Closed Bug 352271 Opened 14 years ago Closed 14 years ago

Crash dereferencing 0xdadadada [@ ReportCompileErrorNumber] called from CheckDestructuring

Categories: Core :: JavaScript Engine, defect, P1, critical
Tracking: VERIFIED FIXED, target milestone mozilla1.8.1
People: Reporter: jruderman, Assigned: mrbkap
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [sg:critical?]
Attachments: 2 files

js> [window.x getter= t for each ([*].a(v) in [])]
Segmentation fault

js> [window.x getter= t for each ([*].a(v)

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xdadadb66
0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
571         JS_ASSERT(!ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT);
(gdb) bt
#0  0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
#1  0x0007f92c in js_ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102) at jsscan.c:710
#2  0x000d90dc in CheckDestructuring (cx=0x600180, data=0xbfffdc34, left=0x1814ab0, right=0x0, tc=0xbfffe568) at jsparse.c:2212
#3  0x000e26a0 in PrimaryExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568, tt=TOK_LB, afterDot=0) at jsparse.c:5299
#4  0x000df598 in MemberExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568, allowCallSyntax=1) at jsparse.c:4231
#5  0x000df0d8 in UnaryExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:4141
#6  0x000de734 in MulExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:3984
#7  0x000de61c in AddExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:3966
Whiteboard: [sg:critical?]
(gdb) f 0
#0  0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
571         JS_ASSERT(!ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT);

(gdb) p ts
$1 = (JSTokenStream *) 0xdadadada
Attached patch: Fix
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #237903 - Flags: review?(brendan)
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8.1
Comment on attachment 237903: Fix

Nominating.

/be
Attachment #237903 - Flags: review?(brendan)
Attachment #237903 - Flags: review+
Attachment #237903 - Flags: approval1.8.1?
Fix-on-trunk.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment on attachment 237903: Fix

a=schrep for JS crash.
Attachment #237903 - Flags: approval1.8.1? → approval1.8.1+
Fixed on the 1.8 branch.

/be
Keywords: fixed1.8.1
Flags: in-testsuite+
verified fixed 1.8 20060914 windows/linux 1.9 20060914 windows/mac*/linux
Status: RESOLVED → VERIFIED
The testcase doesn't crash 1.8.0.x because it uses js1.7 syntax, but the fixed code in MemberExpr() appears identical. Is this fix needed on the 1.8.0 branch?
Flags: blocking1.8.0.8?
(In reply to comment #9)
> The testcase doesn't crash 1.8.0.x because it uses js1.7 syntax, but the fixed
> code in MemberExpr() appears identical. Is this fix needed on the 1.8.0 branch?

This is a 100% safe fix that may be needed; recommend you take it.

/be
Attachment #237903 - Flags: approval1.8.0.8?
Flags: blocking1.8.0.8? → blocking1.8.0.8+
Comment on attachment 237903: Fix

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #237903 - Flags: approval1.8.0.8? → approval1.8.0.8+
mozilla/js/src/jsscan.c 	3.81.2.7.2.8
Keywords: fixed1.8.0.8
(In reply to comment #12)
> mozilla/js/src/jsscan.c         3.81.2.7.2.8

Oops, wrong bug. Real checkin:

mozilla/js/src/jsparse.c 	3.142.2.6.2.9

Verified fixed on 
firefox_1.8.0.8pre_2006100918_opt
firefox_1.8.0.8pre_2006100918_dbg
(windows/mac/linux)

Using js regression test tool.
Bug not relevant to aviary/moz1.7 branches
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9-
Group: security
RCS file: /cvsroot/mozilla/js/tests/js1_6/Regress/regress-352271.js,v
done
Checking in regress-352271.js;
/cvsroot/mozilla/js/tests/js1_6/Regress/regress-352271.js,v  <--  regress-352271.js
initial revision: 1.1
done
Crash Signature: [@ ReportCompileErrorNumber]