Closed Bug 352094 Opened 18 years ago Closed 18 years ago

Invalid setter usage, twice, makes js engine access memory at 0xdadadada

Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, mozilla1.9alpha1
People: Reporter: jruderman, Assigned: mrbkap
Details: Keywords: crash, testcase, verified1.8.1; Whiteboard: [sg:critical?] js1.7
Attachments: 2 files

js> (function(){ this.p setter = 0 })()
typein:1: SyntaxError: invalid setter usage

js> (function(){ this.p setter = 0 })()

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xdadadada
0x000559b8 in js_PCToLineNumber (cx=0x500180, script=0x5039c0, pc=0xdadadada <Address 0xdadadada out of bounds>) at jsscript.c:1430
1430        if (*pc == JSOP_DEFFUN) {

(gdb) bt
#0  0x000559b8 in js_PCToLineNumber (cx=0x500180, script=0x5039c0, pc=0xdadadada <Address 0xdadadada out of bounds>) at jsscript.c:1430
#1  0x000e7164 in js_ReportErrorNumberVA (cx=0x500180, flags=0, callback=0xe74b8 <js_GetErrorMessage>, userRef=0x0, errorNumber=151, charArgs=1, ap=0xbfffdb48 "") at jscntxt.c:1113
#2  0x00021ee0 in JS_ReportErrorNumber (cx=0x500180, errorCallback=0xe74b8 <js_GetErrorMessage>, userRef=0x0, errorNumber=151) at jsapi.c:4713
#3  0x000a88a4 in js_Interpret (cx=0x500180, pc=0x5039f3 "6", result=0xbfffe6f0) at jsinterp.c:5298
#4  0x0008f468 in js_Execute (cx=0x500180, chain=0x1804ec0, script=0x503a00, down=0x0, flags=0, result=0xbfffe820) at jsinterp.c:1621
#5  0x00020a00 in JS_ExecuteScript (cx=0x500180, obj=0x1804ec0, script=0x503a00, rval=0xbfffe820) at jsapi.c:4256
#6  0x0000256c in Process (cx=0x500180, obj=0x1804ec0, filename=0x0, forceTTY=0) at js.c:265
#7  0x00003134 in ProcessArgs (cx=0x500180, obj=0x1804ec0, argv=0xbffff9fc, argc=0) at js.c:486
#8  0x000094c4 in main (argc=0, argv=0xbffff9fc, envp=0xbffffa00) at js.c:3086
Whiteboard: [sg:critical?]
Attached patch: Fix
We need to home fp->pc so we can get a valid line number out of cx->fp.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #237697 - Flags: review?(brendan)
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 237697: Fix

Great -- no brainer (and required IMO) for 1.8, so target/nominate appropriately.

/be
Attachment #237697 - Flags: review?(brendan)
Attachment #237697 - Flags: review+
Attachment #237697 - Flags: approval1.8.1?
Comment on attachment 237697: Fix

a=beltzner on behalf of 181drivers
Attachment #237697 - Flags: approval1.8.1? → approval1.8.1+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Fixed on the 1.8 branch.

/be
Keywords: fixed1.8.1
Flags: in-testsuite+
Verified fixed: 1.8 20060914 windows/linux; 1.9 20060914 windows/mac*/linux
Status: RESOLVED → VERIFIED
Needed for 1.8.0? I can't reproduce the crash in 1.5.0.7 (or a debug xpcshell), but then I can't in FF2 (pre-fix) either, so I'm not sure I'm doing it right. The code looks similar, but the SAVE_SP_AND_PC macro was added as part of the js1.7 landing.
Flags: blocking1.8.0.8?
The patch is not needed on older branches, which lack JS_THREADED_INTERP and so keep fp->pc up to date at the top of the interpreter loop.

/be
Flags: blocking1.8.0.8? → blocking1.8.0.8-
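The two comments above describe the mechanism: the threaded interpreter keeps the program counter in a local variable, and the error reporter walks cx->fp to find a pc for js_PCToLineNumber, so a frame whose pc was never "homed" hands the reporter garbage. The following toy interpreter is an added illustration of that failure mode and of the fix, written for this page; it is not SpiderMonkey code, and every name in it (Script, Frame, run, report_error, demo) is hypothetical. An unhomed frame pc is modelled as NULL and caught by a bounds check instead of the out-of-bounds read shown in the backtrace.

```c
/* Added example, not SpiderMonkey code. Models an interpreter that caches
 * the pc in a local (as JS_THREADED_INTERP does) while the error reporter
 * reads the frame's copy, so the local must be stored back ("homed") before
 * reporting. All type and function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { OP_NOP = 0, OP_BAD_SETTER = 1, OP_END = 2 };

#define POISON_LINE (-1)   /* stands in for the crash on a bogus fp->pc */

typedef struct {
    const uint8_t *code;     /* bytecode */
    size_t length;
    const int *line_of_pc;   /* line number for each pc offset */
} Script;

typedef struct {
    const Script *script;
    const uint8_t *pc;       /* frame copy of the pc; the reporter trusts this */
} Frame;

/* Same contract as a pc-to-line lookup: map a pc inside the script to a
 * source line. Instead of dereferencing a wild pc, reject anything that is
 * NULL or outside the script. */
static int pc_to_line(const Script *script, const uint8_t *pc) {
    if (pc == NULL || pc < script->code || pc >= script->code + script->length)
        return POISON_LINE;
    return script->line_of_pc[pc - script->code];
}

/* The reporter never sees the interpreter's local pc; it reads fp->pc. */
static int report_error(const Frame *fp, const char *msg) {
    int line = pc_to_line(fp->script, fp->pc);
    printf("line %d: %s\n", line, msg);
    return line;
}

/* Interpreter loop. With home_pc == 0 the frame's pc is left untouched
 * (the pre-fix behaviour); with home_pc != 0 the local is stored back
 * before the reporter runs (the fix). Returns the line the reporter saw. */
static int run(Frame *fp, int home_pc) {
    const uint8_t *pc = fp->script->code;   /* cached register */
    for (;;) {
        switch (*pc) {
        case OP_NOP:
            pc++;
            break;
        case OP_BAD_SETTER:
            if (home_pc)
                fp->pc = pc;                /* home the pc before reporting */
            return report_error(fp, "invalid setter usage");
        case OP_END:
            return 0;
        default:
            return POISON_LINE;
        }
    }
}

/* Constructed script: two no-ops on line 1, the failing op on line 2. */
static const uint8_t demo_code[]  = { OP_NOP, OP_NOP, OP_BAD_SETTER, OP_END };
static const int     demo_lines[] = { 1, 1, 2, 2 };

/* Run the constructed script with or without homing; returns the reported
 * line, or POISON_LINE when the reporter was handed a stale frame pc. */
int demo(int home_pc) {
    Script script = { demo_code, sizeof demo_code, demo_lines };
    Frame fp = { &script, NULL };   /* loop never initialises fp.pc itself */
    return run(&fp, home_pc);
}

int main(void) {
    printf("without homing: %d\n", demo(0));
    printf("with homing:    %d\n", demo(1));
    return 0;
}
```

Compile with `cc -Wall demo.c`. The unhomed run reports POISON_LINE because the frame still holds whatever pc it had when the loop started; the homed run reports line 2. The real engine has no such bounds check between the reporter and the stale pointer, which is why the report shows the read at 0xdadadada.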
Whiteboard: [sg:critical?] → [sg:critical?] js1.7
Group: security
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-352094.js,v  <--  regress-352094.js

Moved to extensions/ since it uses setter.