Crash dereferencing 0xdadadada [@ ReportCompileErrorNumber] called from CheckDestructuring

VERIFIED FIXED in mozilla1.8.1

Status

Product: Core
Component: JavaScript Engine
Priority: P1
Severity: critical
Status: VERIFIED FIXED
Reported: 11 years ago
Modified: 6 years ago

People

(Reporter: Jesse Ruderman, Assigned: mrbkap)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Target Milestone: mozilla1.8.1
Keywords: crash, testcase, verified1.8.0.8, verified1.8.1
Points:
---
Bug Flags:
blocking1.7.14 -
blocking-aviary1.0.9 -
blocking1.8.0.8 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

11 years ago
js> [window.x getter= t for each ([*].a(v) in [])]
Segmentation fault

js> [window.x getter= t for each ([*].a(v)

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xdadadb66
0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
571         JS_ASSERT(!ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT);
(gdb) bt
#0  0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
#1  0x0007f92c in js_ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102) at jsscan.c:710
#2  0x000d90dc in CheckDestructuring (cx=0x600180, data=0xbfffdc34, left=0x1814ab0, right=0x0, tc=0xbfffe568) at jsparse.c:2212
#3  0x000e26a0 in PrimaryExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568, tt=TOK_LB, afterDot=0) at jsparse.c:5299
#4  0x000df598 in MemberExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568, allowCallSyntax=1) at jsparse.c:4231
#5  0x000df0d8 in UnaryExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:4141
#6  0x000de734 in MulExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:3984
#7  0x000de61c in AddExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:3966
(Reporter)

Updated

11 years ago
Whiteboard: [sg:critical?]
(Reporter)

Comment 1

11 years ago
(gdb) f 0
#0  0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
571         JS_ASSERT(!ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT);

(gdb) p ts
$1 = (JSTokenStream *) 0xdadadada
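Reading the value in comment 1: 0xdadadada is what a pointer field looks like when it is loaded from memory that a DEBUG build of jsarena has filled with JS_FREE_PATTERN (0xDA) on release, and the faulting address 0xdadadb66 is just that pattern plus the offset of ts->linebuf.limit. That is consistent with the token-stream pointer having been recovered from a parse node that had already been returned to the parser's arena (my reading of the trace; the bug itself does not state the root cause). The C program below is an added example, not SpiderMonkey code and not the fix in attachment 237903: it builds a small bump allocator that poisons released memory with the same fill byte (every type and function name is this example's own), shows a stale node's pointer field coming back as the pattern, and gives a pointer_is_poisoned() check of the kind worth reaching for when triaging a crash at such an address.

```c
/* Added example: simulate a DEBUG-style poisoning arena (fill byte 0xDA, as
 * jsarena's JS_FREE_PATTERN) and show how a stale parse-node pointer reads
 * after the arena is released. Not engine code; all names are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FREE_PATTERN 0xDA          /* same byte value as JS_FREE_PATTERN */
#define ARENA_SIZE   4096

struct token_stream { const char *text; };

/* Stand-in for a parse node: the fields an error report would read. */
struct parse_node {
    struct token_stream *pn_ts;    /* token stream the node came from */
    int                  pn_type;
    struct parse_node   *pn_left;
};

struct arena {
    unsigned char buf[ARENA_SIZE];
    size_t used;
};

static void arena_init(struct arena *a) { a->used = 0; }

/* Bump-allocate n bytes (8-byte aligned); NULL when exhausted. */
static void *arena_alloc(struct arena *a, size_t n) {
    n = (n + 7) & ~(size_t)7;
    if (a->used + n > ARENA_SIZE) return NULL;
    void *p = a->buf + a->used;
    a->used += n;
    return p;
}

/* Release everything and, like a DEBUG jsarena, poison the freed bytes. */
static void arena_release(struct arena *a) {
    memset(a->buf, FREE_PATTERN, a->used);
    a->used = 0;
}

/* True if every byte of the pointer value is the free pattern, i.e. the
 * pointer was loaded from already-released arena memory. On a 32-bit
 * build that value is 0xdadadada, on 64-bit 0xdadadadadadadada. */
static int pointer_is_poisoned(const void *p) {
    uintptr_t v = (uintptr_t)p, pat = 0;
    for (size_t i = 0; i < sizeof v; i++) pat = (pat << 8) | FREE_PATTERN;
    return v == pat;
}

/* Allocate a node, optionally release the arena, then inspect the node's
 * pn_ts. Returns 1 if it reads as the poison pattern, 0 if it is still the
 * live token stream, -1 on allocation failure. */
static int demo_node_pn_ts_poisoned(int release_before_read) {
    static struct arena a;
    /* Constructed token stream; the text is this bug's reproducer. */
    struct token_stream ts = { "[window.x getter= t for each ([*].a(v) in [])]" };
    struct parse_node *pn;

    arena_init(&a);
    pn = arena_alloc(&a, sizeof *pn);
    if (!pn) return -1;
    pn->pn_ts = &ts;
    pn->pn_type = 1;
    pn->pn_left = NULL;

    if (release_before_read)
        arena_release(&a);         /* pn now points into poisoned memory */

    /* An engine would go on to dereference pn->pn_ts (frame #0 above);
     * here we only look at the pointer's bits, never through them. */
    return pointer_is_poisoned(pn->pn_ts);
}

int main(void) {
    printf("live node pn_ts poisoned:  %d\n", demo_node_pn_ts_poisoned(0));
    printf("stale node pn_ts poisoned: %d\n", demo_node_pn_ts_poisoned(1));
    return 0;
}
```

The check is only a triage aid: a pointer that happens to equal the pattern is a strong hint of a stale read, but the fix is to stop the read, not to test for the pattern in production code.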
(Assignee)

Comment 2

11 years ago
Created attachment 237903 [details] [diff] [review]
Fix
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #237903 - Flags: review?(brendan)
(Assignee)

Updated

11 years ago
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8.1

Comment 3

Comment on attachment 237903 [details] [diff] [review]
Fix

Nominating.

/be
Attachment #237903 - Flags: review?(brendan)
Attachment #237903 - Flags: review+
Attachment #237903 - Flags: approval1.8.1?
(Assignee)

Comment 4

11 years ago
Fix-on-trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Comment 5

11 years ago
Comment on attachment 237903 [details] [diff] [review]
Fix

a=schrep for JS crash.
Attachment #237903 - Flags: approval1.8.1? → approval1.8.1+

Comment 6

Fixed on the 1.8 branch.

/be
Keywords: fixed1.8.1

Comment 7

11 years ago
Created attachment 238404 [details]
js1_6/Regress/regress-352271.js

Updated

11 years ago
Flags: in-testsuite+

Comment 8

11 years ago
verified fixed 1.8 20060914 windows/linux 1.9 20060914 windows/mac*/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1

Comment 9

The testcase doesn't crash 1.8.0.x because it uses js1.7 syntax, but the fixed code in MemberExpr() appears identical. Is this fix needed on the 1.8.0 branch?
Flags: blocking1.8.0.8?

Comment 10

(In reply to comment #9)
> The testcase doesn't crash 1.8.0.x because it uses js1.7 syntax, but the fixed
> code in MemberExpr() appears identical. Is this fix needed on the 1.8.0 branch?

This is a 100% safe fix that may be needed; recommend you take it.

/be
(Reporter)

Updated

11 years ago
Attachment #237903 - Flags: approval1.8.0.8?
Flags: blocking1.8.0.8? → blocking1.8.0.8+

Comment 11

Comment on attachment 237903 [details] [diff] [review]
Fix

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #237903 - Flags: approval1.8.0.8? → approval1.8.0.8+

Comment 12

mozilla/js/src/jsscan.c 3.81.2.7.2.8
Keywords: fixed1.8.0.8

Comment 13

(In reply to comment #12)
> mozilla/js/src/jsscan.c         3.81.2.7.2.8

Oops, wrong bug. Real checkin:

mozilla/js/src/jsparse.c 3.142.2.6.2.9


Comment 14

Verified fixed on
firefox_1.8.0.8pre_2006100918_opt
firefox_1.8.0.8pre_2006100918_dbg
(windows/mac/linux)

Using js regression test tool.
Keywords: fixed1.8.0.8 → verified1.8.0.8

Comment 15

Bug not relevant to aviary/moz1.7 branches
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9-
Group: security

Comment 16

11 years ago
RCS file: /cvsroot/mozilla/js/tests/js1_6/Regress/regress-352271.js,v
done
Checking in regress-352271.js;
/cvsroot/mozilla/js/tests/js1_6/Regress/regress-352271.js,v  <--  regress-352271.js
initial revision: 1.1
done
Crash Signature: [@ ReportCompileErrorNumber]