Bug 352271 - Crash dereferencing 0xdadadada [@ ReportCompileErrorNumber] called from CheckDestructuring
Status: VERIFIED FIXED
Whiteboard: [sg:critical?]
Keywords: crash, testcase, verified1.8.0.8, verified1.8.1
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All
OS: All
Priority: P1
Severity: critical
Target Milestone: mozilla1.8.1
Assigned To: Blake Kaplan (:mrbkap)
Blocks: jsfunfuzz
Reported: 2006-09-11 21:05 PDT by Jesse Ruderman
Modified: 2011-06-13 10:01 PDT
dveditz: blocking1.7.14-
dveditz: blocking-aviary1.0.9-
dveditz: blocking1.8.0.8+
bob: in-testsuite+


Attachments
Fix (881 bytes, patch)
2006-09-11 21:40 PDT, Blake Kaplan (:mrbkap)
brendan: review+
dveditz: approval1.8.0.8+
mtschrep: approval1.8.1+
js1_6/Regress/regress-352271.js (2.37 KB, text/plain)
2006-09-14 04:40 PDT, Bob Clary [:bc:]

Description Jesse Ruderman 2006-09-11 21:05:03 PDT
js> [window.x getter= t for each ([*].a(v) in [])]
Segmentation fault

js> [window.x getter= t for each ([*].a(v)

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xdadadb66
0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
571         JS_ASSERT(!ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT);
(gdb) bt
#0  0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
#1  0x0007f92c in js_ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102) at jsscan.c:710
#2  0x000d90dc in CheckDestructuring (cx=0x600180, data=0xbfffdc34, left=0x1814ab0, right=0x0, tc=0xbfffe568) at jsparse.c:2212
#3  0x000e26a0 in PrimaryExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568, tt=TOK_LB, afterDot=0) at jsparse.c:5299
#4  0x000df598 in MemberExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568, allowCallSyntax=1) at jsparse.c:4231
#5  0x000df0d8 in UnaryExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:4141
#6  0x000de734 in MulExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:3984
#7  0x000de61c in AddExpr (cx=0x600180, ts=0x1815010, tc=0xbfffe568) at jsparse.c:3966
Comment 1 Jesse Ruderman 2006-09-11 21:06:31 PDT
(gdb) f 0
#0  0x0007f3b4 in ReportCompileErrorNumber (cx=0x600180, handle=0x1814b00, flags=512, errorNumber=102, report=0xbfffdaa4, charArgs=1, ap=0xbfffdb18 "???h") at jsscan.c:571
571         JS_ASSERT(!ts || ts->linebuf.limit < ts->linebuf.base + JS_LINE_LIMIT);

(gdb) p ts
$1 = (JSTokenStream *) 0xdadadada
Comment 2 Blake Kaplan (:mrbkap) 2006-09-11 21:40:02 PDT
Created attachment 237903 [details] [diff] [review]
Fix
Comment 3 Brendan Eich [:brendan] 2006-09-11 21:48:40 PDT
Comment on attachment 237903 [details] [diff] [review]
Fix

Nominating.

/be
Comment 4 Blake Kaplan (:mrbkap) 2006-09-11 22:00:08 PDT
Fix-on-trunk.
Comment 5 Mike Schroepfer 2006-09-12 16:52:00 PDT
Comment on attachment 237903 [details] [diff] [review]
Fix

a=schrep for JS crash.
Comment 6 Brendan Eich [:brendan] 2006-09-13 08:30:58 PDT
Fixed on the 1.8 branch.

/be
Comment 7 Bob Clary [:bc:] 2006-09-14 04:40:36 PDT
Created attachment 238404 [details]
js1_6/Regress/regress-352271.js
Comment 8 Bob Clary [:bc:] 2006-09-14 15:08:33 PDT
verified fixed 1.8 20060914 windows/linux 1.9 20060914 windows/mac*/linux
Comment 9 Daniel Veditz [:dveditz] 2006-09-20 15:37:00 PDT
The testcase doesn't crash 1.8.0.x because it uses js1.7 syntax, but the fixed code in MemberExpr() appears identical. Is this fix needed on the 1.8.0 branch?
Comment 10 Brendan Eich [:brendan] 2006-09-20 21:52:02 PDT
(In reply to comment #9)
> The testcase doesn't crash 1.8.0.x because it uses js1.7 syntax, but the fixed
> code in MemberExpr() appears identical. Is this fix needed on the 1.8.0 branch?

This is a 100% safe fix that may be needed; recommend you take it.

/be
Comment 11 Daniel Veditz [:dveditz] 2006-09-26 14:31:00 PDT
Comment on attachment 237903 [details] [diff] [review]
Fix

approved for 1.8.0 branch, a=dveditz for drivers
Comment 12 :Gavin Sharp [email: gavin@gavinsharp.com] 2006-10-06 10:45:12 PDT
mozilla/js/src/jsscan.c 	3.81.2.7.2.8
Comment 13 :Gavin Sharp [email: gavin@gavinsharp.com] 2006-10-06 10:47:24 PDT
(In reply to comment #12)
> mozilla/js/src/jsscan.c         3.81.2.7.2.8

Oops, wrong bug. Real checkin:

mozilla/js/src/jsparse.c 	3.142.2.6.2.9 

Comment 14 alice nodelman [:alice] [:anode] 2006-10-11 11:17:05 PDT
Verified fixed on 
firefox_1.8.0.8pre_2006100918_opt
firefox_1.8.0.8pre_2006100918_dbg
(windows/mac/linux)

Using js regression test tool.
Comment 15 Daniel Veditz [:dveditz] 2006-11-01 17:42:47 PST
Bug not relevant to aviary/moz1.7 branches
Comment 16 Bob Clary [:bc:] 2006-11-10 11:53:29 PST
RCS file: /cvsroot/mozilla/js/tests/js1_6/Regress/regress-352271.js,v
done
Checking in regress-352271.js;
/cvsroot/mozilla/js/tests/js1_6/Regress/regress-352271.js,v  <--  regress-352271.js
initial revision: 1.1
done