Bug 354924 (Closed)
Opened 18 years ago
Closed 18 years ago
Crash [@ js_Invoke] [@ QuoteString] with export/import and setter
Categories: Core :: JavaScript Engine, defect, P1
Status: VERIFIED FIXED
Target Milestone: mozilla1.8.1
People: Reporter: jruderman, Assigned: brendan
Details: 4 keywords, Whiteboard: [sg:critical]
Attachments (2 files)
Attachment 1: patch, 1.06 KB. Flags: mrbkap: review+; igor: review+; dveditz: approval1.8.0.8+; mtschrep: approval1.8.1+
Attachment 2: text/plain, 2.38 KB
js> this.x setter= function(){}; export *; t = this; new Function("import t.*; import t.*;")();
Segmentation fault
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x7c0802a6
Thread 0 Crashed:
0 js 0x0002f57c QuoteString + 176 (jsopcode.c:468)
1 js 0x0002fbac js_QuoteString + 132 (jsopcode.c:555)
2 js 0x0007d7e0 js_ValueToSource + 76 (jsstr.c:2688)
3 js 0x0003f59c js_DecompileValueGenerator + 3868 (jsopcode.c:4748)
4 js 0x00056dc8 js_ReportIsNotFunction + 220 (jsfun.c:2241)
5 js 0x00093b1c js_Invoke + 4712 (jsinterp.c:1436)
6 js 0x00093cfc js_InternalInvoke + 444 (jsinterp.c:1467)
7 js 0x00094034 js_InternalGetOrSet + 552 (jsinterp.c:1527)
8 js 0x0004b448 js_SetProperty + 2804 (jsobj.c:3631)
9 js 0x00094b0c ImportProperty + 1524 (jsinterp.c:1730)
10 js 0x000aa6f8 js_Interpret + 85440 (jsinterp.c:4718)
11 js 0x00094400 js_Execute + 936 (jsinterp.c:1618)
12 js 0x00021578 JS_ExecuteScript + 64 (jsapi.c:4256)
13 js 0x00003084 Process + 904 (js.c:265)
14 js 0x00003c4c ProcessArgs + 2304 (js.c:487)
15 js 0x0000a03c main + 640 (js.c:3088)
16 js 0x000023e8 _start + 340 (crt.c:272)
17 js 0x00002290 start + 60
Updated (Reporter), 18 years ago
Whiteboard: [sg:critical]
Comment 1 (Assignee), 18 years ago
The old Netscape 4-era import stuff is ill-defined for getters and setters, but in order to avoid flagging a native JSPropertyOp as if it were a function object, we must clear the JSPROP_(GETTER|SETTER) attributes at a minimum.
/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #240741 Flags: review?(mrbkap)
Attachment #240741 Flags: approval1.8.1?
Updated (Assignee), 18 years ago
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8.1
Comment 2 (Assignee), 18 years ago
Comment on attachment 240741 (minimal fix):
We tried to remove JS_HAS_EXPORT_IMPORT but someone was using it. For Mozilla 1.9, we could try again. For Mozilla 2, we will remove all this junk.
In the meantime, this patch is a safe fix for any near-term release. I'm not sure how easy it is to stumble on the testcase with the fuzzer, but I'd rather not risk anyone doing that.
/be
Attachment #240741 Flags: review?(igor.bukanov)
Comment 3 (Assignee), 18 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.1.1?
Updated, 18 years ago
Attachment #240741 Flags: review?(igor.bukanov) → review+
Comment 4 (Assignee), 18 years ago
Fixed on trunk:
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c
new revision: 3.294; previous revision: 3.293
done
/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated, 18 years ago
Attachment #240741 Flags: review?(mrbkap) → review+
Comment 5, 18 years ago
Comment on attachment 240741 (minimal fix):
Approved for RC2.
Attachment #240741 Flags: approval1.8.1? → approval1.8.1+
Comment 6 (Assignee), 18 years ago
Fixed on the 1.8 branch:
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c
new revision: 3.181.2.65; previous revision: 3.181.2.64
done
/be
Keywords: fixed1.8.1
Comment 7, 18 years ago
This looks like we need it for 1.8.0.8 as well? Please request approval on the patch if so.
Flags: blocking1.8.0.8?
Updated (Assignee), 18 years ago
Attachment #240741 Flags: approval1.8.0.8?
Comment 8, 18 years ago
I could not reproduce this crash. Jesse can you verify this bug?
Updated, 18 years ago
Flags: in-testsuite+
Updated, 18 years ago
Flags: blocking1.8.0.8? → blocking1.8.0.8+
Comment 9, 18 years ago
Comment on attachment 240741 (minimal fix):
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #240741 Flags: approval1.8.0.8? → approval1.8.0.8+
Comment 10 (Assignee), 18 years ago
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c
new revision: 3.181.2.17.2.22; previous revision: 3.181.2.17.2.21
done
/be
Keywords: fixed1.8.0.8
Comment 11 (Reporter), 18 years ago
Verified fixed (by testing in opt and debug jsshell on Mac).
Status: RESOLVED → VERIFIED
Comment 12, 18 years ago
verified fixed 1.8 1.9 20061002 windows/linux 1.8 macppc
Keywords: fixed1.8.1 → verified1.8.1
Comment 13, 18 years ago
verified fixed 1.8.0.8 20061003 windows/mac*/linux
Keywords: fixed1.8.0.8 → verified1.8.0.8
Updated, 18 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.1.1?
Updated, 18 years ago
Group: security
Comment 14, 18 years ago
RCS file: /cvsroot/mozilla/js/tests/js1_5/Regress/regress-354924.js,v
done
Checking in regress-354924.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-354924.js,v <-- regress-354924.js
initial revision: 1.1
done
Updated, 14 years ago
Crash Signature: [@ js_Invoke] [@ QuoteString]