Crash involving uneval and "function ([x]) { }"

VERIFIED FIXED

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 11 years ago
Modified: 10 years ago

People

(Reporter: Jesse Ruderman, Assigned: brendan)

Tracking

(Blocks: 1 bug, {crash, testcase, verified1.8.1.1})

Version: Trunk
Hardware: PowerPC
OS: Mac OS X
Keywords: crash, testcase, verified1.8.1.1
Bug Flags: in-testsuite+

Details

(Whiteboard: [sg:critical])

Attachments

(3 attachments, 2 obsolete attachments)

(Reporter)

Description

11 years ago
count=8434; tryItOut("(function ([x]) { })(); eval('return 3;')");
Scary crash

js> uneval(function() { (function ([x]) { })(); eval('return 3;') })
Null deref crash

I don't know why it's a scary crash when it's part of the fuzzer but a null deref outside of the fuzzer.


Here's the mac crash reporter info for the scarier crash:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x79393d1c

Thread 0 Crashed:
0   libSystem.B.dylib 	0x900030e8 strlen + 8
1   js                	0x00047b20 SprintCString + 32 (crt.c:355)
2   js                	0x000488f0 Decompile + 892 (crt.c:355)
3   js                	0x0004e15c js_DecompileCode + 448 (crt.c:355)
4   js                	0x0004ecc0 js_DecompileFunction + 760 (crt.c:355)
5   js                	0x0000c89c JS_DecompileFunction + 116 (crt.c:355)
6   js                	0x00011b10 js_fun_toString + 368 (crt.c:355)
7   js                	0x0004ca18 Decompile + 17572 (crt.c:355)
8   js                	0x0004e15c js_DecompileCode + 448 (crt.c:355)
9   js                	0x0004ecc0 js_DecompileFunction + 760 (crt.c:355)
10  js                	0x0000c89c JS_DecompileFunction + 116 (crt.c:355)
11  js                	0x00011b10 js_fun_toString + 368 (crt.c:355)
12  js                	0x000338b4 js_Invoke + 1548 (crt.c:355)
13  js                	0x00033d10 js_InternalInvoke + 204 (crt.c:355)
14  js                	0x0001e1e0 js_TryMethod + 284 (crt.c:355)
15  js                	0x00050260 js_ValueToSource + 180 (crt.c:355)
16  js                	0x000502a8 str_uneval + 28 (crt.c:355)
17  js                	0x000338b4 js_Invoke + 1548 (crt.c:355)
18  js                	0x0002da98 js_Interpret + 30808 (crt.c:355)
19  js                	0x000331d4 js_Execute + 484 (crt.c:355)
20  js                	0x00008b68 JS_ExecuteScript + 36 (crt.c:355)
21  js                	0x0000298c Process + 380 (crt.c:355)
22  js                	0x00005c4c main + 2032 (crt.c:355)
23  js                	0x00002068 _start + 340 (crt.c:272)
24  js                	0x00001f10 start + 60
(Reporter)

Comment 1

11 years ago
Guessing this is the same bug.

count=10373; tryItOut("switch(({ get x() { export *; }, set x(/* destructuring:a2 */[/* destructuring:a1 */[y], /* destructuring:a1 */[x] ]) { let x;} })) { case eval(\"[[1]]\", function(id) { return id }): L:for(let x in (((eval).call)(eval(\"yield <x><y/></x>;\",  \"\" ))))var x; case (uneval(this)): import x.*; }");

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x0076045c

Thread 0 Crashed:
0   js 	0x0006d5a4 js_PushBlockScope + 124 (crt.c:355)
1   js 	0x00071750 js_EmitTree + 15808 (crt.c:355)
2   js 	0x00073e14 js_EmitFunctionBody + 168 (crt.c:355)
3   js 	0x0006dcdc js_EmitTree + 844 (crt.c:355)
4   js 	0x00071cc0 js_EmitTree + 17200 (crt.c:355)
5   js 	0x00071df4 js_EmitTree + 17508 (crt.c:355)
6   js 	0x0006e240 js_EmitTree + 2224 (crt.c:355)
7   js 	0x000703d0 js_EmitTree + 10816 (crt.c:355)
8   js 	0x0005ab2c FunctionBody + 360 (crt.c:355)
9   js 	0x0005f2f4 js_CompileFunctionBody + 260 (crt.c:355)
10  js 	0x000132dc Function + 1448 (crt.c:355)
11  js 	0x000338b4 js_Invoke + 1548 (crt.c:355)
12  js 	0x00033bb4 js_InvokeConstructor + 356 (crt.c:355)
13  js 	0x0002b1d0 js_Interpret + 20368 (crt.c:355)
14  js 	0x000331d4 js_Execute + 484 (crt.c:355)
15  js 	0x00008b68 JS_ExecuteScript + 36 (crt.c:355)
16  js 	0x0000298c Process + 380 (crt.c:355)
17  js 	0x00005c4c main + 2032 (crt.c:355)
18  js 	0x00002068 _start + 340 (crt.c:272)
19  js 	0x00001f10 start + 60

(Reporter)

Comment 2

11 years ago
All 3 of those no longer crash with desdec.patch-v3.  But the third produces an assertion failure.  Here's a reduced testcase for the assertion failure:

js> function ([x]) { let x; }
Assertion failure: body->pn_arity == PN_LIST, at jsparse.c:1323
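Added example, not one of the regress-353214 test files attached to this bug (their contents are not shown here): a regression-style harness that feeds the function shapes reported above through Function.prototype.toString, the standard counterpart of the js shell's uneval() for function values, and checks that the text it produces still parses and still carries the destructuring pattern. The input sources are constructed to mirror the description and Comments 1 and 2.

```javascript
// Constructed sources mirroring the shapes reported in this bug.
const CASES = [
  // Description: destructuring parameter, immediately invoked, with eval in the body.
  "(function () { (function ([x]) { })(); eval('return 3;'); })",
  // Comment 2: body redeclares the destructured parameter with let.
  "(function ([x]) { let x; })",
  // Comment 1, reduced: nested destructuring in a setter parameter.
  "({ set x([[y], [x]]) { } })",
];

function roundTrip(src) {
  let value;
  try {
    value = (0, eval)(src);            // indirect eval: compiles the source, calls nothing
  } catch (e) {
    if (e instanceof SyntaxError) return { outcome: "syntax-error", message: e.message };
    throw e;
  }
  // Setter case: pull the function out of the property descriptor.
  const isSetter = typeof value !== "function";
  const fn = isSetter ? Object.getOwnPropertyDescriptor(value, "x").set : value;
  const text = Function.prototype.toString.call(fn);   // the "decompiled" form
  // A setter's text is a method definition, so it re-parses only inside an object literal.
  const wrapped = isSetter ? "({ " + text + " })" : "(" + text + ")";
  let again;
  try {
    again = (0, eval)(wrapped);
  } catch (e) {
    return { outcome: "unparseable", text };
  }
  const fn2 = isSetter ? Object.getOwnPropertyDescriptor(again, "x").set : again;
  return {
    outcome: "ok",
    text,
    keepsPattern: text.includes("[x]"),   // the destructuring pattern survived
    sameArity: fn2.length === fn.length,  // and so did the parameter count
  };
}

// One result per case; a crash or an unparseable result is a regression.
function runAll() {
  return CASES.map((src) => ({ src, ...roundTrip(src) }));
}

for (const r of runAll()) console.log(r.outcome, "<-", r.src);
```

A SyntaxError is an acceptable outcome for the Comment 2 shape (the let redeclares the parameter); what the harness must never see is a crash or text that no longer parses.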
(Reporter)

Comment 3

11 years ago
All good with "destructuring decompilation, v5d" in bug 346642.
Depends on: 346642
(Reporter)

Updated

11 years ago
Assignee: general → brendan
Whiteboard: [sg:critical]
(Reporter)

Updated

11 years ago
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Comment 4

11 years ago
Created attachment 240865 [details]
js1_5/Regress/regress-353214.js

Updated

11 years ago
Flags: in-testsuite+

Comment 5

11 years ago
Created attachment 240887 [details]
js1_7/block/regress-353214-01.js

Comment 6

11 years ago
Created attachment 240888 [details]
js1_7/block/regress-353214-02.js

Comment 7

11 years ago
verified fixed 1.9 20061002 windows/linux, not a problem in 1.8.
Status: RESOLVED → VERIFIED

Comment 8

11 years ago
Created attachment 241432 [details]
js1_7/block/regress-353214-01.js
Attachment #240887 - Attachment is obsolete: true

Comment 9

11 years ago
Created attachment 241433 [details]
js1_7/block/regress-353214-02.js
Attachment #240888 - Attachment is obsolete: true

Comment 10

11 years ago
fixed by Bug 346642
verified fixed 20061203 windows/linux/mac*
Keywords: verified1.8.1.1
Group: security

Comment 11

11 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-353214.js,v  <--  regress-353214.js

/cvsroot/mozilla/js/tests/js1_7/extensions/regress-353214-01.js,v  <--  regress-353214-01.js

/cvsroot/mozilla/js/tests/js1_7/extensions/regress-353214-02.js,v  <--  regress-353214-02.js

moved to extensions/ due to decompilation
(Reporter)

Updated

10 years ago
No longer blocks: 349611
(Reporter)

Updated

10 years ago
Blocks: 349611

Comment 12

10 years ago
tweak decompilation
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-353214.js,v  <--  regress-353214.js
new revision: 1.3; previous revision: 1.2