Closed Bug 352271 Opened 18 years ago Closed 18 years ago

Crash dereferencing 0xdadadada [@ ReportCompileErrorNumber] called from CheckDestructuring

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8.1

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files)

Fix
881 bytes, patch
brendan
: review+
dveditz
: approval1.8.0.8+
mtschrep
: approval1.8.1+
Details | Diff | Splinter Review
js1_6/Regress/regress-352271.js
2.37 KB, text/plain
Details 
js> [window.x getter= t for each ([*].a(v) in [])]
Segmentation fault

js> [window.x getter= t for each ([*].a(v)

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xdadadb66
0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
571         JS_ASSERT(!ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT);
(gdb) bt
#0  0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
#1  0x0007f92c in js_ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102) at jsscan.c:710
#2  0x000d90dc in CheckDestructuring (cx=0x600180, data=0xbfffdc34, left=0x1814ab0, right=0x0, tc=0xbfffe568) at jsparse.c:2212
#3  0x000e26a0 in PrimaryExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568, tt=TOK_LB, afterDot=0) at jsparse.c:5299
#4  0x000df598 in MemberExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568, allowCallSyntax=1) at jsparse.c:4231
#5  0x000df0d8 in UnaryExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:4141
#6  0x000de734 in MulExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:3984
#7  0x000de61c in AddExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:3966
Whiteboard: [sg:critical?]
(gdb) f 0
#0  0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
571         JS_ASSERT(!ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT);

(gdb) p ts
$1 = (JSTokenStream *) 0xdadadada
Attached patch FixSplinter Review 
Assignee: general → mrbkap
Status: NEW → ASSIGNED

        Attachment #237903 -
        Flags: review?(brendan)

    
  
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8.1

    
    

    
  
Comment on attachment 237903 [details] [diff] [review]
Fix

Nominating.

/be

        Attachment #237903 -
        Flags: review?(brendan)

        Attachment #237903 -
        Flags: review+

        Attachment #237903 -
        Flags: approval1.8.1?

    
    

    
  
Fix-on-trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 237903 [details] [diff] [review]
Fix

a=schrep for JS crash.

        Attachment #237903 -
        Flags: approval1.8.1? → approval1.8.1+

    
    

    
  
Fixed on the 1.8 branch.

/be
Keywords: fixed1.8.1
Flags: in-testsuite+

    
    

    
  
verified fixed 1.8 20060914 windows/linux 1.9 20060914 window/mac*/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1verified1.8.1

    
    

    
  
The testcase doesn't crash 1.8.0.x because it uses js1.7 syntax, but the fixed code in MemberExpr() appears identical. Is this fix needed on the 1.8.0 branch?
Flags: blocking1.8.0.8?

    
    

    
  
(In reply to comment #9)
> The testcase doesn't crash 1.8.0.x because it uses js1.7 syntax, but the fixed
> code in MemberExpr() appears identical. Is this fix needed on the 1.8.0 branch?

This is a 100% safe fix that may be needed; recommend you take it.

/be

    
  

        Attachment #237903 -
        Flags: approval1.8.0.8?
Flags: blocking1.8.0.8? → blocking1.8.0.8+

    
    

    
  
Comment on attachment 237903 [details] [diff] [review]
Fix

approved for 1.8.0 branch, a=dveditz for drivers

        Attachment #237903 -
        Flags: approval1.8.0.8? → approval1.8.0.8+

    
    

    
  
mozilla/js/src/jsscan.c 	3.81.2.7.2.8
Keywords: fixed1.8.0.8

    
    

    
  
(In reply to comment #12)
> mozilla/js/src/jsscan.c         3.81.2.7.2.8

Oops, wrong bug. Real checkin:

mozilla/js/src/jsparse.c 	3.142.2.6.2.9 



    
    

    
  
Verified fixed on 
firefox_1.8.0.8pre_2006100918_opt
firefox_1.8.0.8pre_2006100918_dbg
(windows/mac/linux)

Using js regression test tool.
Keywords: fixed1.8.0.8verified1.8.0.8

    
    

    
  
Bug not relevant to aviary/moz1.7 branches
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9-
Group: security

    
    

    
  
RCS file: /cvsroot/mozilla/js/tests/js1_6/Regress/regress-352271.js,v
done
Checking in regress-352271.js;
/cvsroot/mozilla/js/tests/js1_6/Regress/regress-352271.js,v  <--  regress-352271.js
initial revision: 1.1
done

Crash Signature: [@ ReportCompileErrorNumber]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: