Bug 354924 - Crash [@ js_Invoke] [@ QuoteString] with export/import and setter
Status: VERIFIED FIXED
Whiteboard: [sg:critical]
Keywords: crash, testcase, verified1.8.0.8, verified1.8.1
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Priority: P1 critical
Target Milestone: mozilla1.8.1
Assigned To: Brendan Eich [:brendan]
Mentors:
Depends on:
Blocks: jsfunfuzz
Reported: 2006-09-29 23:43 PDT by Jesse Ruderman
Modified: 2011-06-13 10:01 PDT (History)
dveditz: blocking1.8.0.8+
bob: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
minimal fix (1.06 KB, patch)
2006-09-30 11:47 PDT, Brendan Eich [:brendan]
mrbkap: review+
igor: review+
dveditz: approval1.8.0.8+
mtschrep: approval1.8.1+
js1_5/Regress/regress-354924.js (2.38 KB, text/plain)
2006-10-01 23:42 PDT, Bob Clary [:bc:]
no flags

Description Jesse Ruderman 2006-09-29 23:43:41 PDT
js> this.x setter= function(){}; export *; t = this; new Function("import t.*; import t.*;")();
Segmentation fault

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x7c0802a6

Thread 0 Crashed:
0   js 	0x0002f57c QuoteString + 176 (jsopcode.c:468)
1   js 	0x0002fbac js_QuoteString + 132 (jsopcode.c:555)
2   js 	0x0007d7e0 js_ValueToSource + 76 (jsstr.c:2688)
3   js 	0x0003f59c js_DecompileValueGenerator + 3868 (jsopcode.c:4748)
4   js 	0x00056dc8 js_ReportIsNotFunction + 220 (jsfun.c:2241)
5   js 	0x00093b1c js_Invoke + 4712 (jsinterp.c:1436)
6   js 	0x00093cfc js_InternalInvoke + 444 (jsinterp.c:1467)
7   js 	0x00094034 js_InternalGetOrSet + 552 (jsinterp.c:1527)
8   js 	0x0004b448 js_SetProperty + 2804 (jsobj.c:3631)
9   js 	0x00094b0c ImportProperty + 1524 (jsinterp.c:1730)
10  js 	0x000aa6f8 js_Interpret + 85440 (jsinterp.c:4718)
11  js 	0x00094400 js_Execute + 936 (jsinterp.c:1618)
12  js 	0x00021578 JS_ExecuteScript + 64 (jsapi.c:4256)
13  js 	0x00003084 Process + 904 (js.c:265)
14  js 	0x00003c4c ProcessArgs + 2304 (js.c:487)
15  js 	0x0000a03c main + 640 (js.c:3088)
16  js 	0x000023e8 _start + 340 (crt.c:272)
17  js 	0x00002290 start + 60
Comment 1 Brendan Eich [:brendan] 2006-09-30 11:47:44 PDT
Created attachment 240741 [details] [diff] [review]
minimal fix

The old Netscape 4-era import stuff is ill-defined for getters and setters, but in order to avoid flagging a native JSPropertyOp as if it were a function object, we must clear the JSPROP_(GETTER|SETTER) attributes at a minimum.

/be
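The flag/pointer mismatch comment 1 describes, as an added C model written for this page (not SpiderMonkey's own code): the importer installs a native stub setter but copies the source attributes, so JSPROP_SETTER still claims the pointer is a function object, and the next set dispatches on that claim. The attribute values, the Prop layout and the stub names are constructed for the model.

```c
#include <stdbool.h>

/* Attribute bits, constructed for this model (values are illustrative). */
#define JSPROP_EXPORTED 0x08
#define JSPROP_GETTER   0x10
#define JSPROP_SETTER   0x20

typedef struct FnObj { const char *src; } FnObj;   /* stands in for a JSObject* setter */
typedef int (*NativeOp)(int *slot, int v);         /* stands in for a JSPropertyOp */
typedef union { FnObj *fn; NativeOp op; } SetterPtr; /* engine picks the member via attrs */
typedef enum { SETTER_NATIVE, SETTER_FNOBJ } SetterKind;

typedef struct Prop {
    unsigned attrs;
    SetterPtr setter;
    SetterKind kind;  /* model-only ground truth of what setter really holds */
    int slot;
} Prop;

static int stub_set(int *slot, int v) { *slot = v; return 0; }   /* like JS_PropertyStub */
static int call_fnobj(Prop *p, int v) { p->slot = v; return 0; }  /* invoking the function object */

/* Model of ImportProperty: define the property on the importer with a stub
   native setter. With clear_flags=false the source attrs are copied as-is,
   which is the bug: JSPROP_SETTER survives while the pointer is now a native. */
static Prop import_property(const Prop *src, bool clear_flags) {
    Prop dst;
    dst.slot = src->slot;
    dst.setter.op = stub_set;
    dst.kind = SETTER_NATIVE;
    dst.attrs = src->attrs & ~JSPROP_EXPORTED;
    if (clear_flags) dst.attrs &= ~(JSPROP_GETTER | JSPROP_SETTER);
    return dst;
}

/* Model of js_SetProperty's dispatch. Returns 0 on success and 1 for the
   confusion the real engine crashed on: a native op handed to js_Invoke as
   if it were an object (js_ReportIsNotFunction then tries to decompile it). */
static int set_property(Prop *p, int v) {
    if (p->attrs & JSPROP_SETTER) {
        if (p->kind != SETTER_FNOBJ) return 1;
        return call_fnobj(p, v);
    }
    return p->setter.op(&p->slot, v);
}

/* Replays the testcase: export a setter property, import it, then the second
   import sets the already-imported property. */
static int replay(bool fixed) {
    static FnObj setter_fn = { "function(){}" };
    Prop exported = { JSPROP_EXPORTED | JSPROP_SETTER, { .fn = &setter_fn }, SETTER_FNOBJ, 0 };
    Prop imported = import_property(&exported, fixed);
    return set_property(&imported, 7);
}
```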
Comment 2 Brendan Eich [:brendan] 2006-09-30 12:35:50 PDT
Comment on attachment 240741 [details] [diff] [review]
minimal fix

We tried to remove JS_HAS_EXPORT_IMPORT but someone was using it.  For Mozilla 1.9, we could try again.  For Mozilla 2, we will remove all this junk.

In the meantime, this patch is a safe fix for any near-term release.  I'm not sure how easy it is to stumble on the testcase with the fuzzer, but I'd rather not risk anyone doing that.

/be
Comment 3 Brendan Eich [:brendan] 2006-09-30 12:36:33 PDT
See comment 1 and comment 2.

/be
Comment 4 Brendan Eich [:brendan] 2006-09-30 12:53:02 PDT
Fixed on trunk:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.294; previous revision: 3.293
done

/be
Comment 5 Mike Schroepfer 2006-09-30 14:11:38 PDT
Comment on attachment 240741 [details] [diff] [review]
minimal fix

Approved for RC2.
Comment 6 Brendan Eich [:brendan] 2006-09-30 14:46:53 PDT
Fixed on the 1.8 branch:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.65; previous revision: 3.181.2.64
done

/be
Comment 7 Daniel Veditz [:dveditz] 2006-10-01 09:03:35 PDT
This looks like we need it for 1.8.0.8 as well? Please request approval on the patch if so.
Comment 8 Bob Clary [:bc:] 2006-10-01 23:42:37 PDT
Created attachment 240894 [details]
js1_5/Regress/regress-354924.js

I could not reproduce this crash. Jesse can you verify this bug?
Comment 9 Daniel Veditz [:dveditz] 2006-10-02 11:23:01 PDT
Comment on attachment 240741 [details] [diff] [review]
minimal fix

approved for 1.8.0 branch, a=dveditz for drivers
Comment 10 Brendan Eich [:brendan] 2006-10-02 11:32:12 PDT
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.17.2.22; previous revision: 3.181.2.17.2.21
done

/be
Comment 11 Jesse Ruderman 2006-10-02 12:21:22 PDT
Verified fixed (by testing in opt and debug jsshell on Mac).
Comment 12 Bob Clary [:bc:] 2006-10-02 22:46:03 PDT
verified fixed 1.8 1.9 20061002 windows/linux 1.8 macppc
Comment 13 Bob Clary [:bc:] 2006-10-04 05:56:11 PDT
verified fixed 1.8.0.8 20061003 windows/mac*/linux
Comment 14 Bob Clary [:bc:] 2006-11-10 11:49:26 PST
RCS file: /cvsroot/mozilla/js/tests/js1_5/Regress/regress-354924.js,v
done
Checking in regress-354924.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-354924.js,v  <--  regress-354924.js
initial revision: 1.1
done
