Closed Bug 367630 Opened 17 years ago Closed 17 years ago

Crash with use of sharp variable in function [@ js_PCToLineNumber]

Categories

(Core :: JavaScript Engine, defect)

PowerPC
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files)

js> uneval(#1={a:#1#}); (function() { return #1# })();
Segmentation fault

js> w = {a:#1=function(){return #1#}}; w.a()
Segmentation fault

In the first example, the #1# is clearly illegal due to being out of scope, right?  Why does the function even compile?  Is the second example also illegal?

Here's the top of a stack trace from the js shell:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xdadadada

Thread 0 Crashed:
0   js_PCToLineNumber + 68 (jsscript.c:1519)
1   js_ReportErrorNumberVA + 236 (jscntxt.c:1141)
2   JS_ReportErrorNumber + 96 (jsapi.c:4672)
3   js_Interpret + 90244 (jsinterp.c:5336)
4   js_Execute + 904 (jsinterp.c:1607)
5   JS_ExecuteScript + 64 (jsapi.c:4212)
...
I found this while messing around in the js shell, but I plan to add sharps to a fuzzer soon ;)
Whiteboard: [sg:critical?]
Attached patch Easy fixSplinter Review
Attachment #252230 - Flags: review?(brendan)
Assignee: general → mrbkap
Comment on attachment 252230 [details] [diff] [review]
Easy fix

r=me (pls. cc: me on bugs like this; wish r? cc'd me automatically).

/be
Attachment #252230 - Flags: review?(brendan) → review+
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Attachment #252230 - Flags: approval1.8.1.3?
Attachment #252230 - Flags: approval1.8.0.11?
reliably crashes 1.8.1 but does not crash 1.8.0
Flags: in-testsuite+
verified fixed 1.9.0 20070226 windows/mac*/linux
Status: RESOLVED → VERIFIED
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Comment on attachment 252230 [details] [diff] [review]
Easy fix

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #252230 - Flags: approval1.8.1.4?
Attachment #252230 - Flags: approval1.8.1.4+
Attachment #252230 - Flags: approval1.8.0.12?
Attachment #252230 - Flags: approval1.8.0.12+
Fixed on the 1.8 branches.
verified fixed linux, windows, mac* 1.8.0, 1.8.1 shell 20070406
Group: security
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367630.js,v  <--  regress-367630.js
initial revision: 1.1
Crash Signature: [@ js_PCToLineNumber]
You need to log in before you can comment on or make changes to this bug.