Closed Bug 243389 Opened 20 years ago Closed 20 years ago

Crash when doing illegal regexp [@ProcessOp]

Categories

(Core :: JavaScript Engine, defect, P1)

x86
Windows 2000
defect

Tracking

VERIFIED FIXED
mozilla1.7final

People

(Reporter: bugzilla, Assigned: brendan)

Details

(Keywords: crash, fixed1.7, js1.5)

Attachments

(2 files)

WARNING: THE URL WILL CRASH YOUR BROWSER!

on http://gemal.dk/test/crash.html I have:
<script>
if (/(\\|/)/) {
}
</script>

this will crash your browser.

please make it not crash.

using latest nightly build on Win2000

it also crashed Firefox 0.8
crash Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a) Gecko/20040511
Talkbackid TB45120K
Whiteboard: TB45120K
Stacktrace with current cvs trunk build:
ProcessOp(CompilerState * 0x0012ec4c, REOpData * 0x032f6a04, RENode * *
0x0331fd08, int 0x00000001) line 363 + 28 bytes
ParseRegExp(CompilerState * 0x032f69f8) line 566 + 17 bytes
js_NewRegExp(JSContext * 0x033f4908, JSTokenStream * 0x00000000, JSString *
0x032e6658, unsigned int 0x00000000, int 0x00000000) line 1563 + 9 bytes
js_NewRegExpObject(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, unsigned
short * 0x033b7c18, unsigned int 0x00000004, unsigned int 0x00000000) line 3643
+ 15 bytes
js_GetToken(JSContext * 0x78001532, JSTokenStream * 0x01500ff9) line 1193 + 26 bytes
MSVCRT! 78001532()
MulExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 2483 + 16 bytes
AddExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 2465 + 16 bytes
ShiftExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 2450 + 16 bytes
RelExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 2418 + 26 bytes
EqExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 2394 + 16 bytes
BitAndExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 2382 + 15 bytes
BitXorExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 2369 + 15 bytes
BitOrExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 2356 + 15 bytes
AndExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 2345 + 16 bytes
OrExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 2334 + 16 bytes
CondExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 2294 + 18 bytes
AssignExpr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 2240 + 13 bytes
Expr(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 2212 + 18 bytes
Condition(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 1051 + 12 bytes
Statement(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 1281 + 10 bytes
Statements(JSContext * 0x033f4908, JSTokenStream * 0x033b7920, JSTreeContext *
0x0012efec) line 999 + 14 bytes
js_CompileTokenStream(JSContext * 0x033f4908, JSObject * 0x02c96590,
JSTokenStream * 0x033b7920, JSCodeGenerator * 0x0012efec) line 451 + 12 bytes
CompileTokenStream(JSContext * 0x033f4908, JSObject * 0x02c96590, JSTokenStream
* 0x033b7920, void * 0x033f4958, int * 0x00000000) line 3044 + 21 bytes
JS_CompileUCScriptForPrincipals(JSContext * 0x033f4908, JSObject * 0x02c96590,
JSPrincipals * 0x033fe364, const unsigned short * 0x0012f308, unsigned int
0x00000013, const char * 0x033a8730, unsigned int 0x0000000f) line 3125 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x033f4908, JSObject * 0x02c96590,
JSPrincipals * 0x033fe364, const unsigned short * 0x0012f308, unsigned int
0x00000013, const char * 0x033a8730, unsigned int 0x0000000f, long * 0x0012f190)
line 3579
nsJSContext::EvaluateString(nsJSContext * const 0x00080104, const nsAString &
{...}, void * 0x02c96590, nsIPrincipal * 0xffffffff, const char * 0x033a8730,
unsigned int 0x0000000f, const char * 0x00000000, nsAString & {...}, int *
0x0012f2c8) line 927 + 69 bytes
nsScriptLoader::EvaluateScript(nsScriptLoader * const 0x00080104,
nsScriptLoadRequest * 0x02b86568, const nsString & {...}) line 676
nsScriptLoader::ProcessRequest(nsScriptLoader * const 0x00080104,
nsScriptLoadRequest * 0x02b86568) line 589 + 9 bytes
nsScriptLoader::ProcessScriptElement(nsScriptLoader * const 0x0341988c,
nsIDOMHTMLScriptElement * 0x0000000f, nsIScriptLoaderObserver * 0x03419888) line
535 + 11 bytes
nsHTMLScriptElement::MaybeProcessScript(nsHTMLScriptElement * const 0x00080104)
line 655
nsHTMLScriptElement::SetDocument(nsHTMLScriptElement * const 0x00080104,
nsIDocument * 0x03057140, int 0x00000000, int 0x00000001) line 468 + 7 bytes
nsGenericElement::AppendChildTo(nsGenericElement * const 0x00080104, nsIContent
* 0x03419868, int 0x00000000, int 0x00000000) line 2525
HTMLContentSink::ProcessSCRIPTTag(HTMLContentSink * const 0x00080104, const
nsIParserNode & {...}) line 4335
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x03433fa4, const nsIParserNode
& {...}) line 3188
HTMLContentSink::AddHeadContent(HTMLContentSink * const 0x03433fa4, const
nsIParserNode & {...}) line 3139 + 10 bytes
CNavDTD::AddHeadLeaf(CNavDTD * const 0x00080104, nsIParserNode * 0x0329d578)
line 3834 + 10 bytes
CNavDTD::HandleStartToken(CNavDTD * const 0x00080104, CToken * 0x00000054) line
1842 + 10 bytes
CNavDTD::HandleToken(CNavDTD * const 0x032d71f8, CToken * 0x0346fcb0, nsIParser
* 0x033fa150) line 1029 + 10 bytes
CNavDTD::BuildModel(CNavDTD * const 0x032d71f8, nsIParser * 0x033fa150,
nsITokenizer * 0x033b5bc0, nsITokenObserver * 0x00000000, nsIContentSink *
0x03433fa4) line 510 + 10 bytes
nsParser::BuildModel(nsParser * const 0x033b5bc0) line 1898
nsParser::ResumeParse(nsParser * const 0x00080104, int 0x01c136ca, int
0x00000001, int 0x00000000) line 1760 + 6 bytes
nsParser::OnDataAvailable(nsParser * const 0x00000003, nsIRequest * 0x012c2fc8,
nsISupports * 0x03147498, nsIInputStream * 0x00000000, unsigned int 0x03433fa4,
unsigned int 0x00000000) line 2425 + 13 bytes
GKPARSER! const  nsParser::`vftable'{for `nsIStreamListener'} address 0x01c292bc
nsParser::AddRef(nsParser * const 0x01c11f5b nsParser::GetContentSink(void))
line 357
nsParser::SetContentSink(nsParser * const 0x01c12984
nsParser::ContinueParsing(void), nsIContentSink * 0x01c129d7
nsParser::BlockParser(void)) line 506
nsParser::GetDTD(nsParser * const 0x01c12e7c nsParser::ParseFragment(const
nsAString &, void *, nsVoidArray &, unsigned int, const nsACString &,
nsDTDMode), nsIDTD * * 0x01c13206 nsParser::BuildModel(void)) line 2644
nsParser::Terminate(nsParser * const 0xb80a75c9) line 1318
8556104d()
Keywords: stackwanted
Summary: Crash when doing illegal reg.exp → Crash when doing illegal reg.exp [@ProcessOp]
Whiteboard: TB45120K
Summary: Crash when doing illegal reg.exp [@ProcessOp] → Crash when doing illegal regexp [@ProcessOp]
Crashes at jsregexp.c:361, trying to dereference kid.  Caused by this:

[E] ABR: Array bounds read in ProcessOp {1 occurrence}
        Reading 4 bytes from 0x0cdb1d9c (4 bytes at 0x0cdb1d9c illegal)
        Address 0x0cdb1d9c is 4 bytes before the beginning of a 512 byte block 
at 0x0cdb1da0
        Address 0x0cdb1d9c points to a malloc'd block in heap 0x01e80000
        Thread ID: 0xf0
        Error location
            ProcessOp      [jsregexp.c:353]
                        result = NewRENode(state, REOP_ALT);
                        if (!result)
                            return JS_FALSE;
             =>         result->kid = operandStack[operandSP - 2];
                        result->u.kid2 = operandStack[operandSP - 1];
                        operandStack[operandSP - 2] = result;
                        /*
            ParseRegExp    [jsregexp.c:566]
            js_NewRegExp   [jsregexp.c:1563]
            js_NewRegExpObject [jsregexp.c:3643]
            js_GetToken    [jsscan.c:1193]
            UnaryExpr      [jsparse.c:2566]
            MulExpr        [jsparse.c:2483]
            AddExpr        [jsparse.c:2465]
            ShiftExpr      [jsparse.c:2450]
            RelExpr        [jsparse.c:2418]
        Allocation location
            malloc         [dbgheap.c:138]
            JS_malloc      [jsapi.c:1463]
            ParseRegExp    [jsregexp.c:460]
            js_NewRegExp   [jsregexp.c:1563]
            js_NewRegExpObject [jsregexp.c:3643]
            js_GetToken    [jsscan.c:1193]
            UnaryExpr      [jsparse.c:2566]
            MulExpr        [jsparse.c:2483]
            AddExpr        [jsparse.c:2465]
            ShiftExpr      [jsparse.c:2450]
Sigh.  Where'd rogerl go?

/be
Assignee: general → brendan
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.7final
Status: NEW → ASSIGNED
Flags: blocking1.7+
I'm not gonna make RC2 with a fix, but this must be fixed by 1.7 final.

/be
Attached patch simple fix
Too easy -- I had to add the empty alternative code previously, but didn't get
the test quite right.

/be
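As an added illustration (constructed for this page; it is not SpiderMonkey's jsregexp.c and not the attached patch), a minimal model of the operand-stack handling behind the Purify ABR above and the empty-alternative test mentioned in the fix comment. The grammar is reduced to atoms and '|'; `handleEmpty`, `parseAlternation` and the node constants are hypothetical names chosen here, and the guard in `processAlt` rejects a one-operand ALT instead of reading one slot before the array.

```c
/* Constructed model of the operand-stack handling behind the ABR above; not
 * SpiderMonkey's jsregexp.c or the attached patch. Grammar: atoms (any char but
 * '|') and '|'. Atoms push one operand; each '|' later pops two to build an ALT. */
enum { MAX_OPERANDS = 64, NODE_EMPTY = 0, NODE_ATOM = 1, NODE_ALT = 2 };

typedef struct {
    int operandStack[MAX_OPERANDS];
    int operandSP;
} State;

static int push(State *st, int node) {
    if (st->operandSP >= MAX_OPERANDS) return 0;   /* overflow: reject pattern */
    st->operandStack[st->operandSP++] = node;
    return 1;
}

/* Pop kid and kid2, push ALT. This is the operandStack[operandSP - 2] access in
 * the Purify trace: with a single operand the unguarded read lands four bytes
 * before the malloc'd block, exactly the ABR reported. */
static int processAlt(State *st) {
    if (st->operandSP < 2) return 0;               /* underflow: reject pattern */
    st->operandSP -= 2;
    return push(st, NODE_ALT);
}

/* Returns the final operand count (1 for a well-formed pattern) or -1 if an ALT
 * would underflow. handleEmpty selects whether an empty alternative ("a|", "|a",
 * "a||b", "") pushes NODE_EMPTY so that every ALT has two kids. */
int parseAlternation(const char *pattern, int handleEmpty) {
    State st = { {0}, 0 };
    int altCount = 0;
    int lastWasBar = 1;                            /* pattern start acts like a bar */
    for (const char *cp = pattern; *cp; cp++) {
        if (*cp == '|') {
            if (lastWasBar && handleEmpty && !push(&st, NODE_EMPTY)) return -1;
            altCount++;
            lastWasBar = 1;
        } else {
            if (!push(&st, NODE_ATOM)) return -1;
            lastWasBar = 0;
        }
    }
    /* Trailing '|' at end of input (the reporter's case): supply the missing
     * right operand before the ALTs are built. */
    if (lastWasBar && handleEmpty && !push(&st, NODE_EMPTY)) return -1;
    while (altCount-- > 0)
        if (!processAlt(&st)) return -1;
    return st.operandSP;
}
```

With `handleEmpty` off, a pattern ending in '|' leaves a single operand and the ALT is rejected by the guard; with it on, the placeholder operand makes the same pattern parse to one node.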
Comment on attachment 148476 [details] [diff] [review]
simple fix

Going for fast RC2 review and approval (tonight -- got a reprieve due to RC2
not being today's builds, for other reasons).

/be
Attachment #148476 - Flags: superreview?(shaver)
Attachment #148476 - Flags: review?(igor)
Attachment #148476 - Flags: approval1.7?
Not going to miss RC2, this one-char fix (I beefed up the comment, so one char
for the code change) is in the trunk and branch now.  I optimistically asserted
r/sr=igor/shaver, and Asa said "go for it" in person.

/be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Keywords: fixed1.7
Resolution: --- → FIXED
Comment on attachment 148476 [details] [diff] [review]
simple fix

a=asa (on behalf of drivers) for checkin to 1.7
Attachment #148476 - Flags: approval1.7? → approval1.7+
Comment on attachment 148476 [details] [diff] [review]
simple fix

sr=shaver
Attachment #148476 - Flags: superreview?(shaver) → superreview+
http://gemal.dk/test/crash.html no longer crashes for me using build
2004-07-25-09, Windows XP.

Verified FIXED (and since nobody else on Linux/Mac has reopened, assuming fixed
state on those plats, too)
Status: RESOLVED → VERIFIED
Henrik, with your permission this will be included in the javascript test
library.
bc: sure. include it
js1_5/Regress/regress-243389-n.js checked in.
Flags: testcase+
Attachment #148476 - Flags: review?(igor)
Crash Signature: [@ProcessOp]