Bug 352094 (Closed)
Opened 18 years ago, closed 18 years ago
Invalid setter usage, twice, makes js engine access memory at 0xdadadada
Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, target milestone mozilla1.9alpha1
People: Reporter: jruderman, Assigned: mrbkap
Details: Keywords: crash, testcase, verified1.8.1; Whiteboard: [sg:critical?] js1.7
Attachments (2 files)
patch, 960 bytes: brendan: review+; beltzner: approval1.8.1+
text/plain, 2.55 KB
js> (function(){ this.p setter = 0 })()
typein:1: SyntaxError: invalid setter usage
js> (function(){ this.p setter = 0 })()

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xdadadada
0x000559b8 in js_PCToLineNumber (cx=0x500180, script=0x5039c0, pc=0xdadadada <Address 0xdadadada out of bounds>) at jsscript.c:1430
1430        if (*pc == JSOP_DEFFUN) {
(gdb) bt
#0  0x000559b8 in js_PCToLineNumber (cx=0x500180, script=0x5039c0, pc=0xdadadada <Address 0xdadadada out of bounds>) at jsscript.c:1430
#1  0x000e7164 in js_ReportErrorNumberVA (cx=0x500180, flags=0, callback=0xe74b8 <js_GetErrorMessage>, userRef=0x0, errorNumber=151, charArgs=1, ap=0xbfffdb48 "") at jscntxt.c:1113
#2  0x00021ee0 in JS_ReportErrorNumber (cx=0x500180, errorCallback=0xe74b8 <js_GetErrorMessage>, userRef=0x0, errorNumber=151) at jsapi.c:4713
#3  0x000a88a4 in js_Interpret (cx=0x500180, pc=0x5039f3 "6", result=0xbfffe6f0) at jsinterp.c:5298
#4  0x0008f468 in js_Execute (cx=0x500180, chain=0x1804ec0, script=0x503a00, down=0x0, flags=0, result=0xbfffe820) at jsinterp.c:1621
#5  0x00020a00 in JS_ExecuteScript (cx=0x500180, obj=0x1804ec0, script=0x503a00, rval=0xbfffe820) at jsapi.c:4256
#6  0x0000256c in Process (cx=0x500180, obj=0x1804ec0, filename=0x0, forceTTY=0) at js.c:265
#7  0x00003134 in ProcessArgs (cx=0x500180, obj=0x1804ec0, argv=0xbffff9fc, argc=0) at js.c:486
#8  0x000094c4 in main (argc=0, argv=0xbffff9fc, envp=0xbffffa00) at js.c:3086
Updated (Reporter)•18 years ago
Whiteboard: [sg:critical?]
Comment 1 (Assignee)•18 years ago
We need to home fp->pc so we can get a valid line number out of cx->fp.
Updated (Assignee)•18 years ago
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Comment 2•18 years ago
Comment on attachment 237697 [details] [diff] [review] Fix
Great -- no brainer (and required IMO) for 1.8, so target/nominate appropriately. /be
Attachment #237697 -
Flags: review?(brendan)
Attachment #237697 -
Flags: review+
Attachment #237697 -
Flags: approval1.8.1?
Comment 3•18 years ago
Comment on attachment 237697 [details] [diff] [review] Fix
a=beltzner on behalf of 181drivers
Attachment #237697 -
Flags: approval1.8.1? → approval1.8.1+
Comment 4 (Assignee)•18 years ago
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 6•18 years ago
Updated•18 years ago
Flags: in-testsuite+
Comment 7•18 years ago
verified fixed 1.8 20060914 windows/linux 1.9 20060914 windows/mac*/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
Comment 8•18 years ago
needed for 1.8.0? I can't reproduce the crash in 1.5.0.7 (or a debug xpcshell), but then I can't in FF2 (pre fix) either so I'm not sure I'm doing it right. The code looks similar, but the SAVE_SP_AND_PC macro was added as part of the js1.7 landing.
Flags: blocking1.8.0.8?
Comment 9•18 years ago
The patch is not needed on older branches, which lack JS_THREADED_INTERP and so keep fp->pc up to date at the top of the interpreter loop. /be
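Comment 1 and comment 9 together describe the defect: the threaded interpreter keeps the program counter in a local and had not written it back to fp->pc before the error reporter called js_PCToLineNumber, which then read a stale value. The following is an added example, not SpiderMonkey code: a toy bytecode loop with hypothetical names (Script, Frame, run, pc_to_line, OP_*) that reproduces the stale-pc pattern, shows the fix of homing the local pc first, and adds the bounds check on fp->pc that would have turned the crash into a reported error; the 0xdadadada stand-in is constructed.

```c
/* Added example, not SpiderMonkey code: a toy bytecode loop that keeps the
 * program counter in a local (as a threaded interpreter does) and shows why
 * that local must be "homed" into the frame before an error path reads
 * fp->pc. All names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>

enum { OP_NOP = 0, OP_LINE = 1, OP_BAD = 2 };  /* OP_LINE n: next byte is a line */

typedef struct { const uint8_t *code; size_t len; } Script;
typedef struct { const Script *script; const uint8_t *pc; } Frame;

/* Constructed stand-in for a stale pc left in the frame by an earlier run. */
#define STALE_PC ((const uint8_t *)(uintptr_t)0xdadadada)

/* Counterpart of js_PCToLineNumber, but bounds-checked: returns the line of
 * the last OP_LINE at or before fp->pc, or -1 if fp->pc is not inside the
 * script's bytecode (the check the crash in this bug would have needed). */
static int pc_to_line(const Frame *fp) {
    const Script *s = fp->script;
    uintptr_t lo = (uintptr_t)s->code, p = (uintptr_t)fp->pc;
    if (p < lo || p >= lo + s->len) return -1;
    int line = 0;
    for (const uint8_t *q = s->code; q < fp->pc; ) {
        if (*q == OP_LINE) { line = q[1]; q += 2; } else { q++; }
    }
    return line;
}

/* Runs the script. On OP_BAD the "error reporter" asks the frame for the
 * line. With home_pc == 0 the cached pc is never written back (the bug);
 * with home_pc != 0 it is stored first, like SAVE_SP_AND_PC (the fix). */
static int run(const Script *s, int home_pc) {
    Frame fp = { s, STALE_PC };
    const uint8_t *pc = s->code;               /* interpreter's private copy */
    while (pc < s->code + s->len) {
        switch (*pc) {
        case OP_LINE: pc += 2; break;
        case OP_BAD:
            if (home_pc) fp.pc = pc;           /* home the pc before reporting */
            return pc_to_line(&fp);
        default: pc++; break;
        }
    }
    return 0;
}

/* Constructed bytecode: line 1, a nop, line 2, then the faulting opcode. */
static const uint8_t demo_code[] = { OP_LINE, 1, OP_NOP, OP_LINE, 2, OP_BAD };
const Script demo_script = { demo_code, sizeof demo_code };
```

With the pc homed, the reporter resolves line 2; without it, the bounds check rejects the stale pointer instead of dereferencing it.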
Updated•18 years ago
Flags: blocking1.8.0.8? → blocking1.8.0.8-
Updated•18 years ago
Whiteboard: [sg:critical?] → [sg:critical?] js1.7
Updated•18 years ago
Group: security
Comment 10•17 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-352094.js,v <-- regress-352094.js moved to extensions/ since it uses setter