Bug 352271 - Crash dereferencing 0xdadadada [@ ReportCompileErrorNumber] called from CheckDestructuring
Status: Closed (VERIFIED FIXED); opened 18 years ago, closed 18 years ago
Product/Component: Core :: JavaScript Engine, defect, P1
Target Milestone: mozilla1.8.1
Reporter: jruderman; Assigned: mrbkap
Keywords: 4 keywords; Whiteboard: [sg:critical?]
Attachments (2 files):
  patch, 881 bytes: review+ (brendan), approval1.8.0.8+ (dveditz), approval1.8.1+ (mtschrep)
  text/plain, 2.37 KB

Description:
js> [window.x getter= t for each ([*].a(v) in [])]
Segmentation fault
js> [window.x getter= t for each ([*].a(v)
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xdadadb66
0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
571 JS_ASSERT(!ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT);
(gdb) bt
#0 0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
#1 0x0007f92c in js_ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102) at jsscan.c:710
#2 0x000d90dc in CheckDestructuring (cx=0x600180, data=0xbfffdc34, left=0x1814ab0, right=0x0, tc=0xbfffe568) at jsparse.c:2212
#3 0x000e26a0 in PrimaryExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568, tt=TOK_LB, afterDot=0) at jsparse.c:5299
#4 0x000df598 in MemberExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568, allowCallSyntax=1) at jsparse.c:4231
#5 0x000df0d8 in UnaryExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:4141
#6 0x000de734 in MulExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:3984
#7 0x000de61c in AddExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:3966
Updated 18 years ago (Reporter):
Whiteboard: [sg:critical?]
Comment 1, 18 years ago (Reporter):
(gdb) f 0
#0 0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
571 JS_ASSERT(!ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT);
(gdb) p ts
$1 = (JSTokenStream *) 0xdadadada
Comment 2, 18 years ago (Assignee):
Updated 18 years ago (Assignee):
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8.1
Comment 3, 18 years ago:
Comment on attachment 237903 [details] [diff] [review]
Fix
Nominating.
/be
Attachment #237903 - Flags: review?(brendan)
Attachment #237903 - Flags: review+
Attachment #237903 - Flags: approval1.8.1?
Comment 4, 18 years ago (Assignee):
Fix-on-trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 5, 18 years ago:
Comment on attachment 237903 [details] [diff] [review]
Fix
a=schrep for JS crash.
Attachment #237903 - Flags: approval1.8.1? → approval1.8.1+
Comment 7, 18 years ago:
Updated 18 years ago:
Flags: in-testsuite+
Comment 8, 18 years ago:
verified fixed 1.8 20060914 windows/linux; 1.9 20060914 windows/mac*/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
Comment 9, 18 years ago:
The testcase doesn't crash 1.8.0.x because it uses js1.7 syntax, but the fixed code in MemberExpr() appears identical. Is this fix needed on the 1.8.0 branch?
Flags: blocking1.8.0.8?
Comment 10, 18 years ago:
(In reply to comment #9)
> The testcase doesn't crash 1.8.0.x because it uses js1.7 syntax, but the fixed
> code in MemberExpr() appears identical. Is this fix needed on the 1.8.0 branch?
This is a 100% safe fix that may be needed; recommend you take it.
/be
Updated 18 years ago (Reporter):
Attachment #237903 - Flags: approval1.8.0.8?
Updated 18 years ago:
Flags: blocking1.8.0.8? → blocking1.8.0.8+
Comment 11, 18 years ago:
Comment on attachment 237903 [details] [diff] [review]
Fix
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #237903 - Flags: approval1.8.0.8? → approval1.8.0.8+
Comment 13, 18 years ago:
(In reply to comment #12)
> mozilla/js/src/jsscan.c 3.81.2.7.2.8
Oops, wrong bug. Real checkin:
mozilla/js/src/jsparse.c 3.142.2.6.2.9
Comment 14, 18 years ago:
Verified fixed on
firefox_1.8.0.8pre_2006100918_opt
firefox_1.8.0.8pre_2006100918_dbg
(windows/mac/linux)
Using js regression test tool.
Keywords: fixed1.8.0.8 → verified1.8.0.8
Comment 15, 18 years ago:
Bug not relevant to aviary/moz1.7 branches
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9-
Updated 18 years ago:
Group: security
Comment 16, 18 years ago:
RCS file: /cvsroot/mozilla/js/tests/js1_6/Regress/regress-352271.js,v
done
Checking in regress-352271.js;
/cvsroot/mozilla/js/tests/js1_6/Regress/regress-352271.js,v <-- regress-352271.js
initial revision: 1.1
done
Updated 14 years ago:
Crash Signature: [@ ReportCompileErrorNumber]