358508 - crash with destructuring-parameters and block-local-functions

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[shutdown]

$ cat bad-block-object.txt
(function({0x100000badf00d0: a}) {
  function b() {}
  let c;
})();

$ dbg.obj/js -v 170 bad-block-object.txt
Assertion failure: *pc == JSOP_ENTERBLOCK || (*pc == JSOP_LITOPX && pc[1 + LITERAL_INDEX_LEN] == JSOP_ENTERBLOCK), at jsemit.c:3992

$ gdb --eval run --args opt.obj/js -v 170 bad-block-object.txt
...
Program received signal SIGSEGV, Segmentation fault.
0x0042fc58 in js_GetScopeChain (cx=0xab07a0, fp=0x9b3524) at jsinterp.c:508
508             parent = OBJ_GET_PARENT(cx, cursor);
(gdb) p *cursor
$1 = {map = 0xbadf00d0, slots = 0x43300000}

exploitable.

Comment 1

[Brendan Eich [:brendan]]

Ahem.  I should have remembered destructuring formal parameters.  Fixing shortly, will put a 1.8 combined patch in the other bug.

Thanks for finding this so quickly.

/be

Comment 2

[Brendan Eich [:brendan]]

Attachment: fix, plus cleanups

Simplest fix, shorn of now-vacuous-seeming attempted assertions in jsemit.c.

/be

Comment 3

[Brendan Eich [:brendan]]

Fixed:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.226; previous revision: 3.225
done
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.302; previous revision: 3.301
done

/be

Comment 4

[Bob Clary [:bc] (inactive)]

Attachment: js1_7/block/regress-358508.js

Comment 5

[Bob Clary [:bc] (inactive)]

verified fixed 1.9 2006110700 windows/linux no crash but I didn't show a crash in the 1.8 branch.

Comment 6

[Bob Clary [:bc] (inactive)]

/cvsroot/mozilla/js/tests/js1_7/block/regress-358508.js,v  <--  regress-358508.js
initial revision: 1.1