Closed
Bug 1261817
Opened 8 years ago
Closed 8 years ago
Crash [@ js::frontend::Parser<js::frontend::FullParseHandler>::strictMode]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1161312
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
The following testcase crashes on mozilla-central revision cfd51e67b26e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

lfLogBuffer = `
function loadFile(lfVarx) evaluate(lfVarx, new Error);
GetRawTimezoneOffset()
function GetRawTimezoneOffset() {
var t1 = new Date(000);
}
`
lfCodeBuffer = ""
while (true) {
line = lfLogBuffer;
loadFile(lfCodeBuffer);
lfCodeBuffer = line;
}
function loadFile(lfVarx) evaluate(lfVarx);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::frontend::Parser<js::frontend::FullParseHandler>::strictMode (this=0x7fffffffb630) at js/src/frontend/Parser.h:711
#0  js::frontend::Parser<js::frontend::FullParseHandler>::strictMode (this=0x7fffffffb630) at js/src/frontend/Parser.h:711
#1  0x0000000000c3c375 in strictMode (this=0x7fffffffb660) at js/src/frontend/TokenStream.h:436
#2  js::frontend::TokenStream::reportStrictModeError (this=this@entry=0x7fffffffb660, errorNumber=errorNumber@entry=175) at js/src/frontend/TokenStream.cpp:717
#3  0x0000000000c3ded3 in js::frontend::TokenStream::getTokenInternal (this=this@entry=0x7fffffffb660, ttp=ttp@entry=0x7fffffffad50, modifier=modifier@entry=js::frontend::Token::None) at js/src/frontend/TokenStream.cpp:1363
#4  0x00000000004dfe60 in peekTokenPos (modifier=js::frontend::Token::None, posp=0x7ffff698b024, this=0x7fffffffb660) at js/src/frontend/TokenStream.h:578
#5  js::frontend::Parser<js::frontend::FullParseHandler>::standaloneLazyFunction (this=this@entry=0x7fffffffb630, fun=..., fun@entry=..., strict=false, generatorKind=js::NotGenerator) at js/src/frontend/Parser.cpp:3070
#6  0x0000000000c19cdb in js::frontend::CompileLazyFunction (cx=cx@entry=0x7ffff6908800, lazy=lazy@entry=..., chars=<optimized out>, length=41) at js/src/frontend/BytecodeCompiler.cpp:821
#7  0x0000000000918824 in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x7ffff6908800, fun=fun@entry=...) at js/src/jsfun.cpp:1425
#8  0x00000000004a16a1 in JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/jsfun.h:413
#9  0x00000000009185b1 in functionDelazifying (cx=0x7ffff6908800, this=<optimized out>) at js/src/jsscriptinlines.h:91
#10 JSFunction::createScriptForLazilyInterpretedFunction (cx=0x7ffff6908800, fun=fun@entry=...) at js/src/jsfun.cpp:1376
#11 0x00000000004a16a1 in JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/jsfun.h:413
#12 0x0000000000a8b0fb in Interpret (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:2819
#13 0x0000000000a981c8 in js::RunScript (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:426
#14 0x0000000000a9af39 in js::ExecuteKernel (cx=cx@entry=0x7ffff6908800, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7ffff3183110) at js/src/vm/Interpreter.cpp:682
#15 0x0000000000a9b218 in js::Execute (cx=cx@entry=0x7ffff6908800, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x7ffff3183110) at js/src/vm/Interpreter.cpp:715
#16 0x00000000008d1f58 in ExecuteScript (cx=cx@entry=0x7ffff6908800, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x7ffff3183110) at js/src/jsapi.cpp:4372
#17 0x00000000008d5b19 in JS_ExecuteScript (cx=cx@entry=0x7ffff6908800, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4398
#18 0x0000000000495101 in Evaluate (cx=0x7ffff6908800, argc=<optimized out>, vp=0x7ffff3183110) at js/src/shell/js.cpp:1514
#19 0x0000000000a9bee2 in js::CallJSNative (cx=0x7ffff6908800, native=0x494850 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#31 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7443

rax            0x0                 0
rbx            0x7fffffffb660      140737488336480
rcx            0x7fffffffb8c8      140737488337096
rdx            0x0                 0
rsi            0xaf                175
rdi            0x7fffffffb630      140737488336432
rbp            0x7fffffffaaa0      140737488333472
rsp            0x7fffffffaaa0      140737488333472
r8             0x1d                29
r9             0x7fffffffb630      140737488336432
r10            0x7ffff6909400      140737330058240
r11            0x1b                27
r12            0xaf                175
r13            0x7fffffffb660      140737488336480
r14            0x7ffff317dd02      140737271815426
r15            0x7ffff317dd52      140737271815506
rip            0x4e03eb            <js::frontend::Parser<js::frontend::FullParseHandler>::strictMode()+11>
=> 0x4e03eb <js::frontend::Parser<js::frontend::FullParseHandler>::strictMode()+11>:   mov    0x8(%rax),%rdx
   0x4e03ef <js::frontend::Parser<js::frontend::FullParseHandler>::strictMode()+15>:   mov    $0x1,%eax

Please note that this testcase is whitespace sensitive. Removing spaces in line 3 causes parts of line 4 to show up in the error message instead of crashing. Marking s-s because this sounds like some buffers aren't right and we could potentially go out of bounds. Remove s-s when it's confirmed that this will always be a null-deref.
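Added triage example, not part of the report: the reporter asks for confirmation that the fault is a null-deref before the s-s flag is dropped. The check below reads a GDB register dump and the faulting instruction shown at `=>`, computes the effective address of the memory operand, and reports whether it falls in the unmapped zero page. The register lines are constructed from the values in the dump above; the page-size threshold is an assumption.

```python
import re

# Constructed from the register dump in the report: only the registers the
# faulting instruction touches are needed, but the parser accepts the full dump.
SAMPLE_REGS = """rax            0x0                 0
rbx            0x7fffffffb660      140737488336480
rdx            0x0                 0
rip            0x4e03eb            <js::frontend::Parser<...>::strictMode()+11>"""
SAMPLE_FAULT_INSN = "=> 0x4e03eb <js::frontend::Parser<...>::strictMode()+11>:   mov    0x8(%rax),%rdx"

NULL_PAGE_LIMIT = 0x1000  # assumption: the first page is never mapped (Linux default)
MASK64 = (1 << 64) - 1


def parse_regs(dump):
    """Map 'rax 0x0 0'-style GDB lines to {name: int}. Non-register lines are skipped."""
    regs = {}
    for line in dump.splitlines():
        m = re.match(r"(\w+)\s+(0x[0-9a-fA-F]+)", line.strip())
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def memory_operand(insn):
    """Return (disp, base, index, scale) of an AT&T memory operand such as
    0x8(%rax) or -0x10(%rbx,%rcx,8); None if the instruction has none."""
    m = re.search(r"(-?0x[0-9a-fA-F]+|-?\d+)?\(%(\w+)(?:,%(\w+)(?:,(\d+))?)?\)", insn)
    if not m:
        return None
    disp = int(m.group(1), 0) if m.group(1) else 0
    return disp, m.group(2), m.group(3), int(m.group(4) or 1)


def classify_fault(regs, insn, limit=NULL_PAGE_LIMIT):
    """Return (verdict, effective_address). 'null-deref' means the access lands
    inside the zero page, so the crash is a plain NULL dereference; anything
    else is reported as 'wild-access' and deserves the s-s flag until analysed."""
    op = memory_operand(insn)
    if op is None:
        return "no-memory-operand", None
    disp, base, index, scale = op
    if base not in regs or (index and index not in regs):
        return "unknown-register", None
    addr = regs[base] + disp + (regs[index] * scale if index else 0)
    addr &= MASK64
    return ("null-deref" if addr < limit else "wild-access"), addr


if __name__ == "__main__":
    print(classify_fault(parse_regs(SAMPLE_REGS), SAMPLE_FAULT_INSN))
```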
Updated•8 years ago
Flags: needinfo?(winter2718)
Flags: needinfo?(jorendorff)
Comment 1•8 years ago
This could be related to https://bugzilla.mozilla.org/show_bug.cgi?id=1205298, investigating.
Flags: needinfo?(winter2718)
Comment 2•8 years ago
evaluate(lfVarx, new Error) --> bug 1161312. :-\
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Flags: needinfo?(jorendorff)
Updated•8 years ago
status-firefox48: affected → ---
Updated•6 years ago
Group: javascript-core-security