Bug 367630
Opened 17 years ago
Closed 17 years ago
Crash with use of sharp variable in function [@ js_PCToLineNumber]
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
People: Reporter: jruderman, Assigned: mrbkap
Details: 4 keywords, Whiteboard: [sg:critical?]
Attachments (2 files)
patch, 980 bytes: brendan: review+; dveditz: approval1.8.1.4+; dveditz: approval1.8.0.12+
text/plain, 2.54 KB
js> uneval(#1={a:#1#}); (function() { return #1# })();
Segmentation fault

js> w = {a:#1=function(){return #1#}}; w.a()
Segmentation fault

In the first example, the #1# is clearly illegal due to being out of scope, right? Why does the function even compile? Is the second example also illegal?

Here's the top of a stack trace from the js shell:

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0xdadadada

Thread 0 Crashed:
0 js_PCToLineNumber + 68 (jsscript.c:1519)
1 js_ReportErrorNumberVA + 236 (jscntxt.c:1141)
2 JS_ReportErrorNumber + 96 (jsapi.c:4672)
3 js_Interpret + 90244 (jsinterp.c:5336)
4 js_Execute + 904 (jsinterp.c:1607)
5 JS_ExecuteScript + 64 (jsapi.c:4212)
...
Comment 1 (Reporter) • 17 years ago
I found this while messing around in the js shell, but I plan to add sharps to a fuzzer soon ;)
Whiteboard: [sg:critical?]
Comment 2 (Assignee) • 17 years ago
Attachment #252230 - Flags: review?(brendan)
Updated • 17 years ago
Assignee: general → mrbkap
Comment 3 • 17 years ago
Comment on attachment 252230 (Easy fix): r=me (pls. cc: me on bugs like this; wish r? cc'd me automatically). /be
Attachment #252230 - Flags: review?(brendan) → review+
Comment 4 (Assignee) • 17 years ago
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated (Assignee) • 17 years ago
Attachment #252230 - Flags: approval1.8.1.3?
Attachment #252230 - Flags: approval1.8.0.11?
Comment 5 • 17 years ago
Reliably crashes 1.8.1 but does not crash 1.8.0.
Updated • 17 years ago
Flags: in-testsuite+
Comment 6 • 17 years ago
Verified fixed 1.9.0 20070226 windows/mac*/linux.
Status: RESOLVED → VERIFIED
Updated • 17 years ago
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Updated • 17 years ago
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Comment 7 • 17 years ago
Comment on attachment 252230 (Easy fix): approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #252230 - Flags: approval1.8.1.4? → approval1.8.1.4+
Attachment #252230 - Flags: approval1.8.0.12? → approval1.8.0.12+
Updated • 17 years ago
Group: security
Comment 10 • 17 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-367630.js,v <-- regress-367630.js initial revision: 1.1
Updated • 13 years ago
Crash Signature: [@ js_PCToLineNumber]