Bug 367630 - Crash with use of sharp variable in function [@ js_PCToLineNumber]
Status: VERIFIED FIXED
Whiteboard: [sg:critical?]
Keywords: crash, testcase, verified1.8.0.12, verified1.8.1.4
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: PowerPC Mac OS X
Importance: -- critical
Target Milestone: ---
Assigned To: Blake Kaplan (:mrbkap) (please use needinfo!)
Reported: 2007-01-20 17:20 PST by Jesse Ruderman
Modified: 2011-06-13 10:01 PDT (History)
dveditz: blocking1.8.1.4+
dveditz: blocking1.8.0.12+
bob: in-testsuite+

Attachments
Easy fix (980 bytes, patch)
2007-01-21 11:25 PST, Blake Kaplan (:mrbkap) (please use needinfo!)
brendan: review+
dveditz: approval1.8.1.4+
dveditz: approval1.8.0.12+
js1_5/extensions/regress-367630.js (2.54 KB, text/plain)
2007-02-25 11:04 PST, Bob Clary [:bc:]

Description Jesse Ruderman 2007-01-20 17:20:56 PST
js> uneval(#1={a:#1#}); (function() { return #1# })();
Segmentation fault

js> w = {a:#1=function(){return #1#}}; w.a()
Segmentation fault

In the first example, the #1# is clearly illegal due to being out of scope, right?  Why does the function even compile?  Is the second example also illegal?

Here's the top of a stack trace from the js shell:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xdadadada

Thread 0 Crashed:
0   js_PCToLineNumber + 68 (jsscript.c:1519)
1   js_ReportErrorNumberVA + 236 (jscntxt.c:1141)
2   JS_ReportErrorNumber + 96 (jsapi.c:4672)
3   js_Interpret + 90244 (jsinterp.c:5336)
4   js_Execute + 904 (jsinterp.c:1607)
5   JS_ExecuteScript + 64 (jsapi.c:4212)
...
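Added triage helper, not part of the bug report and not SpiderMonkey code: it parses a Mac OS X crash header like the one quoted in the description, extracts the faulting address and the top frame of the crashed thread, and flags an address made of one repeated byte as a debug memory fill rather than a real pointer. The fill-byte table (0xDA as SpiderMonkey's debug-build JS_FREE_PATTERN, plus jemalloc and MSVC CRT values) is this example's own assumption; the bug itself does not say what 0xdadadada is. The sample report is constructed from the lines above.

```python
"""Crash-header triage helper (added example; assumptions noted inline)."""
import re

# Constructed input: the Mac OS X crash header quoted in the bug description.
SAMPLE_REPORT = """\
Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xdadadada

Thread 0 Crashed:
0   js_PCToLineNumber + 68 (jsscript.c:1519)
1   js_ReportErrorNumberVA + 236 (jscntxt.c:1141)
2   JS_ReportErrorNumber + 96 (jsapi.c:4672)
3   js_Interpret + 90244 (jsinterp.c:5336)
"""

# Single-byte fill values that debug builds write over memory. A fault address
# consisting entirely of one of these bytes was loaded from poisoned memory,
# not from a live pointer. Assumption of this example: which byte means what
# is runtime-specific; the bug report does not state the meaning of 0xDA.
FILL_PATTERNS = {
    0xDA: "SpiderMonkey JS_FREE_PATTERN: memory freed by the JS engine",
    0x5A: "jemalloc junk fill on free",
    0xA5: "jemalloc junk fill on allocation (uninitialized)",
    0xDD: "MSVC debug CRT fill on free",
    0xCD: "MSVC debug CRT fill on allocation (uninitialized)",
}

_FAULT_ADDR = re.compile(r"\bat 0x([0-9A-Fa-f]+)")
_CRASHED_THREAD = re.compile(r"^Thread \d+ Crashed:\s*$", re.MULTILINE)
_FRAME = re.compile(r"^\d+\s+(\S+)\s+\+\s+\d+", re.MULTILINE)


def parse_fault_address(report: str):
    """Return the address from a 'KERN_INVALID_ADDRESS ... at 0x...' line, or None."""
    m = _FAULT_ADDR.search(report)
    return int(m.group(1), 16) if m else None


def top_crashing_frame(report: str):
    """Return the function name in frame 0 of the crashed thread, or None."""
    hdr = _CRASHED_THREAD.search(report)
    if not hdr:
        return None
    frame = _FRAME.search(report, hdr.end())
    return frame.group(1) if frame else None


def classify_address(addr: int) -> str:
    """Map a faulting address to the bug class it usually indicates."""
    if addr < 0x1000:
        return "null-page dereference"
    width = 8 if addr > 0xFFFFFFFF else 4
    raw = addr.to_bytes(width, "big")
    if len(set(raw)) == 1:
        byte = raw[0]
        if byte in FILL_PATTERNS:
            return f"fill pattern 0x{byte:02X}: {FILL_PATTERNS[byte]}"
        return f"repeated byte 0x{byte:02X}: unrecognized fill pattern"
    return "unclassified (check mapping of 0x%x in the process)" % addr


def triage(report: str) -> dict:
    """Summarize where the crash happened, what it touched, and whether the
    address looks like freed memory (a use-after-free candidate worth sg:critical)."""
    addr = parse_fault_address(report)
    verdict = classify_address(addr) if addr is not None else "no fault address"
    return {
        "frame": top_crashing_frame(report),
        "address": addr,
        "verdict": verdict,
        "likely_use_after_free": "freed" in verdict,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

A repeated-byte fault address is the first thing to look for in a reported crash: it tells you the interpreter dereferenced stale data, which is why an "easy fix" for a shell crash still gets release-blocking flags on the branches.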
Comment 1 Jesse Ruderman 2007-01-20 17:22:07 PST
I found this while messing around in the js shell, but I plan to add sharps to a fuzzer soon ;)
Comment 2 Blake Kaplan (:mrbkap) (please use needinfo!) 2007-01-21 11:25:54 PST
Created attachment 252230
Easy fix
Comment 3 Brendan Eich [:brendan] 2007-02-15 17:50:22 PST
Comment on attachment 252230
Easy fix

r=me (pls. cc: me on bugs like this; wish r? cc'd me automatically).

/be
Comment 4 Blake Kaplan (:mrbkap) (please use needinfo!) 2007-02-20 20:10:09 PST
Fixed on trunk.
Comment 5 Bob Clary [:bc:] 2007-02-25 11:04:49 PST
Created attachment 256373
js1_5/extensions/regress-367630.js

reliably crashes 1.8.1 but does not crash 1.8.0
Comment 6 Bob Clary [:bc:] 2007-02-28 10:12:56 PST
verified fixed 1.9.0 20070226 windows/mac*/linux
Comment 7 Daniel Veditz [:dveditz] 2007-03-21 15:33:34 PDT
Comment on attachment 252230
Easy fix

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Comment 8 Blake Kaplan (:mrbkap) (please use needinfo!) 2007-03-29 11:48:19 PDT
Fixed on the 1.8 branches.
Comment 9 Bob Clary [:bc:] 2007-04-06 11:52:42 PDT
verified fixed linux, windows, mac* 1.8.0, 1.8.1 shell 20070406
Comment 10 Bob Clary [:bc:] 2007-06-14 15:31:38 PDT
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367630.js,v  <--  regress-367630.js
initial revision: 1.1
