Bug 1261817
Opened 10 years ago
Closed 10 years ago
Crash [@ js::frontend::Parser<js::frontend::FullParseHandler>::strictMode]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 1161312
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
The following testcase crashes on mozilla-central revision cfd51e67b26e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):
lfLogBuffer = `
function loadFile(lfVarx)
evaluate(lfVarx, new Error);
GetRawTimezoneOffset()
function GetRawTimezoneOffset() {
var t1 = new Date(000);
}
`
lfCodeBuffer = ""
while (true) {
line = lfLogBuffer;
loadFile(lfCodeBuffer);
lfCodeBuffer = line;
}
function loadFile(lfVarx)
evaluate(lfVarx);
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
js::frontend::Parser<js::frontend::FullParseHandler>::strictMode (this=0x7fffffffb630) at js/src/frontend/Parser.h:711
#0 js::frontend::Parser<js::frontend::FullParseHandler>::strictMode (this=0x7fffffffb630) at js/src/frontend/Parser.h:711
#1 0x0000000000c3c375 in strictMode (this=0x7fffffffb660) at js/src/frontend/TokenStream.h:436
#2 js::frontend::TokenStream::reportStrictModeError (this=this@entry=0x7fffffffb660, errorNumber=errorNumber@entry=175) at js/src/frontend/TokenStream.cpp:717
#3 0x0000000000c3ded3 in js::frontend::TokenStream::getTokenInternal (this=this@entry=0x7fffffffb660, ttp=ttp@entry=0x7fffffffad50, modifier=modifier@entry=js::frontend::Token::None) at js/src/frontend/TokenStream.cpp:1363
#4 0x00000000004dfe60 in peekTokenPos (modifier=js::frontend::Token::None, posp=0x7ffff698b024, this=0x7fffffffb660) at js/src/frontend/TokenStream.h:578
#5 js::frontend::Parser<js::frontend::FullParseHandler>::standaloneLazyFunction (this=this@entry=0x7fffffffb630, fun=..., fun@entry=..., strict=false, generatorKind=js::NotGenerator) at js/src/frontend/Parser.cpp:3070
#6 0x0000000000c19cdb in js::frontend::CompileLazyFunction (cx=cx@entry=0x7ffff6908800, lazy=lazy@entry=..., chars=<optimized out>, length=41) at js/src/frontend/BytecodeCompiler.cpp:821
#7 0x0000000000918824 in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x7ffff6908800, fun=fun@entry=...) at js/src/jsfun.cpp:1425
#8 0x00000000004a16a1 in JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/jsfun.h:413
#9 0x00000000009185b1 in functionDelazifying (cx=0x7ffff6908800, this=<optimized out>) at js/src/jsscriptinlines.h:91
#10 JSFunction::createScriptForLazilyInterpretedFunction (cx=0x7ffff6908800, fun=fun@entry=...) at js/src/jsfun.cpp:1376
#11 0x00000000004a16a1 in JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/jsfun.h:413
#12 0x0000000000a8b0fb in Interpret (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:2819
#13 0x0000000000a981c8 in js::RunScript (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:426
#14 0x0000000000a9af39 in js::ExecuteKernel (cx=cx@entry=0x7ffff6908800, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7ffff3183110) at js/src/vm/Interpreter.cpp:682
#15 0x0000000000a9b218 in js::Execute (cx=cx@entry=0x7ffff6908800, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x7ffff3183110) at js/src/vm/Interpreter.cpp:715
#16 0x00000000008d1f58 in ExecuteScript (cx=cx@entry=0x7ffff6908800, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x7ffff3183110) at js/src/jsapi.cpp:4372
#17 0x00000000008d5b19 in JS_ExecuteScript (cx=cx@entry=0x7ffff6908800, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4398
#18 0x0000000000495101 in Evaluate (cx=0x7ffff6908800, argc=<optimized out>, vp=0x7ffff3183110) at js/src/shell/js.cpp:1514
#19 0x0000000000a9bee2 in js::CallJSNative (cx=0x7ffff6908800, native=0x494850 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#31 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7443
rax 0x0 0
rbx 0x7fffffffb660 140737488336480
rcx 0x7fffffffb8c8 140737488337096
rdx 0x0 0
rsi 0xaf 175
rdi 0x7fffffffb630 140737488336432
rbp 0x7fffffffaaa0 140737488333472
rsp 0x7fffffffaaa0 140737488333472
r8 0x1d 29
r9 0x7fffffffb630 140737488336432
r10 0x7ffff6909400 140737330058240
r11 0x1b 27
r12 0xaf 175
r13 0x7fffffffb660 140737488336480
r14 0x7ffff317dd02 140737271815426
r15 0x7ffff317dd52 140737271815506
rip 0x4e03eb <js::frontend::Parser<js::frontend::FullParseHandler>::strictMode()+11>
=> 0x4e03eb <js::frontend::Parser<js::frontend::FullParseHandler>::strictMode()+11>: mov 0x8(%rax),%rdx
0x4e03ef <js::frontend::Parser<js::frontend::FullParseHandler>::strictMode()+15>: mov $0x1,%eax
Please note that this testcase is whitespace sensitive. Removing spaces in line 3 causes parts of line 4 to show up in the error message instead of crashing. Marking s-s because this sounds like some buffers aren't right and we could potentially go out of bounds. Remove s-s when it's confirmed that this will always be a null-deref.
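A small triage check, added here and not part of the bug report or the SpiderMonkey project, that parses the gdb register dump and faulting instruction above and computes the effective address of the faulting access, which is how one would confirm the plain null-deref the reporter asks about. The regexes, the first-page threshold and the counter-example dump are assumptions; it only understands AT&T base/index/displacement operands.

```python
import re

# Register dump and faulting instruction copied from the gdb output in this bug report.
GDB_OUTPUT = """\
rax 0x0 0
rbx 0x7fffffffb660 140737488336480
rdx 0x0 0
rdi 0x7fffffffb630 140737488336432
rip 0x4e03eb <js::frontend::Parser<js::frontend::FullParseHandler>::strictMode()+11>
=> 0x4e03eb <js::frontend::Parser<js::frontend::FullParseHandler>::strictMode()+11>: mov 0x8(%rax),%rdx
"""

# Constructed counter-example (not from the bug): same instruction, but the base
# register holds a heap-looking pointer, so the fault is not a null-page access.
CONSTRUCTED_OUTPUT = GDB_OUTPUT.replace("rax 0x0 0", "rax 0x7ffff6909400 140737330058240")

NULL_PAGE_LIMIT = 0x1000  # assumption: any address inside the first page counts as a null deref

REG_RE = re.compile(r"^(r[a-z0-9]+)\s+(0x[0-9a-f]+)\b", re.M)
FAULT_RE = re.compile(r"^=>\s+0x[0-9a-f]+\s+<.*>:\s+(\w+)\s+(\S.*)$", re.M)
# AT&T memory operand: [disp](%base[,%index[,scale]])
MEM_RE = re.compile(r"(-?0x[0-9a-f]+|-?\d+)?\((%\w+)(?:,(%\w+)(?:,(\d))?)?\)")


def parse_registers(text):
    """Map register name -> value from 'name 0xhex decimal' lines."""
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(text)}


def faulting_effective_address(text):
    """Address touched by the '=>' instruction, or None if it has no memory operand."""
    regs = parse_registers(text)
    m = FAULT_RE.search(text)
    if m is None:
        return None
    mem = MEM_RE.search(m.group(2))
    if mem is None:
        return None
    disp = int(mem.group(1), 0) if mem.group(1) else 0
    base = regs[mem.group(2).lstrip("%")]
    index = regs[mem.group(3).lstrip("%")] if mem.group(3) else 0
    scale = int(mem.group(4)) if mem.group(4) else 1
    return (base + disp + index * scale) & 0xFFFFFFFFFFFFFFFF


def classify_crash(text):
    """'null-deref' only when the faulting access lands in the unmapped first page."""
    ea = faulting_effective_address(text)
    if ea is None:
        return "no-memory-operand"
    return "null-deref" if ea < NULL_PAGE_LIMIT else "needs-triage"


if __name__ == "__main__":
    print(hex(faulting_effective_address(GDB_OUTPUT)), classify_crash(GDB_OUTPUT))
    print(hex(faulting_effective_address(CONSTRUCTED_OUTPUT)), classify_crash(CONSTRUCTED_OUTPUT))
```

For the dump in this bug the access resolves to address 0x8 (rax is 0, displacement 8), so the check reports a null-page read; a displacement or index large enough to leave the first page would instead come back as needs-triage, which is the case the s-s flag is guarding against.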
Updated•10 years ago
Flags: needinfo?(winter2718)
Flags: needinfo?(jorendorff)
Comment 1•10 years ago
This could be related to https://bugzilla.mozilla.org/show_bug.cgi?id=1205298, investigating.
Flags: needinfo?(winter2718)
Comment 2•10 years ago
evaluate(lfVarx, new Error) --> bug 1161312. :-\
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Updated•10 years ago
Flags: needinfo?(jorendorff)
Updated•10 years ago
status-firefox48: affected → ---
Updated•7 years ago
Group: javascript-core-security