoader::ProcessRequest(nsScriptLoader * const 0x00080104, nsScriptLoadRequest * 0x02b86568) line 589 + 9 bytes
nsScriptLoader::ProcessScriptElement(nsScriptLoader * const 0x0341988c, nsIDOMHTMLScriptElement * 0x0000000f, nsIScriptLoaderObserver * 0x03419888) line 535 + 11 bytes
nsHTMLScriptElement::MaybeProcessScript(nsHTMLScriptElement * const 0x00080104) line 655
nsHTMLScriptElement::SetDocument(nsHTMLScriptElement * const 0x00080104, nsIDocument * 0x03057140, int 0x00000000, int 0x00000001) line 468 + 7 bytes
nsGenericElement::AppendChildTo(nsGenericElement * const 0x00080104, nsIContent * 0x03419868, int 0x00000000, int 0x00000000) line 2525
HTMLContentSink::ProcessSCRIPTTag(HTMLContentSink * const 0x00080104, const nsIParserNode & {...}) line 4335
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x03433fa4, const nsIParserNode & {...}) line 3188
HTMLContentSink::AddHeadContent(HTMLContentSink * const 0x03433fa4, const nsIParserNode & {...}) line 3139 + 10 bytes
CNavDTD::AddHeadLeaf(CNavDTD * const 0x00080104, nsIParserNode * 0x0329d578) line 3834 + 10 bytes
CNavDTD::HandleStartToken(CNavDTD * const 0x00080104, CToken * 0x00000054) line 1842 + 10 bytes
CNavDTD::HandleToken(CNavDTD * const 0x032d71f8, CToken * 0x0346fcb0, nsIParser * 0x033fa150) line 1029 + 10 bytes
CNavDTD::BuildModel(CNavDTD * const 0x032d71f8, nsIParser * 0x033fa150, nsITokenizer * 0x033b5bc0, nsITokenObserver * 0x00000000, nsIContentSink * 0x03433fa4) line 510 + 10 bytes
nsParser::BuildModel(nsParser * const 0x033b5bc0) line 1898
nsParser::ResumeParse(nsParser * const 0x00080104, int 0x01c136ca, int 0x00000001, int 0x00000000) line 1760 + 6 bytes
nsParser::OnDataAvailable(nsParser * const 0x00000003, nsIRequest * 0x012c2fc8, nsISupports * 0x03147498, nsIInputStream * 0x00000000, unsigned int 0x03433fa4, unsigned int 0x00000000) line 2425 + 13 bytes
GKPARSER! const nsParser::`vftable'{for `nsIStreamListener'} address 0x01c292bc
nsParser::AddRef(nsParser * const 0x01c11f5b nsParser::GetContentSink(void)) line 357
nsParser::SetContentSink(nsParser * const 0x01c12984 nsParser::ContinueParsing(void), nsIContentSink * 0x01c129d7 nsParser::BlockParser(void)) line 506
nsParser::GetDTD(nsParser * const 0x01c12e7c nsParser::ParseFragment(const nsAString &, void *, nsVoidArray &, unsigned int, const nsACString &, nsDTDMode), nsIDTD * * 0x01c13206 nsParser::BuildModel(void)) line 2644
nsParser::Terminate(nsParser * const 0xb80a75c9) line 1318
8556104d()
Keywords: stackwanted
Summary: Crash when doing illegal reg.exp → Crash when doing illegal reg.exp [@ProcessOp]
Whiteboard: TB45120K
Summary: Crash when doing illegal reg.exp [@ProcessOp] → Crash when doing illegal regexp [@ProcessOp]
Crashes at jsregexp.c:361, trying to dereference kid. Caused by this:

[E] ABR: Array bounds read in ProcessOp {1 occurrence}
    Reading 4 bytes from 0x0cdb1d9c (4 bytes at 0x0cdb1d9c illegal)
    Address 0x0cdb1d9c is 4 bytes before the beginning of a 512 byte block at 0x0cdb1da0
    Address 0x0cdb1d9c points to a malloc'd block in heap 0x01e80000
    Thread ID: 0xf0
    Error location
        ProcessOp [jsregexp.c:353]
                result = NewRENode(state, REOP_ALT);
                if (!result)
                    return JS_FALSE;
         =>     result->kid = operandStack[operandSP - 2];
                result->u.kid2 = operandStack[operandSP - 1];
                operandStack[operandSP - 2] = result;
                /*
        ParseRegExp [jsregexp.c:566]
        js_NewRegExp [jsregexp.c:1563]
        js_NewRegExpObject [jsregexp.c:3643]
        js_GetToken [jsscan.c:1193]
        UnaryExpr [jsparse.c:2566]
        MulExpr [jsparse.c:2483]
        AddExpr [jsparse.c:2465]
        ShiftExpr [jsparse.c:2450]
        RelExpr [jsparse.c:2418]
    Allocation location
        malloc [dbgheap.c:138]
        JS_malloc [jsapi.c:1463]
        ParseRegExp [jsregexp.c:460]
        js_NewRegExp [jsregexp.c:1563]
        js_NewRegExpObject [jsregexp.c:3643]
        js_GetToken [jsscan.c:1193]
        UnaryExpr [jsparse.c:2566]
        MulExpr [jsparse.c:2483]
        AddExpr [jsparse.c:2465]
        ShiftExpr [jsparse.c:2450]
Sigh. Where'd rogerl go? /be
Assignee: general → brendan
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.7final
Status: NEW → ASSIGNED
Flags: blocking1.7+
I'm not gonna make RC2 with a fix, but this must be fixed by 1.7 final. /be
Attached patch: simple fix
Too easy -- I had to add the empty alternative code previously, but didn't get the test quite right. /be
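The operand-stack underflow that Purify reports in the comment above, and the empty-alternative test brendan mentions here, in a toy model. This is an added illustration, not SpiderMonkey's jsregexp.c and not the attached patch: the node and operator names, the fix_empty_alt switch (the model either never or always supplies an EMPTY operand for an empty alternative, whereas the real code's earlier test only missed one case) and the PARSE_UNDERFLOW status returned in place of the out-of-bounds read are all assumptions. The pattern "(\\|" is the four-character regexp source the scanner hands to js_NewRegExpObject in the reporter's test case.

```c
#include <stdio.h>
#include <string.h>

/* Toy shunting-yard regexp parser modelled on the operand-stack code quoted in
 * the bug. Added illustration only, not SpiderMonkey's jsregexp.c: the names,
 * the fix_empty_alt switch and the PARSE_UNDERFLOW status are assumptions. */

enum { ATOM, EMPTY, ALT, CONCAT };                          /* node kinds */
typedef struct Node { int op; char ch; struct Node *kid, *kid2; } Node;
typedef enum { PARSE_OK, PARSE_SYNTAX_ERROR, PARSE_UNDERFLOW, PARSE_TOO_COMPLEX } ParseResult;
enum { OP_ALT, OP_PAREN };                                  /* operator-stack entries */
#define MAX_STACK 64
#define POOL_SIZE 256

typedef struct {
    Node pool[POOL_SIZE]; int used;                         /* fixed node pool, no malloc */
    Node *operands[MAX_STACK]; int operandSP;
    struct { int op; int outer_has_operand; } ops[MAX_STACK]; int opSP;
    int fix_empty_alt;                                      /* 0: never supply EMPTY, 1: always */
} State;

static Node *new_node(State *s, int op, char ch, Node *k1, Node *k2) {
    Node *n = s->used < POOL_SIZE ? &s->pool[s->used++] : NULL;
    if (n) { n->op = op; n->ch = ch; n->kid = k1; n->kid2 = k2; }
    return n;
}

/* Model of ProcessOp for REOP_ALT: consumes two operands, pushes one. With a
 * single operand on the stack the original indexed operandStack[-1], four
 * bytes before the malloc'd block, which is what Purify reported. */
static ParseResult process_alt(State *s) {
    Node *r;
    if (s->operandSP < 2) return PARSE_UNDERFLOW;           /* guard the original lacked */
    r = new_node(s, ALT, 0, s->operands[s->operandSP - 2], s->operands[s->operandSP - 1]);
    if (!r) return PARSE_TOO_COMPLEX;
    s->operands[s->operandSP - 2] = r;
    s->operandSP--;
    return PARSE_OK;
}

/* Push an operand, concatenating it with the one already in this alternative. */
static ParseResult add_operand(State *s, Node *n, int *has_operand) {
    if (!n) return PARSE_TOO_COMPLEX;
    if (*has_operand) n = new_node(s, CONCAT, 0, s->operands[--s->operandSP], n);
    if (!n || s->operandSP == MAX_STACK) return PARSE_TOO_COMPLEX;
    s->operands[s->operandSP++] = n;
    *has_operand = 1;
    return PARSE_OK;
}

/* Finish the current alternative at '|', ')' or end of pattern: supply the
 * EMPTY operand if nothing was parsed (the fix), then reduce pending ALTs. */
static ParseResult end_alternative(State *s, int *has_operand) {
    ParseResult r;
    if (!*has_operand && s->fix_empty_alt &&
        (r = add_operand(s, new_node(s, EMPTY, 0, NULL, NULL), has_operand)) != PARSE_OK)
        return r;
    while (s->opSP > 0 && s->ops[s->opSP - 1].op == OP_ALT) {
        if ((r = process_alt(s)) != PARSE_OK) return r;
        s->opSP--;
    }
    return PARSE_OK;
}

static ParseResult push_op(State *s, int op, int outer) {
    if (s->opSP == MAX_STACK) return PARSE_TOO_COMPLEX;
    s->ops[s->opSP].op = op; s->ops[s->opSP].outer_has_operand = outer; s->opSP++;
    return PARSE_OK;
}

static void app(char *buf, size_t sz, const char *t) {     /* bounded append */
    size_t len = strlen(buf);
    if (len + 1 < sz) strncat(buf, t, sz - len - 1);
}
static void render(const Node *n, char *buf, size_t sz) {   /* tree -> text, e.g. ALT(a,EMPTY) */
    char t[2] = { n->ch, 0 };
    if (n->op == ATOM) { app(buf, sz, t); return; }
    if (n->op == EMPTY) { app(buf, sz, "EMPTY"); return; }
    app(buf, sz, n->op == ALT ? "ALT(" : "CONCAT(");
    render(n->kid, buf, sz); app(buf, sz, ","); render(n->kid2, buf, sz); app(buf, sz, ")");
}

/* Parse src; on PARSE_OK the tree is written as text into tree[]. */
ParseResult parse_regexp(const char *src, int fix_empty_alt, char *tree, size_t treesz) {
    State s; int has_operand = 0; ParseResult r; const char *p;
    memset(&s, 0, sizeof s); s.fix_empty_alt = fix_empty_alt; tree[0] = 0;
    for (p = src; *p; p++) {
        switch (*p) {
        case '(':
            if ((r = push_op(&s, OP_PAREN, has_operand)) != PARSE_OK) return r;
            has_operand = 0;
            break;
        case '|':
            if ((r = end_alternative(&s, &has_operand)) != PARSE_OK) return r;
            if ((r = push_op(&s, OP_ALT, 0)) != PARSE_OK) return r;
            has_operand = 0;
            break;
        case ')':
            if ((r = end_alternative(&s, &has_operand)) != PARSE_OK) return r;
            if (s.opSP == 0 || s.ops[s.opSP - 1].op != OP_PAREN) return PARSE_SYNTAX_ERROR;
            if (s.operandSP == 0) return PARSE_UNDERFLOW;   /* "()" with the fix off */
            has_operand = s.ops[--s.opSP].outer_has_operand;
            if ((r = add_operand(&s, s.operands[--s.operandSP], &has_operand)) != PARSE_OK) return r;
            break;
        case '\\':
            if (!p[1]) return PARSE_SYNTAX_ERROR;           /* trailing backslash */
            p++;                                            /* escaped char is a literal atom */
            /* fall through */
        default:
            if ((r = add_operand(&s, new_node(&s, ATOM, *p, NULL, NULL), &has_operand)) != PARSE_OK) return r;
        }
    }
    if ((r = end_alternative(&s, &has_operand)) != PARSE_OK) return r;
    if (s.opSP != 0) return PARSE_SYNTAX_ERROR;             /* unterminated group */
    if (s.operandSP != 1) return PARSE_UNDERFLOW;           /* e.g. "" with the fix off */
    render(s.operands[0], tree, treesz);
    return PARSE_OK;
}

ParseResult parse_status(const char *src, int fix) { char t[128]; return parse_regexp(src, fix, t, sizeof t); }
const char *parse_tree(const char *src, int fix) {
    static char t[256]; return parse_regexp(src, fix, t, sizeof t) == PARSE_OK ? t : "";
}

int main(void) {
    static const char *patterns[] = { "a|b", "(\\\\|", "a||b", "|a", "(a|)c" };   /* constructed inputs */
    static const char *names[] = { "OK", "SYNTAX_ERROR", "UNDERFLOW", "TOO_COMPLEX" };
    size_t i;
    for (i = 0; i < sizeof patterns / sizeof *patterns; i++)
        printf("%-6s  fix off: %-12s  fix on: %-12s %s\n", patterns[i],
               names[parse_status(patterns[i], 0)], names[parse_status(patterns[i], 1)],
               parse_tree(patterns[i], 1));
    return 0;
}
```

With the switch off, "(\\|", "a||b" and "|a" all reach process_alt with one operand on the stack, the condition under which ProcessOp read operandStack[operandSP - 2] from just before the block; with it on, the same inputs either parse (ALT nodes with an EMPTY kid) or are rejected as a syntax error for the unterminated group. The operandSP check in process_alt is belt and braces: the parser's invariants should make it unreachable, but it turns a heap over-read into an error return if another case is missed.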
Comment on attachment 148476 (simple fix): Going for fast RC2 review and approval (tonight -- got a reprieve due to RC2 not being today's builds, for other reasons). /be
Attachment #148476 - Flags: superreview?(shaver)
Attachment #148476 - Flags: review?(igor)
Attachment #148476 - Flags: approval1.7?
Not going to miss RC2, this one-char fix (I beefed up the comment, so one char for the code change) is in the trunk and branch now. I optimistically asserted r/sr=igor/shaver, and Asa said "go for it" in person. /be
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Keywords: fixed1.7
Resolution: --- → FIXED
Comment on attachment 148476 (simple fix): a=asa (on behalf of drivers) for checkin to 1.7
Attachment #148476 - Flags: approval1.7? → approval1.7+
Comment on attachment 148476 (simple fix): sr=shaver
Attachment #148476 - Flags: superreview?(shaver) → superreview+
http://gemal.dk/test/crash.html no longer crashes for me using build 2004-07-25-09, Windows XP. Verified FIXED (and since nobody else on Linux/Mac has reopened, assuming fixed state on those plats, too)
Status: RESOLVED → VERIFIED
Henrik, with your permission this will be included in the javascript test library.
bc: sure. include it
js1_5/Regress/regress-243389-n.js checked in.
Flags: testcase+
Attachment #148476 - Flags: review?(igor)
Crash Signature: [@ProcessOp]