Closed Bug 1602209 Opened 3 years ago Closed 2 years ago

firefox 71 spidermonkey segment fault

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Version:
71 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla73
Tracking Flags:
Tracking Status
firefox73 --- fixed

People

(Reporter: slei.casper, Assigned: jandem)

Details

Attachments

(2 files)

ff71crash
20 bytes, application/octet-steam
Details
Bug 1602209 - Don't assume interactive mode in the JS shell when no file paths are specified. r?jorendorff!
47 bytes, text/x-phabricator-request
Details | Review
Attached file ff71crash

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36

Steps to reproduce:

compile spidermonkey in js/src:

mkdir release
../configure
make

run with poc:

./dist/bin/js < /tmp/ff71crash

Actual results:

segmentation fault

(In reply to slei.casper from comment #0)

Created attachment 9114353 [details]
ff71crash

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36

Steps to reproduce:

compile spidermonkey in js/src:

mkdir release && cd release
../configure
make

run with poc:

./dist/bin/js < /tmp/ff71crash

Actual results:

segmentation fault
Attachment #9114353 - Attachment mime type: application/octet-stream → text/plain
Attachment #9114353 - Attachment mime type: text/plain → application/octet-steam
Group: firefox-core-security → javascript-core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core

Thanks for the bug report.

The file has a ^R control character. The JS shell uses editline where this is treated as a search command.

You probably want to use js -f file.js or js file.js instead.

Group: javascript-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID

Thinking about it more, maybe we should fix our terminal detection code here (we call that with forceTTY true I think but that seems wrong):

https://searchfox.org/mozilla-central/rev/d24696b5abaf9fb75f7985952eab50d5f4ed52ac/js/src/shell/js.cpp#1508

Status: RESOLVED → REOPENED
Ever confirmed: true
Priority: -- → P3
Resolution: INVALID → ---
Assignee: nobody → jdemooij
Status: REOPENED → ASSIGNED

This fixes the following case to just execute the script instead of using
the interactive shell:

  dist/bin/js < file.js

The -i flag can be used to force interactive mode in this case.

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7190108fee04
Don't assume interactive mode in the JS shell when no file paths are specified. r=jorendorff

https://hg.mozilla.org/mozilla-central/rev/7190108fee04

Status: ASSIGNED → RESOLVED
Closed: 3 years ago2 years ago
status-firefox73: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla73
You need to log in before you can comment on or make changes to this bug.