Closed Bug 355341 Opened 14 years ago Closed 14 years ago

Crash with watch and setter [@ js_PCToLineNumber] [@ Function]

Categories

(Core :: JavaScript Engine, defect, P2, critical)

defect

Tracking

VERIFIED FIXED
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: brendan)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, verified1.8.1.1)

Crash Data

Attachments

(1 file)

js> this.x setter= Function; this.watch('x', function () { }); x = 3;
Bus error

I'm making this bug security-sensitive for now because the stack in an opt jsshell looks strange:

Thread 0 Crashed:
0   js 	0x00013c28 js_PCToLineNumber + 28 (crt.c:355)
1   <<00000000>> 	0xbfffe83c 0 + -1073747908
2   js 	0x00012b44 Function + 240 (crt.c:355)
3   js 	0x00033534 js_Invoke + 1548 (crt.c:355)
4   js 	0x00033990 js_InternalInvoke + 204 (crt.c:355)
...
Assignee: general → igor.bukanov
Whiteboard: [sg:investigate]
This is a null deref only crash.

/be
Group: security
Attached patch: fix
Often internal APIs do not null-defend, but in case any callers in addition to Function want to pass fp->pc, this will test in one place only and return the invalid line number (0).

/be
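To illustrate the defensive pattern the comment above describes (the pc-to-line lookup checks for a null pc once, in the one place all callers go through, and returns 0 as the invalid line number), here is an added example in C. It is not SpiderMonkey's code and not the attached patch: the Script struct, the LineEntry table, the sample bytecode and the pc_to_line_number function are hypothetical stand-ins constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a script's bytecode-to-line table (a constructed
 * sample, not SpiderMonkey's real source notes). Each entry records the first
 * pc offset at which a new source line begins; entries are sorted by offset. */
typedef struct {
    uintptr_t pc_offset;
    unsigned  line;
} LineEntry;

typedef struct {
    const uint8_t   *code;    /* start of the bytecode */
    size_t           length;  /* number of bytecode bytes */
    const LineEntry *lines;
    size_t           nlines;
} Script;

/* Map a pc pointing into script->code to a source line number.
 * Returns 0 (the invalid line number) when script or pc is NULL, or when pc
 * lies outside the script, so that every caller, including one that passes a
 * frame's pc that was never set, is defended by this single check. */
unsigned pc_to_line_number(const Script *script, const uint8_t *pc)
{
    if (script == NULL || pc == NULL)
        return 0;

    /* Compare as integers so an unrelated pointer cannot slip through. */
    uintptr_t p = (uintptr_t)pc, base = (uintptr_t)script->code;
    if (p < base || p >= base + script->length)
        return 0;
    uintptr_t offset = p - base;

    /* Binary search for the last entry whose pc_offset <= offset. */
    size_t lo = 0, hi = script->nlines;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (script->lines[mid].pc_offset <= offset)
            lo = mid + 1;
        else
            hi = mid;
    }
    if (lo == 0)
        return 0;  /* offset precedes the first recorded line */
    return script->lines[lo - 1].line;
}

/* Constructed sample: 16 bytes of "bytecode" spanning three source lines. */
static const uint8_t sample_code[16] = {0};
static const LineEntry sample_lines[] = {
    {0, 10},  /* offsets 0..3  belong to line 10 */
    {4, 11},  /* offsets 4..8  belong to line 11 */
    {9, 13},  /* offsets 9..15 belong to line 13 */
};
const Script sample_script = {
    sample_code, sizeof sample_code,
    sample_lines, sizeof sample_lines / sizeof sample_lines[0],
};

int main(void)
{
    printf("NULL pc      -> line %u\n", pc_to_line_number(&sample_script, NULL));
    printf("offset 0     -> line %u\n", pc_to_line_number(&sample_script, sample_code));
    printf("offset 5     -> line %u\n", pc_to_line_number(&sample_script, sample_code + 5));
    printf("offset 15    -> line %u\n", pc_to_line_number(&sample_script, sample_code + 15));
    printf("one past end -> line %u\n", pc_to_line_number(&sample_script, sample_code + 16));
    return 0;
}
```

The point of the design is the one the comment makes: rather than asking each internal caller to null-check the pc it passes, the lookup routine tolerates a null or out-of-range pc itself and yields 0, which consumers already treat as "no line information".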
Attachment #241515 - Flags: review?(igor.bukanov)
Blocks: js1.7src
Whiteboard: [sg:investigate]
Attachment #241515 - Flags: review?(igor.bukanov) → review+
One more thing about the previous attachment. It changes ToXMLName to use ConvertToString to ensure that String instances with overwritten String.prototype.toString still use the default ToString conversion. But that required that SanitizeValue skips string conversion for Number, Boolean and String object instances.
Ignore prev comments, wrong bug.
Comment on attachment 241515 [details] [diff] [review]
fix

Simple null defense in the function that needs it.

/be
Attachment #241515 - Flags: approval1.8.1.1?
Fixed on trunk:

Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.117; previous revision: 3.116
done

/be
Assignee: igor.bukanov → brendan
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
OS: Mac OS X 10.4 → All
Priority: -- → P2
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.9alpha
Checking in regress-355341.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-355341.js,v  <--  regress-355341.js
initial revision: 1.1
done
Flags: in-testsuite+
verified fixed 1.9 20061007 windows/linux
Status: RESOLVED → VERIFIED
Comment on attachment 241515 [details] [diff] [review]
fix

approved for 1.8 branch, a=dveditz for drivers
Attachment #241515 - Flags: approval1.8.1.1? → approval1.8.1.1+
Checking in jsscript.c;
/cvsroot/mozilla/js/src/jsscript.c,v  <--  jsscript.c
new revision: 3.79.2.18; previous revision: 3.79.2.17
done

/be
Keywords: fixed1.8.1.1
verified fixed 20061130 1.8.1.1 windows/linux/mac*
No longer blocks: 349611
Blocks: 349611
Crash Signature: [@ js_PCToLineNumber] [@ Function]