Closed Bug 367630 Opened 18 years ago Closed 18 years ago

Crash with use of sharp variable in function [@ js_PCToLineNumber]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
PowerPC
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files)

Easy fix
980 bytes, patch
brendan
: review+
dveditz
: approval1.8.1.4+
dveditz
: approval1.8.0.12+
Details | Diff | Splinter Review
js1_5/extensions/regress-367630.js
2.54 KB, text/plain
Details
js> uneval(#1={a:#1#}); (function() { return #1# })(); Segmentation fault js> w = {a:#1=function(){return #1#}}; w.a() Segmentation fault In the first example, the #1# is clearly illegal due to being out of scope, right? Why does the function even compile? Is the second example also illegal? Here's the top of a stack trace from the js shell: Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_INVALID_ADDRESS (0x0001) at 0xdadadada Thread 0 Crashed: 0 js_PCToLineNumber + 68 (jsscript.c:1519) 1 js_ReportErrorNumberVA + 236 (jscntxt.c:1141) 2 JS_ReportErrorNumber + 96 (jsapi.c:4672) 3 js_Interpret + 90244 (jsinterp.c:5336) 4 js_Execute + 904 (jsinterp.c:1607) 5 JS_ExecuteScript + 64 (jsapi.c:4212) ...
I found this while messing around in the js shell, but I plan to add sharps to a fuzzer soon ;)
Whiteboard: [sg:critical?]
Attached patch Easy fixSplinter Review
Attachment #252230 - Flags: review?(brendan)
Assignee: general → mrbkap
Comment on attachment 252230 [details] [diff] [review] Easy fix r=me (pls. cc: me on bugs like this; wish r? cc'd me automatically). /be
Attachment #252230 - Flags: review?(brendan) → review+
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Attachment #252230 - Flags: approval1.8.1.3?
Attachment #252230 - Flags: approval1.8.0.11?
reliably crashes 1.8.1 but does not crash 1.8.0
Flags: in-testsuite+
verified fixed 1.9.0 20070226 windows/mac*/linux
Status: RESOLVED → VERIFIED
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Comment on attachment 252230 [details] [diff] [review] Easy fix approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #252230 - Flags: approval1.8.1.4?
Attachment #252230 - Flags: approval1.8.1.4+
Attachment #252230 - Flags: approval1.8.0.12?
Attachment #252230 - Flags: approval1.8.0.12+
Fixed on the 1.8 branches.
Keywords: fixed1.8.0.12, fixed1.8.1.4
verified fixed linux, windows, mac* 1.8.0, 1.8.1 shell 20070406
Keywords: fixed1.8.0.12, fixed1.8.1.4verified1.8.0.12, verified1.8.1.4
Group: security
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367630.js,v <-- regress-367630.js initial revision: 1.1
Crash Signature: [@ js_PCToLineNumber]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: