Closed
Bug 256501
Opened 21 years ago
Closed 21 years ago
Still unchecked recursion in parser
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla1.8alpha4
People
(Reporter: igor, Assigned: brendan)
References
Details
(Keywords: fixed-aviary1.0, fixed1.7.5, js1.5)
Attachments
(2 files)
|
723 bytes,
patch
|
brendan
:
review+
asa
:
approval-aviary+
asa
:
approval1.7.5+
|
Details | Diff | Splinter Review |
|
2.46 KB,
text/plain
|
Details |
Statement function from jsparse.c misses a case of uncontrollable recursion. It
does not protect with CHECK_RECURSION() macro the recursion while parsing
do-while loop and simply calls self after consuming the do token.
The following test case demonstrate the problem in js shell:
var N = 100*1000;
var buffer = new Array(N * 2 + 1);
for (var i = 0; i != N; ++i) {
buffer[i] = 'do ';
buffer[buffer.length - i - 1] = ' while(0);'
}
buffer[N] = 'print("TEST");'
// text is do do ... do print("TEST"); while(0); while(0); ... while(0);
var text = buffer.join('');
eval(text)
The test cause N recursive call to Statement during do-parsing and if N is
100*1000 and I limit the stack size explicitly with shell invocation to 10K then
I expect that it should detect to deep recursion. Instead with native stack
limited to 1MB it segfaults:
~> ulimit -s 1024
~> js -S 10000 x.js
Segmentation fault
|
Reporter | |
Comment 1•21 years ago
|
||
Strictly speaking it is necessary to add the check only to "case TOK_DO" since
the rest of recursive calls to Statement comes after calling Condition etc.
that in turn call Expr which contain the missed check.
But I prefer to be sure since I managed to miss this case during initial
CHECK_RECURSION work.
|
|
Reporter | |
Comment 2•21 years ago
|
||
With the patch applied I got:
~> js -S 10000 x.js
/home/igor/s/x.js:15: InternalError: too much recursion:
/home/igor/s/x.js:15: do do do do do do do do do do do do do do do do do do do
do do do do do do do do do do do do do do do do do do do do do do do do do do do
do do do do do do do do do do do do do do do do do do do do do do do do do do do
do do do do do do do do do do do do
/home/igor/s/x.js:15:
........................................................................^
|
|
Reporter | |
Updated•21 years ago
|
Attachment #156729 -
Flags: review?(brendan)
|
Assignee | |
Updated•21 years ago
|
|
|
Assignee | |
Comment 3•21 years ago
|
||
Comment on attachment 156729 [details] [diff] [review]
Fix: added CHECK_RECURSION
Sure, can't hurt perf much.
/be
Attachment #156729 -
Flags: review?(brendan)
Attachment #156729 -
Flags: review+
Attachment #156729 -
Flags: approval1.7.x?
Attachment #156729 -
Flags: approval-aviary?
|
|
Assignee | |
Updated•21 years ago
|
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.8alpha4
|
||
Comment 4•21 years ago
|
||
Comment on attachment 156729 [details] [diff] [review]
Fix: added CHECK_RECURSION
a=asa for branch checkin.
Attachment #156729 -
Flags: approval1.7.x?
Attachment #156729 -
Flags: approval1.7.x+
Attachment #156729 -
Flags: approval-aviary?
Attachment #156729 -
Flags: approval-aviary+
|
|
Assignee | |
Comment 5•21 years ago
|
||
Fixed everywhere.
/be
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Keywords: fixed-aviary1.0,
fixed1.7
Resolution: --- → FIXED
|
||
Updated•21 years ago
|
Keywords: fixed1.7 → fixed1.7.x
|
||
Comment 6•20 years ago
|
||
Igor, with your permission this will be included in the javascript test
library.
|
|
||
Comment 7•20 years ago
|
||
js1_5/Regress/regress-256501.js checked in.
|
|
||
Updated•20 years ago
|
Flags: testcase+
|
|
||
Comment 8•20 years ago
|
||
note to self: 1.8/1.8.0.1 dbg linux assert vp + 1 < end
|
|
||
Comment 9•20 years ago
|
||
I am getting abnormal exits in mac os 10.4.4 shell opt builds for 1.8.0.1, 1.8, 1.9a1, but not in dbg builds nor on windows/linux for opt/dbg.
You need to log in
before you can comment on or make changes to this bug.
Description
•