352212 - Crash [@ block_getProperty] with XML filtering predicate operator, "let", string.replace

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Jesse Ruderman]

To reproduce:
  js> 'a'.replace(/a/g, function () { return let(y) (3).(<x/>) });

Expected: "TypeError: XML filtering predicate operator called on incompatible Number"

Result: crash


Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00041b1c in block_getProperty (cx=0x500180, obj=0x18059a8, id=1, vp=0xbfffd41c) at jsobj.c:1964
1964        *vp = fp->spbase[slot];

(gdb) bt
#0  0x00041b1c in block_getProperty (cx=0x500180, obj=0x18059a8, id=1, vp=0xbfffd41c) at jsobj.c:1964
#1  0x000418c8 in js_PutBlockObject (cx=0x500180, obj=0x18059a8) at jsobj.c:1934
#2  0x0008de50 in PutBlockObjects (cx=0x500180, fp=0xbfffd548) at jsinterp.c:543
#3  0x0008f8ec in js_Invoke (cx=0x500180, argc=3, flags=2) at jsinterp.c:1407
#4  0x00074f10 in find_replen (cx=0x500180, rdata=0xbfffd8f4, sizep=0xbfffd7b4) at jsstr.c:1477
#5  0x000756ec in replace_glob (cx=0x500180, count=0, data=0xbfffd8f4) at jsstr.c:1566
#6  0x000742a8 in match_or_replace (cx=0x500180, obj=0x1805474, argc=2, argv=0x1816434, glob=0x754bc <replace_glob>, data=0xbfffd8f4, rval=0xbfffda38) at jsstr.c:1200
#7  0x00075bf0 in str_replace (cx=0x500180, obj=0x1805474, argc=2, argv=0x1816434, rval=0xbfffda38) at jsstr.c:1631
#8  0x0008f7c0 in js_Invoke (cx=0x500180, argc=2, flags=0) at jsinterp.c:1372
#9  0x000a2ddc in js_Interpret (cx=0x500180, pc=0x503bdd ":", result=0xbfffe6b0) at jsinterp.c:4087
#10 0x000903f8 in js_Execute (cx=0x500180, chain=0x1804ec0, script=0x503ba0, down=0x0, flags=0, result=0xbfffe7e0) at jsinterp.c:1621
#11 0x00021818 in JS_ExecuteScript (cx=0x500180, obj=0x1804ec0, script=0x503ba0, rval=0xbfffe7e0) at jsapi.c:4256
#12 0x00003384 in Process (cx=0x500180, obj=0x1804ec0, filename=0x0, forceTTY=0) at js.c:265
#13 0x00003f4c in ProcessArgs (cx=0x500180, obj=0x1804ec0, argv=0xbffff9c8, argc=2) at js.c:486
#14 0x0000a2dc in main (argc=2, argv=0xbffff9c8, envp=0xbffff9d4) at js.c:3086

(gdb) f 0
#0  0x00041b1c in block_getProperty (cx=0x500180, obj=0x18059a8, id=1, vp=0xbfffd41c) at jsobj.c:1964
1964        *vp = fp->spbase[slot];
(gdb) p fp
$1 = (JSStackFrame *) 0xbfffd548
(gdb) p fp->spbase
$2 = (jsval *) 0x0
(gdb) p slot
$3 = 0

Comment 1

[Brendan Eich [:brendan]]

Attachment: fix

Thanks to mrbkap for pointing out the bug.

/be

Comment 2

[Brendan Eich [:brendan]]

Comment on attachment 237916 [details] [diff] [review]
fix

No, that's not right.

/be

Comment 3

[Brendan Eich [:brendan]]

Attachment: correct fix

Comment 4

[timeless]

*** Bug 352314 has been marked as a duplicate of this bug. ***

Comment 5

[Brendan Eich [:brendan]]

Comment on attachment 237918 [details] [diff] [review]
correct fix

This is looking like a topcrash in the making. It's also potentially a FMR, bad memory safety.  Fix is safe, just transposes two steps in order to avoid referencing released stack.

/be

Comment 6

[Brendan Eich [:brendan]]

Fixed on trunk.

/be

Comment 7

[Brendan Eich [:brendan]]

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.286; previous revision: 3.285
done

Comment 8

[Mike Schroepfer]

Comment on attachment 237918 [details] [diff] [review]
correct fix

a=schrep for 181drivers for JS topcrash.

Comment 9

[Brendan Eich [:brendan]]

Fixed on the 1.8 branch.

/be

Comment 10

[Bob Clary [:bc] (inactive)]

Checking in regress-352212.js;
/cvsroot/mozilla/js/tests/js1_7/block/regress-352212.js,v  <--  regress-352212.js
initial revision: 1.1
done

Comment 11

[Bob Clary [:bc] (inactive)]

verified fixed 1.8 20060914 windows/linux 1.9 20060914 windows/mac*/linux