Closed Bug 352885 Opened 18 years ago Closed 18 years ago

Crash [@ generator_op] iteration over gen.__proto__

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
PowerPC
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: igor)

Details

(Keywords: crash, testcase, verified1.8.1)

Crash Data

Attachments

(1 file)

Fix
1.34 KB, patch
brendan
: review+
mtschrep
: approval1.8.1+
Details | Diff | Splinter Review 
js> for (j in ((function() { yield 3; })().__proto__)) print(j);

Null deref crash [@ generator_op].
Assignee: general → igor.bukanov
I will attach that treat gen.__proto__ as closed generator so the following test passes:

function test() 
{
  var proto = (function() { yield 3; })().__proto__;

  try {
    proto.next();
    throw "generatorProto.next() does not throw StopIteration";
  } catch (e) {
    if (!(e instanceof StopIteration))
      throw "generatorProto.next() throws unexpected exception: "+uneval(e);
  }

  try {
    proto.send();
    throw "generatorProto.send() does not throw StopIteration";
  } catch (e) {
    if (!(e instanceof StopIteration))
      throw "generatorProto.send() throws unexpected exception: "+uneval(e);
  }

  var obj = {};
  try {
    proto.throw(obj);
    throw "generatorProto.throw(obj) does not throw obj";
  } catch (e) {
    if (e !== obj)
      throw "generatorProto.throw() throws unexpected exception: "+uneval(e);
  }

  var obj = {};
  try {
    proto.close();
  } catch (e) {
      throw "generatorProto.throw() throws exception: "+uneval(e);
  }

}

test();
print("Success");
Attached patch FixSplinter Review 
Fix that confirms to the test case from comment 1.

Again I have no intentions to commit until having a sleep.
Attachment #238710 - Flags: review?(brendan)
Comment on attachment 238710 [details] [diff] [review]
Fix

Alternative is to create a closed generator in js_InitIteratorClasses, but that's heavyweight.

This is a simple crash fix.  The crash is a null deref, so no security hazard on sane OSes and in sane apps (see recent work using SEH on Windows to exploit null derefs; some crazy Linuxes map nearly null pages too).

Be a shame to miss 1.8.1, but I will wait for Igor to sleep before nominating.

/be
Attachment #238710 - Flags: review?(brendan) → review+
(In reply to comment #3)
> (From update of attachment 238710 [details] [diff] [review] [edit])
> Alternative is to create a closed generator in js_InitIteratorClasses, but
> that's heavyweight.

The code in the rest 3 places that accesses generator's private checks if it is not null. So adding that not-null check adds the consistency. I think having 4 checks for null takes less space then code to create a closed generator object for gen.__proto__ which in addition would waste 124+malloc overhead bytes for JSGenerator per each global scope. 

> 
> This is a simple crash fix.  The crash is a null deref, so no security hazard
> on sane OSes and in sane apps (see recent work using SEH on Windows to exploit
> null derefs; some crazy Linuxes map nearly null pages too).
> 
> Be a shame to miss 1.8.1, but I will wait for Igor to sleep before nominating.
> 
> /be
>
Status: NEW → ASSIGNED
I committed the patch from comment 2 to the trunk:

Checking in jsiter.c;
/cvsroot/mozilla/js/src/jsiter.c,v  <--  jsiter.c
new revision: 3.41; previous revision: 3.40
done
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Flags: blocking1.8.1.1?
Resolution: --- → FIXED
(In reply to comment #4)
> (In reply to comment #3)
> > (From update of attachment 238710 [details] [diff] [review] [edit] [edit])
> > Alternative is to create a closed generator in js_InitIteratorClasses, but
> > that's heavyweight.
> 
> The code in the rest 3 places that accesses generator's private checks if it is
> not null. So adding that not-null check adds the consistency. I think having 4
> checks for null takes less space then code to create a closed generator object
> for gen.__proto__ which in addition would waste 124+malloc overhead bytes for
> JSGenerator per each global scope. 

Yeah, heavyweight ;-).  The patch is good.  I'll nominate it for 1.8.1.

/be
Comment on attachment 238710 [details] [diff] [review]
Fix

Safe null defense, good for stopping an annoyance DOS.

/be
Attachment #238710 - Flags: approval1.8.1?
Comment on attachment 238710 [details] [diff] [review]
Fix

a=schrep - approved to land on 1.8.1 branch before rc1.
Attachment #238710 - Flags: approval1.8.1? → approval1.8.1+
I committed the patch from comment 2 to the trunk:

Checking in jsiter.c;
/cvsroot/mozilla/js/src/jsiter.c,v  <--  jsiter.c
new revision: 3.17.2.17; previous revision: 3.17.2.16
done
Keywords: fixed1.8.1
Checking in regress-352885-01.js;
/cvsroot/mozilla/js/tests/js1_7/geniter/regress-352885-01.js,v  <--  regress-352885-01.js
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/js/tests/js1_7/geniter/regress-352885-02.js,v
done
Checking in regress-352885-02.js;
/cvsroot/mozilla/js/tests/js1_7/geniter/regress-352885-02.js,v  <--  regress-352885-02.js
initial revision: 1.1
done
Flags: in-testsuite+
verified fixed 1.8 1.9 20060919 windows/mac*/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1verified1.8.1
Already in 1.8.1, clearing 1.8.1.1 request
Flags: blocking1.8.1.1?
Crash Signature: [@ generator_op]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: