Closed Bug 353214 Opened 18 years ago Closed 18 years ago

Crash involving uneval and "function ([x]) { }"

Categories

(Core :: JavaScript Engine, defect)

PowerPC
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: brendan)

References

Details

(Keywords: crash, testcase, verified1.8.1.1, Whiteboard: [sg:critical])

Attachments

(3 files, 2 obsolete files)

count=8434; tryItOut("(function ([x]) { })(); eval('return 3;')");
Scary crash

js> uneval(function() { (function ([x]) { })(); eval('return 3;') })
Null deref crash

I don't know why it's a scary crash when it's part of the fuzzer but a null deref outside of the fuzzer.

Here's the mac crash reporter info for the scarier crash:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x79393d1c

Thread 0 Crashed:
0   libSystem.B.dylib 	0x900030e8 strlen + 8
1   js                	0x00047b20 SprintCString + 32 (crt.c:355)
2   js                	0x000488f0 Decompile + 892 (crt.c:355)
3   js                	0x0004e15c js_DecompileCode + 448 (crt.c:355)
4   js                	0x0004ecc0 js_DecompileFunction + 760 (crt.c:355)
5   js                	0x0000c89c JS_DecompileFunction + 116 (crt.c:355)
6   js                	0x00011b10 js_fun_toString + 368 (crt.c:355)
7   js                	0x0004ca18 Decompile + 17572 (crt.c:355)
8   js                	0x0004e15c js_DecompileCode + 448 (crt.c:355)
9   js                	0x0004ecc0 js_DecompileFunction + 760 (crt.c:355)
10  js                	0x0000c89c JS_DecompileFunction + 116 (crt.c:355)
11  js                	0x00011b10 js_fun_toString + 368 (crt.c:355)
12  js                	0x000338b4 js_Invoke + 1548 (crt.c:355)
13  js                	0x00033d10 js_InternalInvoke + 204 (crt.c:355)
14  js                	0x0001e1e0 js_TryMethod + 284 (crt.c:355)
15  js                	0x00050260 js_ValueToSource + 180 (crt.c:355)
16  js                	0x000502a8 str_uneval + 28 (crt.c:355)
17  js                	0x000338b4 js_Invoke + 1548 (crt.c:355)
18  js                	0x0002da98 js_Interpret + 30808 (crt.c:355)
19  js                	0x000331d4 js_Execute + 484 (crt.c:355)
20  js                	0x00008b68 JS_ExecuteScript + 36 (crt.c:355)
21  js                	0x0000298c Process + 380 (crt.c:355)
22  js                	0x00005c4c main + 2032 (crt.c:355)
23  js                	0x00002068 _start + 340 (crt.c:272)
24  js                	0x00001f10 start + 60
Guessing this is the same bug.

count=10373; tryItOut("switch(({ get x() { export *; }, set x(/* destructuring:a2 */[/* destructuring:a1 */[y], /* destructuring:a1 */[x] ]) { let x;} })) { case eval(\"[[1]]\", function(id) { return id }): L:for(let x in (((eval).call)(eval(\"yield <x><y/></x>;\",  \"\" ))))var x; case (uneval(this)): import x.*; }");

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x0076045c

Thread 0 Crashed:
0   js 	0x0006d5a4 js_PushBlockScope + 124 (crt.c:355)
1   js 	0x00071750 js_EmitTree + 15808 (crt.c:355)
2   js 	0x00073e14 js_EmitFunctionBody + 168 (crt.c:355)
3   js 	0x0006dcdc js_EmitTree + 844 (crt.c:355)
4   js 	0x00071cc0 js_EmitTree + 17200 (crt.c:355)
5   js 	0x00071df4 js_EmitTree + 17508 (crt.c:355)
6   js 	0x0006e240 js_EmitTree + 2224 (crt.c:355)
7   js 	0x000703d0 js_EmitTree + 10816 (crt.c:355)
8   js 	0x0005ab2c FunctionBody + 360 (crt.c:355)
9   js 	0x0005f2f4 js_CompileFunctionBody + 260 (crt.c:355)
10  js 	0x000132dc Function + 1448 (crt.c:355)
11  js 	0x000338b4 js_Invoke + 1548 (crt.c:355)
12  js 	0x00033bb4 js_InvokeConstructor + 356 (crt.c:355)
13  js 	0x0002b1d0 js_Interpret + 20368 (crt.c:355)
14  js 	0x000331d4 js_Execute + 484 (crt.c:355)
15  js 	0x00008b68 JS_ExecuteScript + 36 (crt.c:355)
16  js 	0x0000298c Process + 380 (crt.c:355)
17  js 	0x00005c4c main + 2032 (crt.c:355)
18  js 	0x00002068 _start + 340 (crt.c:272)
19  js 	0x00001f10 start + 60

All 3 of those no longer crash with desdec.patch-v3.  But the third produces an assertion failure.  Here's a reduced testcase for the assertion failure:

js> function ([x]) { let x; }
Assertion failure: body->pn_arity == PN_LIST, at jsparse.c:1323
All good with "destructuring decompilation, v5d" in bug 346642.
Depends on: desdec
Assignee: general → brendan
Whiteboard: [sg:critical]
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
verified fixed 1.9 20061002 windows/linux, not a problem in 1.8.
Status: RESOLVED → VERIFIED
Attachment #240887 - Attachment is obsolete: true
Attachment #240888 - Attachment is obsolete: true
fixed by Bug 346642
verified fixed 20061203 windows/linux/mac*
Keywords: verified1.8.1.1
Group: security
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-353214.js,v  <--  regress-353214.js

/cvsroot/mozilla/js/tests/js1_7/extensions/regress-353214-01.js,v  <--  regress-353214-01.js

/cvsroot/mozilla/js/tests/js1_7/extensions/regress-353214-02.js,v  <--  regress-353214-02.js

moved to extensions/ due to decompilation
tweak decompilation
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-353214.js,v  <--  regress-353214.js
new revision: 1.3; previous revision: 1.2